From dd8553b54b7e6fad207ec09cffe039b844493755 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 7 Sep 2016 14:57:59 +0200
Subject: s4-kdc: Move kpasswd_make_pwchange_reply() to a helper file
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Sun Sep 11 06:45:00 CEST 2016 on sn-devel-144
---
 source4/kdc/kpasswd-heimdal.c | 63 +++-----------------------------
 source4/kdc/kpasswd-helper.c | 84 +++++++++++++++++++++++++++++++++++++++++++
 source4/kdc/kpasswd-helper.h | 6 ++++
 3 files changed, 94 insertions(+), 59 deletions(-)
(limited to 'source4/kdc')
diff --git a/source4/kdc/kpasswd-heimdal.c b/source4/kdc/kpasswd-heimdal.c
index af8187b4765..49fc755dad3 100644
--- a/source4/kdc/kpasswd-heimdal.c
+++ b/source4/kdc/kpasswd-heimdal.c
@@ -72,60 +72,6 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
 return true;
 }
-static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
-TALLOC_CTX *mem_ctx,
-NTSTATUS status,
-enum samPwdChangeReason reject_reason,
-struct samr_DomInfo1 *dominfo,
-DATA_BLOB *error_blob)
-{
-if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
-return kpasswd_make_error_reply(mem_ctx,
-KRB5_KPASSWD_ACCESSDENIED,
-"No such user when changing password",
-error_blob);
-}
-if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
-return kpasswd_make_error_reply(mem_ctx,
-KRB5_KPASSWD_ACCESSDENIED,
-"Not permitted to change password",
-error_blob);
-}
-if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-const char *reject_string;
-switch (reject_reason) {
-case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
-reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long.",
-dominfo->min_password_length);
-break;
-case SAM_PWD_CHANGE_NOT_COMPLEX:
-reject_string = "Password does not meet complexity requirements";
-break;
-case SAM_PWD_CHANGE_PWD_IN_HISTORY:
-reject_string = talloc_asprintf(mem_ctx, "Password is already in password history. New password must not match any of your %d previous passwords.",
-dominfo->password_history_length);
-break;
-default:
-reject_string = "Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.";
-break;
-}
-return kpasswd_make_error_reply(mem_ctx,
-KRB5_KPASSWD_SOFTERROR,
-reject_string,
-error_blob);
-}
-if (!NT_STATUS_IS_OK(status)) {
-return kpasswd_make_error_reply(mem_ctx,
-KRB5_KPASSWD_HARDERROR,
-talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)),
-error_blob);
-
-}
-return kpasswd_make_error_reply(mem_ctx, KRB5_KPASSWD_SUCCESS,
-"Password changed",
-error_blob);
-}
-
 /*
 A user password change
@@ -161,8 +107,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
 reply);
 }
-return kpasswd_make_pwchange_reply(kdc,
-mem_ctx,
+return kpasswd_make_pwchange_reply(mem_ctx,
 result,
 reject_reason,
 dominfo,
@@ -321,7 +266,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
 if (ret != LDB_SUCCESS) {
 free(set_password_on_princ);
 status = NT_STATUS_TRANSACTION_ABORTED;
-return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+return kpasswd_make_pwchange_reply(mem_ctx,
 status,
 SAM_PWD_CHANGE_NO_ERROR,
 NULL,
@@ -340,7 +285,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
 free(set_password_on_princ);
 if (!NT_STATUS_IS_OK(status)) {
 ldb_transaction_cancel(samdb);
-return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+return kpasswd_make_pwchange_reply(mem_ctx,
 status,
 SAM_PWD_CHANGE_NO_ERROR,
 NULL,
@@ -367,7 +312,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
 } else {
 ldb_transaction_cancel(samdb);
 }
-return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+return kpasswd_make_pwchange_reply(mem_ctx,
 status,
 reject_reason,
 dominfo,
diff --git a/source4/kdc/kpasswd-helper.c b/source4/kdc/kpasswd-helper.c
index 31195d907d5..5ecb6e976b4 100644
--- a/source4/kdc/kpasswd-helper.c
+++ b/source4/kdc/kpasswd-helper.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "system/kerberos.h"
+#include "librpc/gen_ndr/samr.h"
 #include "kdc/kpasswd-helper.h"
 bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
@@ -72,3 +73,86 @@ bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
 return true;
 }
+
+bool kpasswd_make_pwchange_reply(TALLOC_CTX *mem_ctx,
+NTSTATUS status,
+enum samPwdChangeReason reject_reason,
+struct samr_DomInfo1 *dominfo,
+DATA_BLOB *error_blob)
+{
+const char *reject_string = NULL;
+
+if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+return kpasswd_make_error_reply(mem_ctx,
+KRB5_KPASSWD_ACCESSDENIED,
+"No such user when changing password",
+error_blob);
+} else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+return kpasswd_make_error_reply(mem_ctx,
+KRB5_KPASSWD_ACCESSDENIED,
+"Not permitted to change password",
+error_blob);
+}
+if (dominfo != NULL &&
+NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+switch (reject_reason) {
+case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
+reject_string =
+talloc_asprintf(mem_ctx,
+"Password too short, password "
+"must be at least %d characters "
+"long.",
+dominfo->min_password_length);
+if (reject_string == NULL) {
+reject_string = "Password too short";
+}
+break;
+case SAM_PWD_CHANGE_NOT_COMPLEX:
+reject_string = "Password does not meet complexity "
+"requirements";
+break;
+case SAM_PWD_CHANGE_PWD_IN_HISTORY:
+reject_string =
+talloc_asprintf(mem_ctx,
+"Password is already in password "
+"history. 
New password must not "
+"match any of your %d previous "
+"passwords.",
+dominfo->password_history_length);
+if (reject_string == NULL) {
+reject_string = "Password is already in password "
+"history";
+}
+break;
+default:
+reject_string = "Password change rejected, password "
+"changes may not be permitted on this "
+"account, or the minimum password age "
+"may not have elapsed.";
+break;
+}
+
+return kpasswd_make_error_reply(mem_ctx,
+KRB5_KPASSWD_SOFTERROR,
+reject_string,
+error_blob);
+}
+
+if (!NT_STATUS_IS_OK(status)) {
+reject_string = talloc_asprintf(mem_ctx,
+"Failed to set password: %s",
+nt_errstr(status));
+if (reject_string == NULL) {
+reject_string = "Failed to set password";
+}
+return kpasswd_make_error_reply(mem_ctx,
+KRB5_KPASSWD_HARDERROR,
+reject_string,
+error_blob);
+}
+
+return kpasswd_make_error_reply(mem_ctx,
+KRB5_KPASSWD_SUCCESS,
+"Password changed",
+error_blob);
+}
diff --git a/source4/kdc/kpasswd-helper.h b/source4/kdc/kpasswd-helper.h
index 74a508ca70f..d2ff1e3ec2f 100644
--- a/source4/kdc/kpasswd-helper.h
+++ b/source4/kdc/kpasswd-helper.h
@@ -27,4 +27,10 @@ bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
 const char *error_string,
 DATA_BLOB *error_data);
+bool kpasswd_make_pwchange_reply(TALLOC_CTX *mem_ctx,
+NTSTATUS status,
+enum samPwdChangeReason reject_reason,
+struct samr_DomInfo1 *dominfo,
+DATA_BLOB *error_blob);
+
 #endif /* _KPASSWD_HELPER_H */
-- cgit v1.2.1
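Review bot: In the new kpasswd_make_pwchange_reply body the soft-error branch requires `dominfo != NULL` in addition to `NT_STATUS_PASSWORD_RESTRICTION`, so a policy rejection that arrives without domain info drops through to the `KRB5_KPASSWD_HARDERROR` reply with "Failed to set password: NT_STATUS_PASSWORD_RESTRICTION", even though only the two `talloc_asprintf` cases actually read dominfo. The condition is carried over from the removed copy in kpasswd-heimdal.c, and whether any caller can reach the helper with that status and a NULL dominfo is not visible in these hunks, but since this is now the single public mapping from NTSTATUS to kpasswd result codes it would be more robust to key the branch on the status alone and let the two detailed messages fall back to their short forms when dominfo is missing. The fallback strings this commit already adds for allocation failure cover that case without new text, as sketched below.
```c
	if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
		switch (reject_reason) {
		case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
			if (dominfo != NULL) {
				reject_string = talloc_asprintf(mem_ctx,
						"Password too short, password "
						"must be at least %d characters "
						"long.",
						dominfo->min_password_length);
			}
			if (reject_string == NULL) {
				reject_string = "Password too short";
			}
			break;
		/* … unchanged: SAM_PWD_CHANGE_NOT_COMPLEX case … */
		case SAM_PWD_CHANGE_PWD_IN_HISTORY:
			if (dominfo != NULL) {
				reject_string = talloc_asprintf(mem_ctx,
						"Password is already in password "
						"history. New password must not "
						"match any of your %d previous "
						"passwords.",
						dominfo->password_history_length);
			}
			if (reject_string == NULL) {
				reject_string = "Password is already in password "
						"history";
			}
			break;
		/* … unchanged: default case and the KRB5_KPASSWD_SOFTERROR reply … */
```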
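Review bot: The new public prototype in kpasswd-helper.h carries no comment, and nothing at the declaration says which inputs are optional: the kpasswd-heimdal.c callers pass `NULL` for dominfo and `SAM_PWD_CHANGE_NO_ERROR` for reject_reason on the transaction-abort paths, and the implementation reads either only when status is NT_STATUS_PASSWORD_RESTRICTION. A short Doxygen block above the declaration stating that it translates the outcome of a password set into a kpasswd result code with a message placed in error_blob, that it returns whatever kpasswd_make_error_reply returns, that dominfo may be NULL, and that reject_reason is ignored unless status is NT_STATUS_PASSWORD_RESTRICTION would let future callers use it without reading kpasswd-helper.c.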