KDC: implement transition check for trusted domains

When client principal requests for a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.

In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.

Part of https://fedorahosted.org/freeipa/ticket/3909

daemons/ipa-kdb/ipa_kdb.c

@@ -602,7 +602,7 @@ kdb_vftabl kdb_function_table = {
     NULL,                               /* decrypt_key_data */
     NULL,                               /* encrypt_key_data */
     ipadb_sign_authdata,                /* sign_authdata */
-    NULL,                               /* check_transited_realms */
+    ipadb_check_transited_realms,       /* check_transited_realms */
     ipadb_check_policy_as,              /* check_policy_as */
     NULL,                               /* check_policy_tgs */
     ipadb_audit_as_req,                 /* audit_as_req */

daemons/ipa-kdb/ipa_kdb.h

@@ -253,7 +253,10 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit);
 
 void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
-
+krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+					     const krb5_data *tr_contents,
+					     const krb5_data *client_realm,
+					     const krb5_data *server_realm);
 /* DELEGATION CHECKS */
 
 krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,

daemons/ipa-kdb/ipa_kdb_mspac.c

@@ -2490,3 +2490,66 @@ done:
     ldap_msgfree(result);
     return kerr;
 }
+
+krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+					     const krb5_data *tr_contents,
+					     const krb5_data *client_realm,
+					     const krb5_data *server_realm)
+{
+	struct ipadb_context *ipactx;
+	bool has_transited_contents, has_client_realm, has_server_realm;
+        int i;
+        krb5_error_code ret;
+
+        ipactx = ipadb_get_context(kcontext);
+        if (!ipactx || !ipactx->mspac) {
+            return KRB5_KDB_DBNOTINITED;
+        }
+
+	has_transited_contents = false;
+	has_client_realm = false;
+	has_server_realm = false;
+
+	/* First, compare client or server realm with ours */
+	if (strncasecmp(client_realm->data, ipactx->realm, client_realm->length) == 0) {
+		has_client_realm = true;
+	}
+	if (strncasecmp(server_realm->data, ipactx->realm, server_realm->length) == 0) {
+		has_server_realm = true;
+	}
+
+	if ((tr_contents->length == 0) || (tr_contents->data[0] == '\0')) {
+		/* For in-realm case allow transition */
+		if (has_client_realm && has_server_realm) {
+			return 0;
+		}
+		/* Since transited realm is empty, we don't need to check for it, it is a direct trust case */
+		has_transited_contents = true;
+	}
+
+	if (!ipactx->mspac || !ipactx->mspac->trusts) {
+		return KRB5_PLUGIN_NO_HANDLE;
+	}
+
+	/* Iterate through list of trusts and check if any of input belongs to any of the trust */
+	for(i=0; i < ipactx->mspac->num_trusts ; i++) {
+		if (!has_transited_contents &&
+		    (strncasecmp(tr_contents->data, ipactx->mspac->trusts[i].domain_name, tr_contents->length) == 0)) {
+			has_transited_contents = true;
+		}
+		if (!has_client_realm &&
+		    (strncasecmp(client_realm->data, ipactx->mspac->trusts[i].domain_name, client_realm->length) == 0)) {
+			has_client_realm = true;
+		}
+		if (!has_server_realm &&
+		    (strncasecmp(server_realm->data, ipactx->mspac->trusts[i].domain_name, server_realm->length) == 0)) {
+			has_server_realm = true;
+		}
+	}
+
+	ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	if (has_client_realm && has_transited_contents && has_server_realm) {
+		ret = 0;
+	}
+	return ret;
+}