Merge commit 'upstream/0.9.rc1'
Guido Günther
15 years ago
| 0 | 0 | Christopher Aillon <caillon@redhat.com> |
| 1 | 1 | Jonathan Blandford <jrb@redhat.com> |
| 2 | Colin Walters <walters@verbum.org> | |
| 2 | 3 | Guido Günther <agx@sigxcpu.org> |
| 0 | Sa Apr 4 11:15:39 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 0 | Sat Apr 18 00:19:02 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 1 | ||
| 2 | * src/krb5-auth-gconf.c (ka_gconf_set_principal): handle length zero | |
| 3 | KA_GCONF_KEY_PRINCIPAL | |
| 4 | ||
| 5 | Fri Apr 17 13:36:00 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 6 | ||
| 7 | * preferences/krb5-auth-dialog-preferences.glade: mark GtkEntrys | |
| 8 | activates_default and close button as has_default. | |
| 9 | ||
| 10 | Fri Apr 17 13:20:09 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 11 | ||
| 12 | make pkinit anchors configurable and pass pkinit options to | |
| 13 | krb5_get_init_creds_opt_set_pa (MIT pkinit), if available. | |
| 14 | * configure.ac: check for krb5_get_init_creds_opt_set_pa | |
| 15 | * preferences/krb5-auth-dialog-preferences.c | |
| 16 | (ka_preferences_pkanchors_notify, | |
| 17 | ka_preferences_dialog_pkanchors_changed, | |
| 18 | ka_preferences_dialog_setup_pkanchors_entry): new functions | |
| 19 | (ka_preferences_dialog_init: call | |
| 20 | ka_preferences_dialog_setup_pkanchors_entry to handle pk_anchors | |
| 21 | * preferences/krb5-auth-dialog-preferences.glade: add pkanchors_entry | |
| 22 | GtkEntry | |
| 23 | * src/krb5-auth-applet.c (ka_applet-{set,get}_property, | |
| 24 | ka_applet_class_init): handle pk-anchors property | |
| 25 | * src/krb5-auth-dialog.c (ka_set_ticket_options): pass pkinit userid | |
| 26 | and anchors to krb5_get_init_creds_opt_set_pa if available. | |
| 27 | (ka_auth_pkinit): rename to ka_auth_heimdal_pkinit | |
| 28 | (ka_auth_heimdal_pkinit): pass pk_anchors | |
| 29 | (grab_credentials): fetch pk_anchors from pk-anchors property and | |
| 30 | pass it to ka_auth_{password,heimdal_pkinit} | |
| 31 | * src/krb5-auth-gconf.c (ka_gconf_set_pk_anchors): new function | |
| 32 | (ka_gconf_key_changed_callback): handle pk_anchors | |
| 33 | (ka_gconf_init); likewise | |
| 34 | * src/krb5-auth-gconf-tools.h: add pk_anchors | |
| 35 | * src/krb5-auth-dialog.schemas.in: add pk_anchors | |
| 36 | ||
| 37 | Fri Apr 17 13:19:18 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 38 | ||
| 39 | * AUTHORS: add Colin | |
| 40 | ||
| 41 | Sat Apr 4 11:15:39 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 1 | 42 | |
| 2 | 43 | GtkSecureEntry warning fixes: |
| 3 | 44 | * gtksecentry/gtksecentry.c (gtk_secure_entry_state_changed: drop |
| 20 | 61 | (gtk_secure_entry_layout_index_to_text_index): likewise |
| 21 | 62 | (gtk_secure_entry_text_index_to_layout_index): likewise |
| 22 | 63 | |
| 23 | Sa Apr 4 11:06:45 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 64 | Sat Apr 4 11:06:45 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 24 | 65 | |
| 25 | 66 | add preferences capplet |
| 26 | 67 | * preferences/{krb5-auth-dialog-preferences.{c,glade,desktop.in}, |
| 31 | 72 | preferences |
| 32 | 73 | (ka_applet_create_context_menu): add preferences context menu entry |
| 33 | 74 | |
| 34 | Sa Apr 4 10:57:23 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 75 | Sat Apr 4 10:57:23 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 35 | 76 | |
| 36 | 77 | allow to set ticket proxiable, renewable and forwardable ticket flags |
| 37 | 78 | via gconf |
| 46 | 87 | boolean gconf keys |
| 47 | 88 | * src/krb5-auth-dialog.schemas.in: add new gconf keys to schema |
| 48 | 89 | |
| 49 | Sa Apr 4 10:52:53 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 90 | Sat Apr 4 10:52:53 CEST 2009 Guido Günther <agx@sigxcpu.org> | |
| 50 | 91 | |
| 51 | 92 | split out gconf tool functions |
| 52 | 93 | * src/krb5-auth-gconf-tools.h: new file |
| 55 | 96 | src/krb5-auth-gconf-tools.c |
| 56 | 97 | (KA_GCONF_*): move to src/krb5-auth-gconf-tools.h |
| 57 | 98 | |
| 58 | Sa Mär 28 14:17:49 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 99 | Sat Mär 28 14:17:49 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 59 | 100 | |
| 60 | 101 | add dbus service file |
| 61 | 102 | * src/org.gnome.KrbAuthDialog.service.in: new file |
| 62 | 103 | * src/Makefile.am (service_DATA): process annd install service file |
| 63 | 104 | |
| 64 | Di Mär 24 00:04:50 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 105 | Tue Mär 24 00:04:50 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 65 | 106 | |
| 66 | 107 | monitor ccache via GFileMontor |
| 67 | 108 | * src/krb5-auth-dialog.c (monitor_ccache, ka_ccache_filename, |
| 69 | 110 | (main): monitor ccache via monitor_ccache |
| 70 | 111 | * configure.ac: look for gio-unix |
| 71 | 112 | |
| 72 | Di Mär 24 00:01:28 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 113 | Tue Mär 24 00:01:28 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 73 | 114 | |
| 74 | 115 | * src/krb5-auth-dialog.c (auth_dialog_prompter): handle |
| 75 | 116 | GTK_RESPONSE_DELETE_EVENT like GTK_RESPONSE_CANCEL so pressing ESC or |
| 78 | 119 | kerberos error codes - more robust since heimdal and mit have different |
| 79 | 120 | responses, let alone pkinit. |
| 80 | 121 | |
| 81 | Mo Mär 23 23:57:36 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 122 | Mon Mär 23 23:57:36 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 82 | 123 | |
| 83 | 124 | split password auth into a separate function |
| 84 | 125 | * src/krb5-auth-dialog.c (ka_auth_password): new function |
| 85 | 126 | (grab_credentials): fall back to password auth if no token is |
| 86 | 127 | present and pkinit is enabled |
| 87 | 128 | |
| 88 | Mo Mär 23 23:55:20 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 129 | Mon Mär 23 23:55:20 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 89 | 130 | |
| 90 | 131 | * src/krb5-auth-pwdialog.h: remove unused headers |
| 91 | 132 | * src/krb5-auth-applet.h: likewise |
| 92 | 133 | * src/krb5-auth-dialog.c (is_online): move static variable to the top |
| 93 | 134 | |
| 94 | Mi Mär 11 17:21:07 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 135 | Wed Mär 11 17:21:07 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 95 | 136 | |
| 96 | 137 | silence compiler warnings |
| 97 | 138 | * src/krb5-auth-{applet,dialog,gconf,pwdialog}.[ch]: mark unused |
| 98 | 139 | parameters as G_GNUC_UNUSED or drop them, add missing void to |
| 99 | 140 | prototypes |
| 100 | 141 | |
| 101 | Mi Mär 11 17:19:02 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 142 | Mon Mär 11 17:19:02 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 102 | 143 | |
| 103 | 144 | add more compiler warnings |
| 104 | 145 | * acinclude.m4: add KA_COMPILE_WARNINGS |
| 105 | 146 | * compiler-flags.m4: add gl_COMPILER_FLAGS to test compiler options |
| 106 | 147 | * configure.ac: call KA_COMPILE_WARNINGS and add WARN_CFLAGS to CFLAGS |
| 107 | 148 | |
| 108 | Mi Mär 11 17:10:11 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 149 | Wed Mär 11 17:10:11 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 109 | 150 | |
| 110 | 151 | push the dialog into the foreground and grab the keyboard so we make |
| 111 | 152 | sure the user gets to see the dialog in all cases (e.g. when an app is |
| 116 | 157 | window_state_changed): new functions |
| 117 | 158 | (ka_pwdialog_run): use these |
| 118 | 159 | |
| 119 | Mi Mär 11 17:04:03 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 160 | Wed Mär 11 17:04:03 CET 2009 Guido Günther <agx@sigxcpu.org> | |
| 120 | 161 | |
| 121 | 162 | add a pwdialog gobject - remove lots of duplicate code and splits most |
| 122 | 163 | of the password dialog handling into its own file |
| 64 | 64 | AC_CHECK_MEMBERS(krb5_creds.flags.b.renewable,,,[#include <krb5.h>]) |
| 65 | 65 | AC_CHECK_MEMBERS(krb5_creds.flags.b.proxiable,,,[#include <krb5.h>]) |
| 66 | 66 | AC_CHECK_MEMBERS(krb5_creds.flags,,,[#include <krb5.h>]) |
| 67 | AC_CHECK_FUNCS([krb5_get_error_message]) | |
| 68 | AC_CHECK_FUNCS([krb5_get_renewed_creds]) | |
| 69 | AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_default_flags]) | |
| 70 | AC_CHECK_FUNCS([krb5_cc_clear_mcred]) | |
| 67 | AC_CHECK_FUNCS([krb5_get_error_message krb5_get_renewed_creds \ | |
| 68 | krb5_get_init_creds_opt_set_default_flags \ | |
| 69 | krb5_cc_clear_mcred]) | |
| 70 | AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit], | |
| 71 | [heimdal_pkinit=yes],[heimdal_pkinit=no]) | |
| 72 | AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pa], | |
| 73 | [mit_pkinit=yes],[mit_pkinit=no]) | |
| 71 | 74 | AC_MSG_CHECKING(if a krb5_principal->realm is a char*) |
| 72 | 75 | AC_COMPILE_IFELSE([ |
| 73 | 76 | $ac_includes_default |
| 94 | 97 | foo->realm = bar; |
| 95 | 98 | return 0; |
| 96 | 99 | }],[AC_DEFINE(HAVE_KRB5_PRINCIPAL_REALM_AS_DATA,1,[Define if the realm of a krb5_principal is a krb5_data]) |
| 97 | AC_MSG_RESULT(yes)], | |
| 98 | AC_MSG_RESULT(no)) | |
| 100 | AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) | |
| 101 | ||
| 99 | 102 | dnl pkinit |
| 100 | 103 | AC_MSG_CHECKING([whether to enable pkinit support]) |
| 101 | 104 | AC_ARG_ENABLE([pkinit], |
| 102 | 105 | AS_HELP_STRING([--enable-pkinit],[whether to enable preauth via pkinit support]), |
| 103 | 106 | [],[enable_pkinit=autodetect]) |
| 107 | ||
| 108 | if test "x$heimdal_pkinit" = "xyes" -o \ | |
| 109 | "x$mit_pkinit" = "xyes"; then | |
| 110 | enable_pkinit=yes | |
| 111 | AC_DEFINE([ENABLE_PKINIT],[1],[Define for pkinit support]) | |
| 112 | fi | |
| 104 | 113 | AC_MSG_RESULT([$enable_pkinit]) |
| 105 | ||
| 106 | if test "x$enable_pkinit" != "xno"; then | |
| 107 | AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit], | |
| 108 | [enable_pkinit=yes],[enable_pkinit=no]) | |
| 109 | fi | |
| 110 | ||
| 111 | if test "x$enable_pkinit" = "xyes"; then | |
| 112 | AC_DEFINE([ENABLE_PKINIT],[1],[Define for pkinit support]) | |
| 113 | fi | |
| 114 | 114 | AM_CONDITIONAL([ENABLE_PKINIT],[test "x$enable_pkinit" = "xyes"]) |
| 115 | 115 | CFLAGS="$savedCFLAGS" |
| 116 | 116 | LIBS="$savedLIBS" |
| 117 | ||
| 118 | 117 | |
| 119 | 118 | |
| 120 | 119 | dnl NetworkManager |
| 0 | <Project xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" | |
| 1 | xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" | |
| 2 | xmlns:foaf="http://xmlns.com/foaf/0.1/" | |
| 3 | xmlns:gnome="http://api.gnome.org/doap-extensions#" | |
| 4 | xmlns="http://usefulinc.com/ns/doap#"> | |
| 5 | <name xml:lang="en">krb5-auth-dialog</name> | |
| 6 | <shortdesc xml:lang="en">Tray applet to acquire, monitor and refresh Kerberos tickets</shortdesc> | |
| 7 | <homepage rdf:resource="https://honk.sigxcpu.org/piki/projects/krb5-auth-dialog/" /> | |
| 8 | <maintainer> | |
| 9 | <foaf:Person> | |
| 10 | <foaf:name>Guido Günther</foaf:name> | |
| 11 | <foaf:mbox rdf:resource="agx@sigxcpu.org" /> | |
| 12 | <gnome:userid>guidog</gnome:userid> | |
| 13 | </foaf:Person> | |
| 14 | </maintainer> | |
| 15 | </Project> | |
| 16 |
| 35 | 35 | |
| 36 | 36 | #include "krb5-auth-gconf-tools.h" |
| 37 | 37 | |
| 38 | #define N_LISTENERS 7 | |
| 38 | #define N_LISTENERS 8 | |
| 39 | 39 | |
| 40 | 40 | typedef struct { |
| 41 | 41 | GladeXML *xml; |
| 44 | 44 | GtkWidget *dialog; |
| 45 | 45 | GtkWidget *principal_entry; |
| 46 | 46 | GtkWidget *pkuserid_entry; |
| 47 | GtkWidget *pkanchors_entry; | |
| 47 | 48 | GtkWidget *forwardable_toggle; |
| 48 | 49 | GtkWidget *proxiable_toggle; |
| 49 | 50 | GtkWidget *renewable_toggle; |
| 191 | 192 | dialog->listeners [dialog->n_listeners] = gconf_client_notify_add (dialog->client, |
| 192 | 193 | KA_GCONF_KEY_PK_USERID, |
| 193 | 194 | (GConfClientNotifyFunc) ka_preferences_pkuserid_notify, |
| 195 | dialog, NULL, NULL); | |
| 196 | dialog->n_listeners++; | |
| 197 | } | |
| 198 | ||
| 199 | ||
| 200 | static void | |
| 201 | ka_preferences_pkanchors_notify (GConfClient *client G_GNUC_UNUSED, | |
| 202 | guint cnx_id G_GNUC_UNUSED, | |
| 203 | GConfEntry *entry, | |
| 204 | KaPreferencesDialog *dialog) | |
| 205 | { | |
| 206 | const char *pkanchors; | |
| 207 | ||
| 208 | if (!entry->value || entry->value->type != GCONF_VALUE_STRING) | |
| 209 | return; | |
| 210 | ||
| 211 | pkanchors = gconf_value_get_string (entry->value); | |
| 212 | ||
| 213 | if (!pkanchors || !strlen(pkanchors)) | |
| 214 | gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), ""); | |
| 215 | else { | |
| 216 | const char *old_pkanchors; | |
| 217 | ||
| 218 | old_pkanchors = gtk_entry_get_text (GTK_ENTRY (dialog->pkanchors_entry)); | |
| 219 | if (!old_pkanchors || (old_pkanchors && strcmp (old_pkanchors, pkanchors))) | |
| 220 | gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors); | |
| 221 | } | |
| 222 | } | |
| 223 | ||
| 224 | ||
| 225 | static void | |
| 226 | ka_preferences_dialog_pkanchors_changed (GtkEntry *entry, | |
| 227 | KaPreferencesDialog *dialog) | |
| 228 | { | |
| 229 | const char *pkanchors; | |
| 230 | ||
| 231 | pkanchors = gtk_entry_get_text (entry); | |
| 232 | ||
| 233 | if (!pkanchors || !strlen(pkanchors)) | |
| 234 | gconf_client_unset (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL); | |
| 235 | else | |
| 236 | gconf_client_set_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, pkanchors, NULL); | |
| 237 | } | |
| 238 | ||
| 239 | ||
| 240 | static void | |
| 241 | ka_preferences_dialog_setup_pkanchors_entry (KaPreferencesDialog *dialog) | |
| 242 | { | |
| 243 | char *pkanchors = NULL; | |
| 244 | ||
| 245 | dialog->pkanchors_entry = glade_xml_get_widget (dialog->xml, "pkanchors_entry"); | |
| 246 | g_assert (dialog->pkanchors_entry != NULL); | |
| 247 | ||
| 248 | if (!ka_gconf_get_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, &pkanchors)) | |
| 249 | g_warning ("Getting pkanchors failed"); | |
| 250 | ||
| 251 | if (pkanchors && strlen(pkanchors)) | |
| 252 | gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors); | |
| 253 | if (pkanchors) | |
| 254 | g_free (pkanchors); | |
| 255 | ||
| 256 | g_signal_connect (dialog->pkanchors_entry, "changed", | |
| 257 | G_CALLBACK (ka_preferences_dialog_pkanchors_changed), dialog); | |
| 258 | if (!gconf_client_key_is_writable (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL)) { | |
| 259 | gtk_widget_set_sensitive (dialog->pkanchors_entry, FALSE); | |
| 260 | } | |
| 261 | ||
| 262 | dialog->listeners [dialog->n_listeners] = gconf_client_notify_add (dialog->client, | |
| 263 | KA_GCONF_KEY_PK_ANCHORS, | |
| 264 | (GConfClientNotifyFunc) ka_preferences_pkanchors_notify, | |
| 194 | 265 | dialog, NULL, NULL); |
| 195 | 266 | dialog->n_listeners++; |
| 196 | 267 | } |
| 551 | 622 | |
| 552 | 623 | ka_preferences_dialog_setup_principal_entry (dialog); |
| 553 | 624 | ka_preferences_dialog_setup_pkuserid_entry (dialog); |
| 625 | ka_preferences_dialog_setup_pkanchors_entry(dialog); | |
| 554 | 626 | ka_preferences_dialog_setup_forwardable_toggle (dialog); |
| 555 | 627 | ka_preferences_dialog_setup_proxiable_toggle (dialog); |
| 556 | 628 | ka_preferences_dialog_setup_renewable_toggle (dialog); |
| 0 | 0 | <?xml version="1.0" encoding="UTF-8" standalone="no"?> |
| 1 | 1 | <!DOCTYPE glade-interface SYSTEM "glade-2.0.dtd"> |
| 2 | <!--Generated with glade3 3.4.5 on Thu Apr 2 18:10:14 2009 --> | |
| 2 | <!--Generated with glade3 3.4.5 on Tue Apr 14 22:22:46 2009 --> | |
| 3 | 3 | <glade-interface> |
| 4 | 4 | <widget class="GtkDialog" id="krb5_auth_dialog_prefs"> |
| 5 | 5 | <property name="border_width">5</property> |
| 86 | 86 | <widget class="GtkEntry" id="principal_entry"> |
| 87 | 87 | <property name="visible">True</property> |
| 88 | 88 | <property name="can_focus">True</property> |
| 89 | <property name="activates_default">True</property> | |
| 89 | 90 | </widget> |
| 90 | 91 | <packing> |
| 91 | 92 | <property name="position">1</property> |
| 127 | 128 | <property name="visible">True</property> |
| 128 | 129 | <property name="can_focus">True</property> |
| 129 | 130 | <property name="tooltip" translatable="yes">The principal's public/private/certificate identifier. Leave empty if not using PKINIT.</property> |
| 131 | <property name="activates_default">True</property> | |
| 130 | 132 | </widget> |
| 131 | 133 | <packing> |
| 132 | 134 | <property name="position">1</property> |
| 135 | 137 | </widget> |
| 136 | 138 | <packing> |
| 137 | 139 | <property name="position">3</property> |
| 140 | </packing> | |
| 141 | </child> | |
| 142 | <child> | |
| 143 | <widget class="GtkLabel" id="label3"> | |
| 144 | <property name="visible">True</property> | |
| 145 | <property name="xalign">0</property> | |
| 146 | <property name="label" translatable="yes">PKINT anchors:</property> | |
| 147 | </widget> | |
| 148 | <packing> | |
| 149 | <property name="expand">False</property> | |
| 150 | <property name="fill">False</property> | |
| 151 | <property name="position">4</property> | |
| 152 | </packing> | |
| 153 | </child> | |
| 154 | <child> | |
| 155 | <widget class="GtkHBox" id="hbox12"> | |
| 156 | <property name="visible">True</property> | |
| 157 | <property name="spacing">6</property> | |
| 158 | <child> | |
| 159 | <widget class="GtkLabel" id="label20"> | |
| 160 | <property name="visible">True</property> | |
| 161 | <property name="label" translatable="yes"> </property> | |
| 162 | </widget> | |
| 163 | <packing> | |
| 164 | <property name="expand">False</property> | |
| 165 | <property name="fill">False</property> | |
| 166 | </packing> | |
| 167 | </child> | |
| 168 | <child> | |
| 169 | <widget class="GtkEntry" id="pkanchors_entry"> | |
| 170 | <property name="visible">True</property> | |
| 171 | <property name="can_focus">True</property> | |
| 172 | <property name="tooltip" translatable="yes">Path to CA certificates used as trust anchors for PKINIT</property> | |
| 173 | <property name="activates_default">True</property> | |
| 174 | </widget> | |
| 175 | <packing> | |
| 176 | <property name="position">1</property> | |
| 177 | </packing> | |
| 178 | </child> | |
| 179 | </widget> | |
| 180 | <packing> | |
| 181 | <property name="position">5</property> | |
| 138 | 182 | </packing> |
| 139 | 183 | </child> |
| 140 | 184 | </widget> |
| 391 | 435 | <property name="visible">True</property> |
| 392 | 436 | <property name="can_focus">True</property> |
| 393 | 437 | <property name="tooltip" translatable="yes">Send notification about ticket expiry that many minutes before it finally expires. </property> |
| 438 | <property name="activates_default">True</property> | |
| 394 | 439 | <property name="adjustment">0 0 100 1 10 10</property> |
| 395 | 440 | </widget> |
| 396 | 441 | <packing> |
| 551 | 596 | <widget class="GtkButton" id="button1"> |
| 552 | 597 | <property name="visible">True</property> |
| 553 | 598 | <property name="can_focus">True</property> |
| 599 | <property name="can_default">True</property> | |
| 600 | <property name="has_default">True</property> | |
| 554 | 601 | <property name="receives_default">True</property> |
| 555 | 602 | <property name="label" translatable="yes">gtk-close</property> |
| 556 | 603 | <property name="use_stock">True</property> |
| 40 | 40 | KA_PROP_0 = 0, |
| 41 | 41 | KA_PROP_PRINCIPAL, |
| 42 | 42 | KA_PROP_PK_USERID, |
| 43 | KA_PROP_PK_ANCHORS, | |
| 43 | 44 | KA_PROP_TRAYICON, |
| 44 | 45 | KA_PROP_PW_PROMPT_MINS, |
| 45 | 46 | KA_PROP_TGT_FORWARDABLE, |
| 75 | 76 | char* principal; /* the principal to request */ |
| 76 | 77 | gboolean renewable; /* credentials renewable? */ |
| 77 | 78 | char* pk_userid; /* "userid" for pkint */ |
| 79 | char* pk_anchors; /* trust anchors for pkint */ | |
| 78 | 80 | gboolean tgt_forwardable; /* request a forwardable ticket */ |
| 79 | 81 | gboolean tgt_renewable; /* request a renewable ticket */ |
| 80 | 82 | gboolean tgt_proxiable; /* request a proxiable ticket */ |
| 101 | 103 | KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_userid); |
| 102 | 104 | break; |
| 103 | 105 | |
| 106 | case KA_PROP_PK_ANCHORS: | |
| 107 | g_free (self->priv->pk_anchors); | |
| 108 | self->priv->pk_anchors = g_value_dup_string (value); | |
| 109 | KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_anchors); | |
| 110 | break; | |
| 111 | ||
| 104 | 112 | case KA_PROP_TRAYICON: |
| 105 | 113 | self->priv->show_trayicon = g_value_get_boolean (value); |
| 106 | 114 | KA_DEBUG ("%s: %s", pspec->name, self->priv->show_trayicon ? "True" : "False"); |
| 149 | 157 | |
| 150 | 158 | case KA_PROP_PK_USERID: |
| 151 | 159 | g_value_set_string (value, self->priv->pk_userid); |
| 160 | break; | |
| 161 | ||
| 162 | case KA_PROP_PK_ANCHORS: | |
| 163 | g_value_set_string (value, self->priv->pk_anchors); | |
| 152 | 164 | break; |
| 153 | 165 | |
| 154 | 166 | case KA_PROP_TRAYICON: |
| 206 | 218 | |
| 207 | 219 | g_free (applet->priv->principal); |
| 208 | 220 | g_free (applet->priv->pk_userid); |
| 221 | g_free (applet->priv->pk_anchors); | |
| 209 | 222 | /* no need to free applet->priv */ |
| 210 | 223 | |
| 211 | 224 | if (parent_class->finalize != NULL) |
| 249 | 262 | G_PARAM_CONSTRUCT | G_PARAM_READWRITE); |
| 250 | 263 | g_object_class_install_property (object_class, |
| 251 | 264 | KA_PROP_PK_USERID, |
| 265 | pspec); | |
| 266 | ||
| 267 | pspec = g_param_spec_string ("pk-anchors", | |
| 268 | "PKinit trust anchors", | |
| 269 | "Get/Set Pkinit trust anchors", | |
| 270 | "", | |
| 271 | G_PARAM_CONSTRUCT | G_PARAM_READWRITE); | |
| 272 | g_object_class_install_property (object_class, | |
| 273 | KA_PROP_PK_ANCHORS, | |
| 252 | 274 | pspec); |
| 253 | 275 | |
| 254 | 276 | pspec = g_param_spec_boolean("show-trayicon", |
| 381 | 381 | * set ticket options by looking at krb5.conf and gconf |
| 382 | 382 | */ |
| 383 | 383 | static void |
| 384 | ka_set_ticket_options(KaApplet* applet, | |
| 385 | krb5_get_init_creds_opt *out) | |
| 384 | ka_set_ticket_options(KaApplet* applet, krb5_context context, | |
| 385 | krb5_get_init_creds_opt *out, | |
| 386 | const char* pk_userid, const char* pk_anchors) | |
| 386 | 387 | { |
| 387 | 388 | gboolean flag; |
| 388 | ||
| 389 | 389 | #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS |
| 390 | krb5_get_init_creds_opt_set_default_flags(kcontext, PACKAGE, | |
| 391 | krb5_principal_get_realm(kcontext, kprincipal), out); | |
| 390 | krb5_get_init_creds_opt_set_default_flags(context, PACKAGE, | |
| 391 | krb5_principal_get_realm(context, kprincipal), out); | |
| 392 | 392 | #endif |
| 393 | 393 | g_object_get(applet, "tgt-forwardable", &flag, NULL); |
| 394 | 394 | if (flag) |
| 401 | 401 | krb5_deltat r = 3600*24*30; /* 1 month */ |
| 402 | 402 | krb5_get_init_creds_opt_set_renew_life (out, r); |
| 403 | 403 | } |
| 404 | ||
| 405 | #if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA | |
| 406 | /* pkinit optins for MIT Kerberos */ | |
| 407 | if (pk_userid && strlen(pk_userid)) { | |
| 408 | KA_DEBUG("pkinit with '%s'", pk_userid); | |
| 409 | krb5_get_init_creds_opt_set_pa(context, out, | |
| 410 | "X509_user_identity", pk_userid); | |
| 411 | if (pk_anchors && strlen(pk_anchors)) { | |
| 412 | KA_DEBUG("pkinit anchors '%s'", pk_anchors); | |
| 413 | krb5_get_init_creds_opt_set_pa(context, out, | |
| 414 | "X509_anchors", pk_anchors); | |
| 415 | } | |
| 416 | } | |
| 417 | #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA */ | |
| 404 | 418 | } |
| 405 | 419 | |
| 406 | 420 | |
| 444 | 458 | } |
| 445 | 459 | |
| 446 | 460 | |
| 447 | #ifdef ENABLE_PKINIT | |
| 461 | #if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT | |
| 448 | 462 | static krb5_error_code |
| 449 | ka_auth_pkinit(KaApplet* applet, krb5_creds* creds, const char* pk_userid) | |
| 463 | ka_auth_heimdal_pkinit(KaApplet* applet, krb5_creds* creds, | |
| 464 | const char* pk_userid, const char* pk_anchors) | |
| 450 | 465 | { |
| 451 | 466 | krb5_get_init_creds_opt *opts = NULL; |
| 452 | 467 | krb5_error_code retval; |
| 468 | const char* pkinit_anchors = NULL; | |
| 453 | 469 | |
| 454 | 470 | KA_DEBUG("pkinit with '%s'", pk_userid); |
| 455 | ||
| 456 | retval = krb5_get_init_creds_opt_alloc (kcontext, &opts); | |
| 457 | if (retval) | |
| 471 | if (pk_anchors && strlen (pk_anchors)) { | |
| 472 | pkinit_anchors = pk_anchors; | |
| 473 | KA_DEBUG("pkinit anchors '%s'", pkinit_anchors); | |
| 474 | } | |
| 475 | ||
| 476 | if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts))) | |
| 458 | 477 | goto out; |
| 459 | ka_set_ticket_options (applet, opts); | |
| 460 | ||
| 478 | ||
| 479 | ka_set_ticket_options (applet, kcontext, opts, NULL, NULL); | |
| 461 | 480 | retval = krb5_get_init_creds_opt_set_pkinit(kcontext, opts, |
| 462 | 481 | kprincipal, |
| 463 | 482 | pk_userid, |
| 464 | NULL, /* x509 anchors */ | |
| 483 | pkinit_anchors, | |
| 465 | 484 | NULL, |
| 466 | 485 | NULL, |
| 467 | 486 | 0, /* pk_use_enc_key */ |
| 483 | 502 | #endif /* ! ENABLE_PKINIT */ |
| 484 | 503 | |
| 485 | 504 | static krb5_error_code |
| 486 | ka_auth_password(KaApplet* applet, krb5_creds* creds) | |
| 505 | ka_auth_password(KaApplet* applet, krb5_creds* creds, | |
| 506 | const char* pk_userid, const char* pk_anchors) | |
| 487 | 507 | { |
| 488 | 508 | krb5_error_code retval; |
| 489 | 509 | krb5_get_init_creds_opt *opts = NULL; |
| 490 | 510 | |
| 491 | retval = krb5_get_init_creds_opt_alloc (kcontext, &opts); | |
| 492 | if (retval) | |
| 511 | if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts))) | |
| 493 | 512 | goto out; |
| 494 | ka_set_ticket_options (applet, opts); | |
| 513 | ka_set_ticket_options (applet, kcontext, opts, | |
| 514 | pk_userid, pk_anchors); | |
| 515 | ||
| 495 | 516 | retval = krb5_get_init_creds_password(kcontext, creds, kprincipal, |
| 496 | 517 | NULL, auth_dialog_prompter, applet, |
| 497 | 518 | 0, NULL, opts); |
| 584 | 605 | krb5_creds my_creds; |
| 585 | 606 | krb5_ccache ccache; |
| 586 | 607 | gchar *pk_userid = NULL; |
| 608 | gchar *pk_anchors = NULL; | |
| 587 | 609 | gboolean pw_auth = TRUE; |
| 588 | 610 | |
| 589 | 611 | memset(&my_creds, 0, sizeof(my_creds)); |
| 598 | 620 | if (retval) |
| 599 | 621 | goto out2; |
| 600 | 622 | |
| 601 | g_object_get(applet, "pk-userid", &pk_userid, NULL); | |
| 602 | #ifdef ENABLE_PKINIT | |
| 623 | g_object_get(applet, "pk-userid", &pk_userid, | |
| 624 | "pk-anchors", &pk_anchors, | |
| 625 | NULL); | |
| 626 | #if ENABLE_PKINIT && HAVE_HX509_ERR_H && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT | |
| 603 | 627 | /* pk_userid set: try pkinit */ |
| 604 | 628 | if (pk_userid && strlen(pk_userid)) { |
| 605 | retval = ka_auth_pkinit(applet, &my_creds, pk_userid); | |
| 629 | retval = ka_auth_heimdal_pkinit(applet, &my_creds, | |
| 630 | pk_userid, pk_anchors); | |
| 606 | 631 | /* other error than: "no token found" - no need to try password auth: */ |
| 607 | 632 | if (retval != HX509_PKCS11_NO_TOKEN && retval != HX509_PKCS11_NO_SLOT) |
| 608 | 633 | pw_auth = FALSE; |
| 609 | 634 | } |
| 610 | 635 | #endif /* ENABLE_PKINIT */ |
| 611 | 636 | if (pw_auth) |
| 612 | retval = ka_auth_password(applet, &my_creds); | |
| 637 | retval = ka_auth_password(applet, &my_creds, | |
| 638 | pk_userid, pk_anchors); | |
| 613 | 639 | |
| 614 | 640 | creds_expiry = my_creds.times.endtime; |
| 615 | 641 | if (canceled) |
| 620 | 646 | case KRB5KRB_AP_ERR_BAD_INTEGRITY: |
| 621 | 647 | #ifdef HAVE_HX509_ERR_H |
| 622 | 648 | case HX509_PKCS11_LOGIN: |
| 623 | #endif | |
| 624 | /* Invalid password/pin, try again. */ | |
| 649 | #endif /* Invalid password/pin, try again. */ | |
| 625 | 650 | invalid_auth = TRUE; |
| 626 | 651 | break; |
| 627 | 652 | default: |
| 33 | 33 | <default></default> |
| 34 | 34 | |
| 35 | 35 | <locale name="C"> |
| 36 | <short>Pkinit identifier</short> | |
| 37 | <long>The principal's public/private/certificate identifier when using pkinit</long> | |
| 36 | <short>PKINIT identifier</short> | |
| 37 | <long>The principal's public/private/certificate identifier when using PKINIT</long> | |
| 38 | </locale> | |
| 39 | </schema> | |
| 40 | ||
| 41 | <schema> | |
| 42 | <key>/schemas/apps/::PACKAGE::/pk_anchors</key> | |
| 43 | <applyto>/apps/::PACKAGE::/pk_anchors</applyto> | |
| 44 | <owner>::PACKAGE::</owner> | |
| 45 | <type>string</type> | |
| 46 | <default></default> | |
| 47 | ||
| 48 | <locale name="C"> | |
| 49 | <short>PKINIT trust anchors</short> | |
| 50 | <long>PKINIT CA certificates</long> | |
| 38 | 51 | </locale> |
| 39 | 52 | </schema> |
| 40 | 53 |
| 27 | 27 | #define KA_GCONF_PATH "/apps/" PACKAGE |
| 28 | 28 | #define KA_GCONF_KEY_PRINCIPAL KA_GCONF_PATH "/principal" |
| 29 | 29 | #define KA_GCONF_KEY_PK_USERID KA_GCONF_PATH "/pk_userid" |
| 30 | #define KA_GCONF_KEY_PK_ANCHORS KA_GCONF_PATH "/pk_anchors" | |
| 30 | 31 | #define KA_GCONF_KEY_PROMPT_MINS KA_GCONF_PATH "/prompt_minutes" |
| 31 | 32 | #define KA_GCONF_KEY_SHOW_TRAYICON KA_GCONF_PATH "/show_trayicon" |
| 32 | 33 | #define KA_GCONF_KEY_FORWARDABLE KA_GCONF_PATH "/forwardable" |
| 19 | 19 | #include "config.h" |
| 20 | 20 | |
| 21 | 21 | #include <gconf/gconf-client.h> |
| 22 | #include <string.h> | |
| 22 | 23 | |
| 23 | 24 | #include "krb5-auth-applet.h" |
| 24 | 25 | #include "krb5-auth-gconf-tools.h" |
| 29 | 30 | { |
| 30 | 31 | gchar* principal = NULL; |
| 31 | 32 | |
| 32 | if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal)) { | |
| 33 | if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal) | |
| 34 | || !strlen(principal)) { | |
| 35 | g_free (principal); | |
| 33 | 36 | principal = g_strdup (g_get_user_name()); |
| 34 | 37 | } |
| 35 | 38 | g_object_set(applet, "principal", principal, NULL); |
| 48 | 51 | } |
| 49 | 52 | g_object_set(applet, "pk_userid", pk_userid, NULL); |
| 50 | 53 | g_free (pk_userid); |
| 54 | return TRUE; | |
| 55 | } | |
| 56 | ||
| 57 | ||
| 58 | static gboolean | |
| 59 | ka_gconf_set_pk_anchors (GConfClient* client, KaApplet* applet) | |
| 60 | { | |
| 61 | gchar* pk_anchors = NULL; | |
| 62 | ||
| 63 | if(!ka_gconf_get_string (client, KA_GCONF_KEY_PK_ANCHORS, &pk_anchors)) { | |
| 64 | pk_anchors = g_strdup (""); | |
| 65 | } | |
| 66 | g_object_set(applet, "pk_anchors", pk_anchors, NULL); | |
| 67 | g_free (pk_anchors); | |
| 51 | 68 | return TRUE; |
| 52 | 69 | } |
| 53 | 70 | |
| 139 | 156 | ka_gconf_set_show_trayicon (client, applet); |
| 140 | 157 | } else if (g_strcmp0 (key, KA_GCONF_KEY_PK_USERID) == 0) { |
| 141 | 158 | ka_gconf_set_pk_userid (client, applet); |
| 159 | } else if (g_strcmp0 (key, KA_GCONF_KEY_PK_ANCHORS) == 0) { | |
| 160 | ka_gconf_set_pk_anchors(client, applet); | |
| 142 | 161 | } else if (g_strcmp0 (key, KA_GCONF_KEY_FORWARDABLE) == 0) { |
| 143 | 162 | ka_gconf_set_tgt_forwardable (client, applet); |
| 144 | 163 | } else if (g_strcmp0 (key, KA_GCONF_KEY_RENEWABLE) == 0) { |
| 175 | 194 | ka_gconf_set_prompt_mins (client, applet); |
| 176 | 195 | ka_gconf_set_show_trayicon (client, applet); |
| 177 | 196 | ka_gconf_set_pk_userid(client, applet); |
| 197 | ka_gconf_set_pk_anchors(client, applet); | |
| 178 | 198 | ka_gconf_set_tgt_forwardable(client, applet); |
| 179 | 199 | ka_gconf_set_tgt_renewable(client, applet); |
| 180 | 200 | ka_gconf_set_tgt_proxiable(client, applet); |