From: Stefan Metzmacher Date: Wed, 19 Feb 2025 23:31:36 +0000 (+0100) Subject: s4:dsdb/common: add dsdb_trust_get_claims_tf_policy() X-Git-Tag: tevent-0.17.0~640 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0da3bb7feb977e3cf0cd9a83de74eb041e997e05;p=thirdparty%2Fsamba.git s4:dsdb/common: add dsdb_trust_get_claims_tf_policy() Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- diff --git a/source4/dsdb/common/util_trusts.c b/source4/dsdb/common/util_trusts.c index a184ba6b934..34ad72f85f1 100644 --- a/source4/dsdb/common/util_trusts.c +++ b/source4/dsdb/common/util_trusts.c @@ -36,6 +36,7 @@ #include "../lib/util/dlinklist.h" #include "lib/crypto/md4.h" #include "libcli/ldap/ldap_ndr.h" +#include "libcli/security/claims_transformation.h" #undef strcasecmp @@ -3246,3 +3247,112 @@ const struct lsa_TrustDomainInfoInfoEx *dsdb_trust_domain_by_name( return NULL; } + +NTSTATUS dsdb_trust_get_claims_tf_policy(struct ldb_context *samldb, + const struct ldb_message *tdo_msg, + const char *tdo_attr, + TALLOC_CTX *mem_ctx, + struct claims_tf_rule_set **_rule_set) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const struct ldb_val *tdo_link_val = NULL; + struct ldb_dn *config_dn = NULL; + struct ldb_dn *claims_tf_dn = NULL; + struct ldb_dn *policy_dn = NULL; + struct ldb_message *policy_msg = NULL; + static const char * const policy_attrs[] = { + "msDS-TransformationRules", + NULL + }; + const struct ldb_val *xml_blob = NULL; + DATA_BLOB rules_blob = { .length = 0, }; + struct claims_tf_rule_set *rule_set = NULL; + int cmp; + bool ok; + int ret; + + *_rule_set = NULL; + + tdo_link_val = ldb_msg_find_ldb_val(tdo_msg, tdo_attr); + if (tdo_link_val == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_DS_NO_ATTRIBUTE_OR_VALUE; + } + + config_dn = ldb_get_config_basedn(samldb); + if (config_dn == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_DS_INIT_FAILURE; + } + + claims_tf_dn = ldb_dn_copy(frame, config_dn); + if (claims_tf_dn == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + ok = ldb_dn_add_child_fmt(claims_tf_dn, + "%s,%s,%s", + "CN=Claims Transformation Policies", + "CN=Claims Configuration", + "CN=Services"); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + policy_dn = ldb_msg_find_attr_as_dn(samldb, frame, tdo_msg, tdo_attr); + if (policy_dn == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* + * The policy dn needs to be a child of + * the CN=Claims Transformation Policies container + */ + cmp = ldb_dn_compare_base(claims_tf_dn, policy_dn); + if (cmp != 0) { + TALLOC_FREE(frame); + return NT_STATUS_DS_OBJ_CLASS_VIOLATION; + } + + ret = dsdb_search_one(samldb, + frame, + &policy_msg, + policy_dn, + LDB_SCOPE_BASE, + policy_attrs, + DSDB_SEARCH_ONE_ONLY, + "(objectClass=msDS-ClaimsTransformationPolicyType)"); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(frame); + return NT_STATUS_POLICY_OBJECT_NOT_FOUND; + } + + xml_blob = ldb_msg_find_ldb_val(policy_msg, "msDS-TransformationRules"); + if (xml_blob == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_DS_NO_ATTRIBUTE_OR_VALUE; + } + + ok = claims_tf_policy_unwrap_xml(xml_blob, + &rules_blob); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_DS_INVALID_ATTRIBUTE_SYNTAX; + } + + ok = claims_tf_rule_set_parse_blob(&rules_blob, + frame, + &rule_set, + NULL); /* _error_string */ + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_DS_INVALID_ATTRIBUTE_SYNTAX; + } + + *_rule_set = talloc_move(mem_ctx, &rule_set); + TALLOC_FREE(frame); + return NT_STATUS_OK; +} diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index ec07cae6ad3..dac80adc6b5 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -35,6 +35,7 @@ struct gmsa_update_pwd_part; struct gmsa_update; struct gmsa_return_pwd; struct KeyEnvelope; +struct claims_tf_rule_set; enum dsdb_password_checked { DSDB_PASSWORD_NOT_CHECKED = 0, /* unused */