From: Joseph Sutton Date: Wed, 14 Jun 2023 22:30:34 +0000 (+1200) Subject: s4:kdc: Add functions to create structures of auditing information for authentication... X-Git-Tag: talloc-2.4.1~368 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a3063fb4f59331f43dfb7d6930dbe0f8b383f6b7;p=thirdparty%2Fsamba.git s4:kdc: Add functions to create structures of auditing information for authentication policies Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/auth/authn_policy.h b/auth/authn_policy.h
index bb1d91ec701..2fb405d1390 100644
--- a/auth/authn_policy.h
+++ b/auth/authn_policy.h
@@ -41,6 +41,8 @@ NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_n
 const char *device_account_name,
 const struct authn_ntlm_client_policy *client_policy);
 
+struct authn_audit_info;
+
 enum authn_audit_event {
 AUTHN_AUDIT_EVENT_OK = 0,
 AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION,
diff --git a/source4/kdc/authn_policy_util.c b/source4/kdc/authn_policy_util.c
index c757e77dbf5..fde127e9d17 100644
--- a/source4/kdc/authn_policy_util.c
+++ b/source4/kdc/authn_policy_util.c
@@ -417,6 +417,124 @@ out:
 return ret;
 }
 
+/*
+ * Reference an existing authentication policy onto a talloc context, returning
+ * ‘true’ on success.
+ */
+static bool authn_policy_ref(TALLOC_CTX *mem_ctx,
+ struct authn_policy *policy_out,
+ const struct authn_policy *policy)
+{
+ const char *silo_name = NULL;
+ const char *policy_name = NULL;
+
+ if (policy->silo_name != NULL) {
+ silo_name = talloc_strdup(mem_ctx, policy->silo_name);
+ if (silo_name == NULL) {
+ return false;
+ }
+ }
+
+ if (policy->policy_name != NULL) {
+ policy_name = talloc_strdup(mem_ctx, policy->policy_name);
+ if (policy_name == NULL) {
+ /*
+ * We can’t free ‘silo_name’ here, as it is declared
+ * const. It will be freed with the parent context.
+ */
+ return false;
+ }
+ }
+
+ *policy_out = (struct authn_policy) {
+ .silo_name = silo_name,
+ .policy_name = policy_name,
+ .enforced = policy->enforced,
+ };
+
+ return true;
+}
+
+/* Create a structure containing auditing information. */
+static NTSTATUS _authn_policy_audit_info(TALLOC_CTX *mem_ctx,
+ const struct authn_policy *policy,
+ const struct authn_int64_optional tgt_lifetime_raw,
+ const struct auth_user_info_dc *client_info,
+ const enum authn_audit_event event,
+ const enum authn_audit_reason reason,
+ const NTSTATUS policy_status,
+ const char *location,
+ struct authn_audit_info **audit_info_out)
+{
+ struct authn_audit_info *audit_info = NULL;
+ bool ok;
+
+ if (audit_info_out == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ audit_info = talloc_zero(mem_ctx, struct authn_audit_info);
+ if (audit_info == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (client_info != NULL) {
+ /*
+ * Keep a reference to the client’s user information so that it
+ * is available to be logged later.
+ */
+ audit_info->client_info = talloc_reference(audit_info, client_info);
+ if (audit_info->client_info == NULL) {
+ talloc_free(audit_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (policy != NULL) {
+ audit_info->policy = talloc_zero(audit_info, struct authn_policy);
+ if (audit_info->policy == NULL) {
+ talloc_free(audit_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ok = authn_policy_ref(audit_info, audit_info->policy, policy);
+ if (!ok) {
+ talloc_free(audit_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ audit_info->event = event;
+ audit_info->reason = reason;
+ audit_info->policy_status = policy_status;
+ audit_info->location = location;
+ audit_info->tgt_lifetime_raw = tgt_lifetime_raw;
+
+ *audit_info_out = audit_info;
+ return NT_STATUS_OK;
+}
+
+/* Create a structure containing auditing information. */
+#define authn_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ tgt_lifetime_raw, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ audit_info_out) \
+ _authn_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ tgt_lifetime_raw, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ __location__, \
+ audit_info_out)
+
 /* Return an authentication policy moved onto a talloc context. */
 static struct authn_policy authn_policy_move(TALLOC_CTX *mem_ctx,
 struct authn_policy *policy)
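Review bot: `audit_info->client_info = talloc_reference(audit_info, client_info);` in `_authn_policy_audit_info` gives `client_info` a second talloc parent, and neither the comment above it nor the function header says what that means for the original owner; as I read talloc 2.x, a plain `talloc_free()` of a pointer that still has references is rejected, so the owner must either outlive the audit structure or `talloc_unlink()` it. The early `return NT_STATUS_OK` when `audit_info_out == NULL` also deserves a sentence, because a caller that passes NULL gets success with no audit record produced, and `audit_info->location = location;` stores the pointer uncopied, so it has to be static storage such as the `__location__` literal the `authn_policy_audit_info` macro supplies. I would replace the one-line header with `/* Create a structure containing auditing information as a child of mem_ctx. A NULL audit_info_out is a no-op that returns NT_STATUS_OK; client_info gains a talloc reference, so its owner must not talloc_free() it while the result lives; location is not copied. */`.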
@@ -766,3 +884,89 @@ bool authn_policy_restrictions_present(const struct authn_server_policy *policy)
 {
 return authn_policy_restrictions(policy) != NULL;
 }
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_kerberos_client_policy_audit_info(
+ TALLOC_CTX *mem_ctx,
+ const struct authn_kerberos_client_policy *client_policy,
+ const struct auth_user_info_dc *client_info,
+ const enum authn_audit_event event,
+ const enum authn_audit_reason reason,
+ const NTSTATUS policy_status,
+ const char *location,
+ struct authn_audit_info **audit_info_out)
+{
+ const struct authn_policy *policy = NULL;
+ struct authn_int64_optional tgt_lifetime_raw = authn_int64_none();
+
+ if (client_policy != NULL) {
+ policy = &client_policy->policy;
+ tgt_lifetime_raw = authn_int64_some(client_policy->tgt_lifetime_raw);
+ }
+
+ return _authn_policy_audit_info(mem_ctx,
+ policy,
+ tgt_lifetime_raw,
+ client_info,
+ event,
+ reason,
+ policy_status,
+ location,
+ audit_info_out);
+}
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_ntlm_client_policy_audit_info(
+ TALLOC_CTX *mem_ctx,
+ const struct authn_ntlm_client_policy *client_policy,
+ const struct auth_user_info_dc *client_info,
+ const enum authn_audit_event event,
+ const enum authn_audit_reason reason,
+ const NTSTATUS policy_status,
+ const char *location,
+ struct authn_audit_info **audit_info_out)
+{
+ const struct authn_policy *policy = NULL;
+
+ if (client_policy != NULL) {
+ policy = &client_policy->policy;
+ }
+
+ return _authn_policy_audit_info(mem_ctx,
+ policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ client_info,
+ event,
+ reason,
+ policy_status,
+ location,
+ audit_info_out);
+}
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_server_policy_audit_info(
+ TALLOC_CTX *mem_ctx,
+ const struct authn_server_policy *server_policy,
+ const struct auth_user_info_dc *client_info,
+ const enum authn_audit_event event,
+ const enum authn_audit_reason reason,
+ const NTSTATUS policy_status,
+ const char *location,
+ struct authn_audit_info **audit_info_out)
+{
+ const struct authn_policy *policy = NULL;
+
+ if (server_policy != NULL) {
+ policy = &server_policy->policy;
+ }
+
+ return _authn_policy_audit_info(mem_ctx,
+ policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ client_info,
+ event,
+ reason,
+ policy_status,
+ location,
+ audit_info_out);
+}
diff --git a/source4/kdc/authn_policy_util.h b/source4/kdc/authn_policy_util.h
index a481d4d1543..71f4e2a73b5 100644
--- a/source4/kdc/authn_policy_util.h
+++ b/source4/kdc/authn_policy_util.h
@@ -46,6 +46,8 @@ int authn_policy_get_assigned_silo(struct ldb_context *samdb,
 const struct ldb_message **silo_msg_out,
 bool *is_enforced);
 
+struct auth_user_info_dc;
+
 /* Authentication policies for Kerberos clients. */
 
 /*
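Review bot: The three exported functions `_authn_kerberos_client_policy_audit_info`, `_authn_ntlm_client_policy_audit_info` and `_authn_server_policy_audit_info` carry the same one-line comment, which tells a caller nothing about the NULL handling they add: a NULL `client_policy` or `server_policy` produces audit info with no policy and, for the Kerberos variant, `tgt_lifetime_raw` left at `authn_int64_none()`, while `_authn_policy_audit_info` allocates `*audit_info_out` on `mem_ctx` for the caller to own. For the Kerberos variant I would write `/* Create auditing information for a Kerberos client policy; client_policy may be NULL, in which case no policy and no TGT lifetime are recorded. *audit_info_out is allocated on mem_ctx and is owned by the caller. */`, with the corresponding wording on the other two. Since these are the public entry points reached through the header macros, this is where a caller will look for that contract.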
@@ -87,4 +89,94 @@ int authn_policy_server(struct ldb_context *samdb,
 /* Return whether an authentication policy enforces restrictions. */
 bool authn_policy_restrictions_present(const struct authn_server_policy *policy);
 
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_kerberos_client_policy_audit_info(
+ TALLOC_CTX *mem_ctx,
+ const struct authn_kerberos_client_policy *client_policy,
+ const struct auth_user_info_dc *client_info,
+ enum authn_audit_event event,
+ enum authn_audit_reason reason,
+ NTSTATUS policy_status,
+ const char *location,
+ struct authn_audit_info **audit_info_out);
+
+/* Create a structure containing auditing information. */
+#define authn_kerberos_client_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ audit_info_out) \
+ _authn_kerberos_client_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ __location__, \
+ audit_info_out)
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_ntlm_client_policy_audit_info(
+ TALLOC_CTX *mem_ctx,
+ const struct authn_ntlm_client_policy *policy,
+ const struct auth_user_info_dc *client_info,
+ enum authn_audit_event event,
+ enum authn_audit_reason reason,
+ NTSTATUS policy_status,
+ const char *location,
+ struct authn_audit_info **audit_info_out);
+
+/* Create a structure containing auditing information. */
+#define authn_ntlm_client_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ audit_info_out) \
+ _authn_ntlm_client_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ __location__, \
+ audit_info_out)
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_server_policy_audit_info(
+ TALLOC_CTX *mem_ctx,
+ const struct authn_server_policy *policy,
+ const struct auth_user_info_dc *client_info,
+ enum authn_audit_event event,
+ enum authn_audit_reason reason,
+ NTSTATUS policy_status,
+ const char *location,
+ struct authn_audit_info **audit_info_out);
+
+/* Create a structure containing auditing information. */
+#define authn_server_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ audit_info_out) \
+ _authn_server_policy_audit_info( \
+ mem_ctx, \
+ policy, \
+ client_info, \
+ event, \
+ reason, \
+ policy_status, \
+ __location__, \
+ audit_info_out)
+
 #endif
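Review bot: The prototypes for `_authn_ntlm_client_policy_audit_info` and `_authn_server_policy_audit_info` name their second parameter `policy`, while the definitions in `source4/kdc/authn_policy_util.c` call it `client_policy` and `server_policy` and the Kerberos prototype just above already says `client_policy`; I would change the two lines to `const struct authn_ntlm_client_policy *client_policy,` and `const struct authn_server_policy *server_policy,` so the header reads consistently with the implementation. The comment on each prototype is also word-for-word the comment on its macro, which hides the one distinction a caller needs: the macro fills in `__location__` and is the intended entry point, and the underscore-prefixed function exists to serve it. I would write the three prototype comments as `/* Create a structure containing auditing information. Call via the authn_*_policy_audit_info() macro, which supplies the call site as ‘location’. */`.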