From: Stefan Metzmacher Date: Wed, 29 Jan 2025 10:17:42 +0000 (+0100) Subject: s4:auth: split auth_user_info_dc_expand_sids() out of auth_generate_security_token() X-Git-Tag: tevent-0.17.0~778 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef7ff8bc16005876fb21420e6ae6a649c51059e9;p=thirdparty%2Fsamba.git s4:auth: split auth_user_info_dc_expand_sids() out of auth_generate_security_token() This way we'll be able to reuse it for the device sids in the next commit. Signed-off-by: Stefan Metzmacher Reviewed-by: Jennifer Sutton --- diff --git a/source4/auth/session.c b/source4/auth/session.c index 8f5d58b3437..8c51a9fcacb 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -52,34 +52,29 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, return session_info; } -_PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */ - struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ - const struct auth_user_info_dc *user_info_dc, - const struct auth_user_info_dc *device_info_dc, - const struct auth_claims auth_claims, - uint32_t session_info_flags, - struct security_token **_security_token) +static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct ldb_context *sam_ctx, + const struct auth_user_info_dc *user_info_dc, + uint32_t session_info_flags, + struct auth_SidAttr **_sids, + uint32_t *_num_sids) { - struct security_token *security_token = NULL; + TALLOC_CTX *frame = talloc_stackframe(); NTSTATUS nt_status; - uint32_t i; + struct auth_SidAttr *sids = NULL; uint32_t num_sids = 0; - uint32_t num_device_sids = 0; + uint32_t i; const char *filter = NULL; - struct auth_SidAttr *sids = NULL; - struct auth_SidAttr *device_sids = NULL; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - if (tmp_ctx == NULL) { - return NT_STATUS_NO_MEMORY; - } - sids = talloc_array(tmp_ctx, struct auth_SidAttr, user_info_dc->num_sids); + sids = talloc_array(mem_ctx, + struct auth_SidAttr, + user_info_dc->num_sids); if (sids == NULL) { - TALLOC_FREE(tmp_ctx); + TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } + talloc_steal(frame, sids); num_sids = user_info_dc->num_sids; @@ -94,86 +89,160 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx, */ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { - sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 2); + sids = talloc_realloc(frame, + sids, + struct auth_SidAttr, + num_sids + 2); if (sids == NULL) { - TALLOC_FREE(tmp_ctx); + TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - sid_copy(&sids[num_sids].sid, &global_sid_World); - sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS; + sids[num_sids] = (struct auth_SidAttr) { + .sid = global_sid_World, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; num_sids++; - sid_copy(&sids[num_sids].sid, &global_sid_Network); - sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS; + sids[num_sids] = (struct auth_SidAttr) { + .sid = global_sid_Network, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; num_sids++; } if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { - sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 1); + sids = talloc_realloc(frame, + sids, + struct auth_SidAttr, + num_sids + 1); if (sids == NULL) { - TALLOC_FREE(tmp_ctx); + TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - sid_copy(&sids[num_sids].sid, &global_sid_Authenticated_Users); - sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS; + sids[num_sids] = (struct auth_SidAttr) { + .sid = global_sid_Authenticated_Users, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; num_sids++; } if (session_info_flags & AUTH_SESSION_INFO_NTLM) { - sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 1); + sids = talloc_realloc(frame, + sids, + struct auth_SidAttr, + num_sids + 1); if (sids == NULL) { - TALLOC_FREE(tmp_ctx); + TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } - if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids].sid)) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_INTERNAL_ERROR; - } - sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS; + sids[num_sids] = (struct auth_SidAttr) { + .sid = global_sid_NTLM_Authentication, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; num_sids++; } - if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(&global_sid_Anonymous, &sids[PRIMARY_USER_SID_INDEX].sid)) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(&global_sid_System, &sids[PRIMARY_USER_SID_INDEX].sid)) { + goto done; + } + + if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(&global_sid_System, &sids[PRIMARY_USER_SID_INDEX].sid)) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (sam_ctx != NULL) { - filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:"LDB_OID_COMPARATOR_AND":=%u))", - GROUP_TYPE_BUILTIN_LOCAL_GROUP); - - /* Search for each group in the token */ - for (i = 0; i < num_sids; i++) { - struct dom_sid_buf buf; - const char *sid_dn; - DATA_BLOB sid_blob; - - sid_dn = talloc_asprintf( - tmp_ctx, - "", - dom_sid_str_buf(&sids[i].sid, &buf)); - if (sid_dn == NULL) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - sid_blob = data_blob_string_const(sid_dn); - - /* This function takes in memberOf values and expands - * them, as long as they meet the filter - so only - * builtin groups - * - * We already have the SID in the token, so set - * 'only childs' flag to true */ - nt_status = dsdb_expand_nested_groups(sam_ctx, &sid_blob, true, filter, - tmp_ctx, &sids, &num_sids); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } + goto done; + } + if (sam_ctx == NULL) { + /* Don't expand nested groups of system, anonymous etc*/ + goto done; + } + + filter = talloc_asprintf(frame, + "(&(objectClass=group)(groupType:"LDB_OID_COMPARATOR_AND":=%u))", + GROUP_TYPE_BUILTIN_LOCAL_GROUP); + if (filter == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* Search for each group in the token */ + for (i = 0; i < num_sids; i++) { + struct dom_sid_buf buf; + const char *sid_dn; + DATA_BLOB sid_blob; + + sid_dn = talloc_asprintf( + frame, + "", + dom_sid_str_buf(&sids[i].sid, &buf)); + if (sid_dn == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; } + sid_blob = data_blob_string_const(sid_dn); + + /* + * This function takes in memberOf values and expands + * them, as long as they meet the filter - so only + * builtin groups + * + * We already have the SID in the token, so set + * 'only childs' flag to true + */ + nt_status = dsdb_expand_nested_groups(sam_ctx, + &sid_blob, + true, + filter, + frame, + &sids, + &num_sids); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(frame); + return nt_status; + } + } + +done: + *_sids = talloc_move(mem_ctx, &sids); + *_num_sids = num_sids; + TALLOC_FREE(frame); + return NT_STATUS_OK; +} + +_PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */ + struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ + const struct auth_user_info_dc *user_info_dc, + const struct auth_user_info_dc *device_info_dc, + const struct auth_claims auth_claims, + uint32_t session_info_flags, + struct security_token **_security_token) +{ + struct security_token *security_token = NULL; + NTSTATUS nt_status; + uint32_t i; + uint32_t num_sids = 0; + uint32_t num_device_sids = 0; + struct auth_SidAttr *sids = NULL; + struct auth_SidAttr *device_sids = NULL; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = auth_user_info_dc_expand_sids(tmp_ctx, + lp_ctx, + sam_ctx, + user_info_dc, + session_info_flags, + &sids, + &num_sids); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(tmp_ctx); + return nt_status; } if (device_info_dc != NULL) {