From: Ken Raeburn Date: Thu, 29 Jan 2009 23:06:31 +0000 (+0000) Subject: Support -n (dry-run) and -v (verbose) options for update_princ_encryption X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c05ae15a632e07a8dfc6072715a71d338b77a2f;p=thirdparty%2Fkrb5.git Support -n (dry-run) and -v (verbose) options for update_princ_encryption git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21833 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index 58bfa7830e..18667feae5 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -707,6 +707,8 @@ struct update_enc_mkvno {
     unsigned int re_match_count;
     unsigned int already_current;
     unsigned int updated;
+    unsigned int dry_run : 1;
+    unsigned int verbose : 1;
 #ifdef SOLARIS_REGEXPS
     char *expbuf;
 #endif
@@ -845,10 +847,22 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent)
                 pname);
         goto fail;
     }
+    /* Line up "skip" and "update" messages for viewing. */
     if (old_mkvno == new_mkvno) {
+        if (p->dry_run && p->verbose)
+            printf("would skip: %s\n", pname);
+        else if (p->verbose)
+            printf("skipping: %s\n", pname);
         p->already_current++;
         goto skip;
     }
+    if (p->dry_run) {
+        if (p->verbose)
+            printf("would update: %s\n", pname);
+        p->updated++;
+        goto skip;
+    } else if (p->verbose)
+        printf("updating: %s\n", pname);
     retval = master_key_convert (util_context, ent);
     if (retval) {
         com_err(progname, retval,
@@ -928,11 +942,17 @@ kdb5_update_princ_encryption(int argc, char *argv[])
     char *regexp = NULL;
     krb5_keyblock *tmp_keyblock = NULL;
 
-    while ((optchar = getopt(argc, argv, "f")) != -1) {
+    while ((optchar = getopt(argc, argv, "fnv")) != -1) {
         switch (optchar) {
         case 'f':
             force = 1;
             break;
+        case 'n':
+            data.dry_run = 1;
+            break;
+        case 'v':
+            data.verbose = 1;
+            break;
         case '?':
         case ':':
         default:
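Review bot: The new `if (p->dry_run) {` arm braces its body while the `else if (p->verbose)` arm does not, and the skip branch above it tests `p->verbose` in both halves of the `if (p->dry_run && p->verbose) ... else if (p->verbose)` chain; a single guard with the verb chosen inside reads more directly and keeps the format string literal, e.g. `if (p->verbose) printf("%s: %s\n", p->dry_run ? "would skip" : "skipping", pname);`. In dry-run mode `p->updated++` runs before `goto skip` without master_key_convert ever being attempted, so the final "would be updated" count includes entries whose real conversion could still fail; a one-line comment there, `/* Counted as "would update"; the conversion itself is not attempted in dry-run mode. */`, would make that explicit. update_princ_encryption_1 begins and ends outside the hunk.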
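Review bot: `data.dry_run = 1` and `data.verbose = 1` are the only writes to the new bit-fields visible here, and the declaration of `data` sits above the hunk; unless it is zero-initialized there (`= {0}` or a memset), both flags are indeterminate whenever `-n`/`-v` are not given, and the existing counters in `struct update_enc_mkvno` would share that problem. Worth confirming against the declaration, and a comment on it such as `/* zero-initialized: dry_run and verbose default to off */` would document the assumption. kdb5_update_princ_encryption continues outside the hunk.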
@@ -980,8 +1000,7 @@ kdb5_update_princ_encryption(int argc, char *argv[])
 #ifdef BSD_REGEXPS
         ((msg = (char *) re_comp(regexp)) != NULL)
 #endif
-        )
-    {
+        ) {
         /* XXX syslog msg or regerr(regerrno) */
         com_err(progname, 0, "error compiling converted regexp '%s'", regexp);
         free(regexp);
@@ -1028,12 +1047,21 @@ kdb5_update_princ_encryption(int argc, char *argv[])
     new_master_keyblock = *tmp_keyblock;
 
     if (!force &&
+        !data.dry_run &&
         !are_you_sure("Re-encrypt all keys not using master key vno %u?",
                       new_mkvno)) {
         printf("OK, doing nothing.\n");
         exit_status++;
         goto cleanup;
     }
+    if (data.verbose) {
+        if (data.dry_run)
+            printf("Principals whose keys WOULD BE re-encrypted to master key vno %u:\n",
+                   new_mkvno);
+        else
+            printf("Principals whose keys are being re-encrypted to master key vno %u if necessary:\n",
+                   new_mkvno);
+    }
     retval = krb5_db_iterate(util_context, name_pattern,
                              update_princ_encryption_1, &data);
@@ -1044,8 +1072,12 @@ kdb5_update_princ_encryption(int argc, char *argv[])
         exit_status++;
     }
     (void) krb5_db_fini(util_context);
-    printf("%u principals processed: %u updated, %u already current\n",
-           data.re_match_count, data.updated, data.already_current);
+    if (data.dry_run)
+        printf("%u principals processed: %u would be updated, %u already current\n",
+               data.re_match_count, data.updated, data.already_current);
+    else
+        printf("%u principals processed: %u updated, %u already current\n",
+               data.re_match_count, data.updated, data.already_current);
 
 cleanup:
     free(regexp);
diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M
index fc57ffb193..294357fc97 100644
--- a/src/kadmin/dbutil/kdb5_util.M
+++ b/src/kadmin/dbutil/kdb5_util.M
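Review bot: The added `!data.dry_run &&` clause makes `-n` imply `-f` by skipping the are_you_sure prompt, but the code gives no hint of that intent; only kdb5_util.M explains it, so a comment on the condition would help, e.g. `/* -n never writes to the database, so no confirmation is needed (implies -f). */`. The verbose banner just below is printed before `krb5_db_iterate` is called, so it is emitted even when the iteration then fails at once, and the non-dry-run wording "are being re-encrypted ... if necessary" then overstates what happened; acceptable, but worth knowing. The two new `printf` format lines also run past 80 columns, which the rest of the visible code keeps to. The enclosing function continues outside the hunk.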
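Review bot: The two `printf` branches of the summary differ in a single word, so the format and its three arguments are duplicated; one call with the verb passed as a `%s` argument keeps the format literal and avoids the copy: `printf("%u principals processed: %u %s, %u already current\n", data.re_match_count, data.updated, data.dry_run ? "would be updated" : "updated", data.already_current);`. If the `exit_status++` above is the krb5_db_iterate error path, the summary is also printed after a failed iteration with partial counts (as the old code did); a comment such as `/* Counts may be partial if the iteration failed above. */` would make that clear. kdb5_update_princ_encryption continues past `free(regexp);` outside the hunk.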
@@ -225,14 +225,26 @@ This option needs documentation.
 \fBlist_mkeys\fP
 This option needs documentation.
 .TP
-\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fBprinc\-pattern\fP]
+\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP]
 Update all principal records (or only those matching the
 .B princ\-pattern
 glob pattern) to re-encrypt the key data using the latest version of
-the database master key, if they are encrypted using older versions.
+the database master key, if they are encrypted using older versions,
+and give a count at the end of the number of principals updated.
 If the
 .B \-f
 option is not given, ask for confirmation before starting to make
-changes.
+changes. The
+.B \-v
+option causes each principal processed (each one matching the pattern)
+to be listed, and an indication given as to whether it needed updating
+or not.
+The
+.B \-n
+option causes the actions not to be taken, only the normal or verbose
+status messages displayed; this implies
+.B \-f
+since no database changes will be performed and thus there's little
+reason to seek confirmation.
 .SH SEE ALSO
 kadmin(8)
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 86e230a093..460160a048 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -98,7 +98,7 @@ void usage()
             "\tadd_mkey [-e etype] [-s]\n"
             "\tuse_mkey kvno [time]\n"
             "\tlist_mkeys\n"
-            "\tupdate_princ_encryption [-f] [princ-pattern]\n"
+            "\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n"
             );
     /* avoid a string length compiler warning */
     fprintf(stderr,