From 958bbb77bfbfc100031850b6fd7836658c35912a Mon Sep 17 00:00:00 2001
From: Asanka Herath
Date: Sat, 5 May 2007 22:13:20 +0000
Subject: [PATCH] windows-netidmgr-20070505

Only automatically add configuration for cell foo.com if the realm of the cell matches the realm of the identity
---
 src/WINNT/netidmgr_plugin/afsfuncs.c | 47 ++++++++++++++++++++++++++-------
 src/WINNT/netidmgr_plugin/afsfuncs.h | 4 ++-
 src/WINNT/netidmgr_plugin/afsnewcreds.c | 13 ++++++++-
 3 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/src/WINNT/netidmgr_plugin/afsfuncs.c b/src/WINNT/netidmgr_plugin/afsfuncs.c
index d185494..223fba2 100644
--- a/src/WINNT/netidmgr_plugin/afsfuncs.c
+++ b/src/WINNT/netidmgr_plugin/afsfuncs.c
@@ -650,6 +650,7 @@ ViceIDToUsername(char *username,
 pr_End();
 }
+#ifdef AFS_ID_TO_NAME
 /*
 * This is a crock, but it is Transarc's crock, so
 * we have to play along in order to get the
@@ -659,7 +660,7 @@ ViceIDToUsername(char *username,
 * the code for tokens, this hack (AFS ID %d) will
 * not work if you change %d to something else.
 */
-
+#endif /* AFS_ID_TO_NAME */
 /*
 * This code is taken from cklog -- it lets people
 * automatically register with the ptserver in foreign cells
@@ -692,8 +693,6 @@ ViceIDToUsername(char *username,
 status = pr_CreateUser(username, &id);
 pr_End();
 StringCbCopyA(username, BUFSIZ, username_copy);
- if (status)
- return status;
 #ifdef AFS_ID_TO_NAME
 StringCchPrintfA(username, BUFSIZ, "%s (AFS ID %d)", username_copy, (int) viceId);
 #endif /* AFS_ID_TO_NAME */
@@ -727,7 +726,7 @@ afs_klog(khm_handle identity,
 char RealmName[128];
 char CellName[128];
 char ServiceName[128];
- khm_handle confighandle;
+ khm_handle confighandle = NULL;
 khm_int32 supports_krb4 = 1;
 khm_int32 got524cred = 0;
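Review bot: In the @@ -692 hunk the result of `pr_CreateUser()` is still stored in `status`, but with `if (status) return status;` removed nothing in the visible lines acts on it, so a failed ptserver registration now falls through. Under `AFS_ID_TO_NAME` the name is then rewritten with `viceId` exactly as it would be after a successful registration. The rest of ViceIDToUsername lies outside the hunk, so a later check may exist; if it does not, either keep a failure path or at least record the error, e.g. `if (status) afs_report_error(status, "pr_CreateUser()");`, with a comment explaining why the failure is tolerated. The commit message does not mention this behaviour change.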
@@ -1155,11 +1154,6 @@ afs_klog(khm_handle identity,
 ViceIDToUsername(aclient.name, realm_of_user, realm_of_cell, CellName, &aclient, &aserver, &atoken);
- // NOTE: On WIN32, the order of SetToken params changed...
- // to ktc_SetToken(&aserver, &aclient, &atoken, 0)
- // from ktc_SetToken(&aserver, &atoken, &aclient, 0) on
- // Unix... The afscompat ktc_SetToken provides the Unix order
-
 if (rc = ktc_SetToken(&aserver, &atoken, &aclient, 0)) {
 afs_report_error(rc, "ktc_SetToken()");
 return(rc);
@@ -1470,3 +1464,38 @@ cleanup:
 return(hr);
 }
+
+khm_boolean
+afs_check_for_cell_realm_match(khm_handle identity, char * cell) {
+ char local_cell[MAXCELLCHARS];
+ wchar_t wrealm[MAXCELLCHARS];
+ wchar_t idname[KCDB_IDENT_MAXCCH_NAME];
+ wchar_t * atsign;
+ khm_size cb;
+ char * realm;
+ afs_conf_cell cellconfig;
+ int rc;
+
+ ZeroMemory(local_cell, sizeof(local_cell));
+
+ rc = afs_get_cellconfig(cell, &cellconfig, local_cell);
+ if (rc)
+ return FALSE;
+
+ realm = afs_realm_of_cell(&cellconfig, FALSE);
+ if (realm == NULL)
+ return FALSE;
+
+ AnsiStrToUnicode(wrealm, sizeof(wrealm), realm);
+
+ cb = sizeof(idname);
+ idname[0] = L'\0';
+ kcdb_identity_get_name(identity, idname, &cb);
+
+ atsign = wcschr(idname, L'@');
+ if (atsign && atsign[1] && !wcsicmp(atsign + 1, wrealm)) {
+ return TRUE;
+ } else {
+ return FALSE;
+ }
+}
diff --git a/src/WINNT/netidmgr_plugin/afsfuncs.h b/src/WINNT/netidmgr_plugin/afsfuncs.h
index b1ba8f1..be55608 100644
--- a/src/WINNT/netidmgr_plugin/afsfuncs.h
+++ b/src/WINNT/netidmgr_plugin/afsfuncs.h
@@ -73,8 +73,10 @@ ServiceControl(LPSTR lpszMachineName,
 void afs_report_error(LONG rc, LPCSTR FailedFunctionName);
+khm_boolean
+afs_check_for_cell_realm_match(khm_handle identity, char * cell);
+
 static char *afs_realm_of_cell(afs_conf_cell *, BOOL);
 static long afs_get_cellconfig_callback(void *, struct sockaddr_in *, char *);
 static int afs_get_cellconfig(char *, afs_conf_cell *, char *);
-
 #endif
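Review bot: `wrealm` in afs_check_for_cell_realm_match (@@ -1470 hunk) is handed to `wcsicmp` without being initialised and the return value of `AnsiStrToUnicode` is ignored, so if that conversion can fail or truncate without terminating the buffer (its contract is not visible here) the realm comparison reads indeterminate stack data. `idname` already gets `idname[0] = L'\0';` before its lookup; adding `wrealm[0] = L'\0';` before the conversion makes a failed conversion compare as a mismatch. The same pattern appears in the @@ -753 hunk of afsnewcreds.c, where `cell` is filled by `UnicodeStrToAnsi` unchecked and then passed to this function; `char cell[MAXCELLCHARS] = "";` would cover it. Separately, `wcsicmp` makes the realm match case-insensitive while Kerberos realm names are case-sensitive; if that is intended for this check, a comment on the comparison should say so.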
diff --git a/src/WINNT/netidmgr_plugin/afsnewcreds.c b/src/WINNT/netidmgr_plugin/afsnewcreds.c
index 074d866..de5c389 100644
--- a/src/WINNT/netidmgr_plugin/afsnewcreds.c
+++ b/src/WINNT/netidmgr_plugin/afsnewcreds.c
@@ -535,6 +535,7 @@ afs_check_add_token_to_identity(wchar_t * cell, khm_handle ident,
 return ok_to_add;
 }
+
 void
 afs_cred_get_identity_creds(afs_cred_list * l,
 khm_handle ident,
@@ -672,7 +673,8 @@ afs_cred_get_identity_creds(afs_cred_list * l,
 khc_open_space(csp_params, L"Cells", 0, &h_gcells);
- if(!cm_GetRootCellName(buf)) {
+ if (!cm_GetRootCellName(buf) &&
+ afs_check_for_cell_realm_match(ident, buf)) {
 AnsiStrToUnicode(wbuf, sizeof(wbuf), buf);
 if (afs_check_add_token_to_identity(wbuf, ident, NULL)) {
@@ -753,6 +755,15 @@ afs_cred_get_identity_creds(afs_cred_list * l,
 if (i < l->n_rows) continue;
+ {
+ char cell[MAXCELLCHARS];
+
+ UnicodeStrToAnsi(cell, sizeof(cell), c_cell);
+
+ if (!afs_check_for_cell_realm_match(ident, cell))
+ continue;
+ }
+
 r = afs_cred_get_new_row(l);
 r->cell = PMALLOC(cb);
--
1.9.4
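Review bot: The filter added at @@ -753 (and the root-cell condition at @@ -672) drops a cell both when its realm differs from the identity's and when the realm could not be determined, because afs_check_for_cell_realm_match returns FALSE on any `afs_get_cellconfig` failure or a NULL realm. Failing closed is the safer choice for automatically added configuration, but nothing in the code says so and the bare `{ ... }` block carries no comment. Suggest a comment above the block such as `/* only auto-add cells whose realm matches the identity's realm; cells whose realm cannot be resolved are skipped too */`. Both hunks sit inside afs_cred_get_identity_creds, whose body starts and ends outside the visible lines.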