Add kinit PAC request options

Add --request-pac and --no-request-pac options to kinit, to explicitly
request inclusion or exclusion of PAC authorization data.

ticket: 7985

diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index c039241d4960fdbfa51f1bb3cc7fb8d1da3b94f4..f24c319c1b7f6b71b6e3afb02ed102eb5185d055 100644 (file)
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -88,11 +88,13 @@ struct k_opts
 
     int forwardable;
     int proxiable;
+    int request_pac;
     int anonymous;
     int addresses;
 
     int not_forwardable;
     int not_proxiable;
+    int not_request_pac;
     int no_addresses;
 
     int verbose;
@@ -128,18 +130,6 @@ struct k5_data
    stored in *(struct[2]), the array index which was specified is
    stored in *index, and long_getopt() returns 0. */
 
-struct option long_options[] = {
-    { "noforwardable", 0, NULL, 'F' },
-    { "noproxiable", 0, NULL, 'P' },
-    { "addresses", 0, NULL, 'a'},
-    { "forwardable", 0, NULL, 'f' },
-    { "proxiable", 0, NULL, 'p' },
-    { "noaddresses", 0, NULL, 'A' },
-    { "canonicalize", 0, NULL, 'C' },
-    { "enterprise", 0, NULL, 'E' },
-    { NULL, 0, NULL, 0 }
-};
-
 const char *shopts = "r:fpFPn54aAVl:s:c:kit:T:RS:vX:CEI:";
 
 static void
@@ -152,6 +142,7 @@ usage()
 #define USAGE_LONG_ADDRESSES    " | --addresses | --noaddresses"
 #define USAGE_LONG_CANONICALIZE " | --canonicalize"
 #define USAGE_LONG_ENTERPRISE   " | --enterprise"
+#define USAGE_LONG_REQUESTPAC   "--request-pac | --no-request-pac"
 #define USAGE_BREAK_LONG       USAGE_BREAK
 
     fprintf(stderr, "Usage: %s [-V] "
@@ -165,6 +156,8 @@ usage()
             "-n "
             "[-a | -A" USAGE_LONG_ADDRESSES "] "
             USAGE_BREAK_LONG
+            "[" USAGE_LONG_REQUESTPAC "] "
+            USAGE_BREAK_LONG
             "[-C" USAGE_LONG_CANONICALIZE "] "
             USAGE_BREAK
             "[-E" USAGE_LONG_ENTERPRISE "] "
@@ -254,6 +247,19 @@ parse_options(argc, argv, opts)
     char **argv;
     struct k_opts* opts;
 {
+    struct option long_options[] = {
+        { "noforwardable", 0, NULL, 'F' },
+        { "noproxiable", 0, NULL, 'P' },
+        { "addresses", 0, NULL, 'a'},
+        { "forwardable", 0, NULL, 'f' },
+        { "proxiable", 0, NULL, 'p' },
+        { "noaddresses", 0, NULL, 'A' },
+        { "canonicalize", 0, NULL, 'C' },
+        { "enterprise", 0, NULL, 'E' },
+        { "request-pac", 0, &opts->request_pac, 1 },
+        { "no-request-pac", 0, &opts->not_request_pac, 1 },
+        { NULL, 0, NULL, 0 }
+    };
     krb5_error_code code;
     int errflg = 0;
     int i;
@@ -383,6 +389,9 @@ parse_options(argc, argv, opts)
             break;
         case '5':
             break;
+        case 0:
+            /* If this option set a flag, do nothing else now. */
+            break;
         default:
             errflg++;
             break;
@@ -399,6 +408,12 @@ parse_options(argc, argv, opts)
         fprintf(stderr, _("Only one of -p and -P allowed\n"));
         errflg++;
     }
+    if (opts->request_pac && opts->not_request_pac)
+    {
+        fprintf(stderr, _("Only one of --request-pac and --no-request-pac "
+                          "allowed\n"));
+        errflg++;
+    }
     if (opts->addresses && opts->no_addresses)
     {
         fprintf(stderr, _("Only one of -a and -A allowed\n"));
@@ -727,6 +742,10 @@ k5_kinit(opts, k5)
         krb5_get_init_creds_opt_set_address_list(options, NULL);
     if (opts->armor_ccache)
         krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache);
+    if (opts->request_pac)
+        krb5_get_init_creds_opt_set_pac_request(k5->ctx, options, TRUE);
+    if (opts->not_request_pac)
+        krb5_get_init_creds_opt_set_pac_request(k5->ctx, options, FALSE);
 
 
     if ((opts->action == INIT_KT) && opts->keytab_name)