From 45b0148fcce3fded5cea52b6fadd50114358ba25 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Jan 27 2016 15:03:03 +0000
Subject: ipa-kdb: get_authz_data_types() make sure entry can be NULL This function determines which type of authorization data should be added to the Kerberos ticket. There are global default and it is possible to configure this per service as well. The second argument is the data base entry of a service. If no service is given it makes sense to return the global defaults and most parts of get_authz_data_types() handle this case well and this patch fixes the remain issue and adds a test for this as well.
Reviewed-By: Tomas Babej
---
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 8594309..daa42e3 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2005,7 +2005,7 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
 service_specific = false;
 authz_data_type = authz_data_list[c];
 sep = strchr(authz_data_list[c], ':');
- if (sep != NULL) {
+ if (sep != NULL && entry != NULL) {
 if (entry->princ == NULL) {
 krb5_klog_syslog(LOG_ERR, "Missing principal in database "
 "entry, no authorization data will " \
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 5bc89e2..3bd6e64 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
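Review bot: With `entry == NULL`, an item that carries a `service:` prefix now skips the whole prefix-handling branch, so `authz_data_type` still points at the full `authz_data_list[c]` string and `service_specific` stays false when control reaches the code after the hunk. That code is outside the hunk, so its behaviour is inferred, but a service-specific value should probably not be evaluated as a global type when no service entry is given. Keeping `if (sep != NULL) {` and adding `if (entry == NULL) { continue; }` as the first statement inside it would skip such items explicitly (assuming, as the `[c]` indexing suggests, that this runs inside a loop over the list). Because the result decides which authorization data goes into a ticket, a one-line comment there saying that a NULL entry means "no service, global defaults only" would also help the next reader.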
@@ -404,6 +404,14 @@ void test_get_authz_data_types(void **state)
 get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad);
 assert_true(with_pad == test_set[c].exp_with_pad);
 assert_true(with_pac == test_set[c].exp_with_pac);
+
+ /* test if global default are returned if there is no server entry */
+ if (test_set[c].authz_data == NULL && test_set[c].princ == NULL) {
+ get_authz_data_types(test_ctx->krb5_ctx, NULL, &with_pac,
+ &with_pad);
+ assert_true(with_pad == test_set[c].exp_with_pad);
+ assert_true(with_pac == test_set[c].exp_with_pac);
+ }
 }
 free(ied);
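Review bot: The added NULL-entry call only runs for rows where both `authz_data` and `princ` are NULL, so whether it ever reaches the changed condition in get_authz_data_types() (`sep != NULL && entry != NULL`) depends on the global default list set up by the test fixture, which is not visible in this hunk. If those defaults contain no `service:`-prefixed value, the guarded path is not exercised and the test would pass with or without the fix. A comment on the new block naming what it relies on, e.g. `/* relies on the global defaults from test setup containing a service-specific value */`, or a dedicated case that sets such a default, would make the coverage explicit. The hunk starts and ends inside test_get_authz_data_types(), so the loop and fixture are outside the view.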