From 1ec825b28a296d7df11fd9ac83a6c123c7b177ea Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?=
Date: Mon, 26 Sep 2016 19:20:24 +0200
Subject: [PATCH] s3-rpc_server: allow to set minimal auth level for a DCE/RPC service

Guenther

Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Guenther Deschner
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
 source3/rpc_server/rpc_pipes.h | 5 +++++
 source3/rpc_server/srv_pipe.c | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/source3/rpc_server/rpc_pipes.h b/source3/rpc_server/rpc_pipes.h
index d44ee92bd5c..8a8f8e58169 100644
--- a/source3/rpc_server/rpc_pipes.h
+++ b/source3/rpc_server/rpc_pipes.h
@@ -98,6 +98,11 @@ struct pipe_rpc_fns {
 * shall we allow "connect" auth level for this interface ?
 */
 bool allow_connect;
+
+ /*
+ * minimal required auth level
+ */
+ enum dcerpc_AuthLevel min_auth_level;
 };

 /*
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 0633b5fa78c..3af0daf410e 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1357,6 +1357,18 @@ static bool api_pipe_request(struct pipes_struct *p,
 pipe_fns->syntax.if_version);
 SMB_ASSERT(interface_name != NULL);

+ if (p->auth.auth_level < pipe_fns->min_auth_level) {
+
+ DEBUG(1, ("%s: auth level required for %s: 0x%x, got: 0x%0x\n",
+ __func__, interface_name,
+ pipe_fns->min_auth_level,
+ p->auth.auth_level));
+
+ setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
+ TALLOC_FREE(frame);
+ return true;
+ }
+
 switch (p->auth.auth_level) {
 case DCERPC_AUTH_LEVEL_NONE:
 case DCERPC_AUTH_LEVEL_PACKET:
-- 
2.47.2
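Review bot: The comment on `min_auth_level` in struct pipe_rpc_fns does not say what an unset field means, and no assignment to the field appears anywhere in this patch. With the comparison added in api_pipe_request (`p->auth.auth_level < pipe_fns->min_auth_level`), a zero value enforces nothing, so an interface is only protected once its registration code sets the field. The check also relies on struct pipe_rpc_fns being zero-initialised where it is allocated, which is outside this diff and worth confirming. I would extend the comment to something like `/* minimal required auth level; 0 (the zero-initialised default) enforces no minimum */` and add a sentence on how it interacts with `allow_connect`, since both fields now gate the same request path.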
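Review bot: The second conversion in the DEBUG format string is `0x%0x` while the first is `0x%x`; the stray `0` flag has no effect without a field width, so `got: 0x%x` would be the consistent spelling. The `<` test depends on the numeric order of enum dcerpc_AuthLevel tracking increasing protection, which deserves a one-line comment above the `if`, for example `/* auth levels are ordered: a lower value means weaker protection */`. The rejection is logged at level 1, which is useful for spotting clients that try a weaker level than the service demands, but presumably every such request produces a line, so confirm that volume is acceptable on an exposed server. api_pipe_request begins and ends outside this hunk, so the `return true` after `setup_fault_pdu()` could not be checked against the function's other fault paths.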