IPA certauth plugin

This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension
which contains a Kerberos principal but allow other mappings with the
help of SSSD's certmap library.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <[email protected]>
Reviewed-By: David Kupka <[email protected]>

.gitignore

@@ -75,6 +75,7 @@ freeipa2-dev-doc
 /daemons/dnssec/ipa-ods-exporter.socket
 /daemons/ipa-kdb/ipa_kdb_tests
 /daemons/ipa-kdb/tests/.dirstamp
+/daemons/ipa-kdb/ipa-certauth
 /daemons/ipa-otpd/ipa-otpd
 /daemons/ipa-otpd/ipa-otpd.socket
 /daemons/ipa-otpd/[email protected]

daemons/ipa-kdb/Makefile.am

@@ -18,6 +18,7 @@ AM_CPPFLAGS =						\
 	$(WARN_CFLAGS)					\
 	$(NDRPAC_CFLAGS)				\
 	$(NSS_CFLAGS)					\
+	$(SSSCERTMAP_CFLAGS)				\
 	$(NULL)
 
 plugindir = $(libdir)/krb5/plugins/kdb
@@ -39,6 +40,20 @@ ipadb_la_SOURCES = 		\
 	ipa_kdb_audit_as.c	\
 	$(NULL)
 
+if BUILD_IPA_CERTAUTH_PLUGIN
+ipadb_la_SOURCES += ipa_kdb_certauth.c
+
+
+%: %.in
+	sed \
+		-e 's|@plugindir@|$(plugindir)|g' \
+		'$(srcdir)/[email protected]' >$@
+
+krb5confdir = $(sysconfdir)/krb5.conf.d
+krb5conf_DATA = ipa-certauth
+CLEANFILES = $(krb5conf_DATA)
+endif
+
 ipadb_la_LDFLAGS = 		\
 	-avoid-version 		\
 	-module			\
@@ -50,6 +65,7 @@ ipadb_la_LIBADD = 		\
 	$(NDRPAC_LIBS)		\
 	$(UNISTRING_LIBS)	\
 	$(NSS_LIBS)             \
+	$(SSSCERTMAP_LIBS)	\
 	$(top_builddir)/util/libutil.la	\
 	$(NULL)
 
@@ -70,6 +86,11 @@ ipa_kdb_tests_SOURCES =        \
        ipa_kdb_delegation.c    \
        ipa_kdb_audit_as.c      \
        $(NULL)
+
+if BUILD_IPA_CERTAUTH_PLUGIN
+ipa_kdb_tests_SOURCES += ipa_kdb_certauth.c
+endif
+
 ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
 ipa_kdb_tests_LDADD =          \
        $(CMOCKA_LIBS)          \
@@ -78,12 +99,13 @@ ipa_kdb_tests_LDADD =          \
        $(NDRPAC_LIBS)          \
        $(UNISTRING_LIBS)       \
        $(NSS_LIBS)             \
+       $(SSSCERTMAP_LIBS)      \
        $(top_builddir)/util/libutil.la	\
        -lkdb5                  \
        -lsss_idmap             \
        $(NULL)
 
-dist_noinst_DATA = ipa_kdb.exports
+dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in
 
 clean-local:
 	rm -f tests/.dirstamp

daemons/ipa-kdb/ipa-certauth.in

@@ -0,0 +1,5 @@
+[plugins]
+ certauth = {
+  module = ipakdb:@plugindir@/ipadb.so
+  enable_only = ipakdb
+ }

daemons/ipa-kdb/ipa_kdb.c

@@ -67,6 +67,8 @@ static void ipadb_context_free(krb5_context kcontext,
         }
         free(cfg->authz_data);
 
+        ipa_certauth_free_moddata(&((*ctx)->certauth_moddata));
+
         free(*ctx);
         *ctx = NULL;
     }

daemons/ipa-kdb/ipa_kdb.exports

@@ -3,6 +3,7 @@ EXPORTED {
 	# public symbols
 	global:
 		kdb_function_table;
+		certauth_ipakdb_initvt;
 
 	# everything else is local
 	local:

daemons/ipa-kdb/ipa_kdb.h

@@ -40,6 +40,7 @@
 #include <arpa/inet.h>
 #include <endian.h>
 #include <unistd.h>
+#include <krb5/certauth_plugin.h>
 
 #include "ipa_krb5.h"
 #include "ipa_pwd.h"
@@ -111,6 +112,7 @@ struct ipadb_context {
     krb5_key_salt_tuple *def_encs;
     int n_def_encs;
     struct ipadb_mspac *mspac;
+    krb5_certauth_moddata certauth_moddata;
 
     /* Don't access this directly, use ipadb_get_global_config(). */
     struct ipadb_global_config config;
@@ -331,3 +333,6 @@ ipadb_get_global_config(struct ipadb_context *ipactx);
 int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry,
                              char *attr, krb5_key_salt_tuple **enc_salt_types,
                              int *n_enc_salt_types);
+
+/* CERTAUTH PLUGIN */
+void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);