From ec8a560392c89da96a805e9779eaa2041dd992c1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Sep 10 2020 19:34:00 +0000
Subject: ipa-kdb: support getprincs request in kadmin.local

kadmin.local getprincs command results in passing '*' as a principal to KDB driver function that looks up the principals. The whole filter looks like this (&(| (objectclass=krbprincipalaux) (objectclass=krbprincipal) (objectclass=ipakrbprincipal)) (|(ipakrbprincipalalias=*) (krbprincipalname:caseIgnoreIA5Match:=*))) There are two parts of the LDAP filter we use to look up principals, the part with 'krbprincipalname' uses extensible filter syntax of RFC 4515 section 3: extensible = ( attr [dnattrs] [matchingrule] COLON EQUALS assertionvalue ) / ( [dnattrs] matchingrule COLON EQUALS assertionvalue ) In case we've got a principal name as '*' we have to follow RFC 4515 section 3 and reencode it using rule from RFC 4511 section 4.1.6 but only to the part of the filter that does use assertion value.

Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index cdfb322..39b6ca9 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -966,6 +966,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
     krb5_error_code kerr;
     char *src_filter = NULL, *esc_original_princ = NULL;
     int ret;
+    int len = 0;
 
     if (!ipactx->lcontext) {
         ret = ipadb_get_connection(ipactx);
@@ -983,6 +984,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
         goto done;
     }
 
+    len = strlen(esc_original_princ);
+
     /* Starting in DAL 8.0, aliases are always okay. */
 #ifdef KRB5_KDB_FLAG_ALIAS_OK
     if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
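Review bot: `int len = 0;` in the first hunk receives a `size_t` from `strlen()` in the second hunk (line 984, `len = strlen(esc_original_princ);`), a narrowing conversion, and the only consumer visible in this patch is the later test `(len == 1) && (esc_original_princ[0] == '*')`, which just asks whether the escaped principal is exactly the one-character string `"*"`. Both additions can be dropped and that test written directly on the string, `if (esc_original_princ[0] == '*' && esc_original_princ[1] == '\0')`, which avoids the extra scan and the `int`/`size_t` mismatch. If `len` is kept it should be `size_t len = 0;`, and the companion `assertion_value` pointer would be better declared `const char *assertion_value = esc_original_princ;` so assigning `asterisk` to it does not discard a `const` qualifier. The `strlen()` call also presumes the `goto done;` check immediately before it guarantees `esc_original_princ` is non-NULL; that check lies outside the hunk so I cannot confirm it here. The enclosing function `ipadb_fetch_principals_with_extra_filter` begins before these hunks and continues past them.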
@@ -996,12 +999,24 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
     } else
 #endif
     {
+        /* In case we've got a principal name as '*' we have to
+         * follow RFC 4515 section 3 and reencode it using
+         * rule from RFC 4511 section 4.1.6 but
+         * only to the part of the filter that does use assertion
+         * value. */
+        const char *asterisk = "%x2A";
+        char *assertion_value = esc_original_princ;
+
+        if ((len == 1) && (esc_original_princ[0] == '*')) {
+            assertion_value = asterisk;
+        }
+
         if (filter == NULL) {
             ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
-                           esc_original_princ, esc_original_princ);
+                           esc_original_princ, assertion_value);
         } else {
             ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
-                           esc_original_princ, esc_original_princ, filter);
+                           esc_original_princ, assertion_value, filter);
         }
     }