/src/samba/auth/authn_policy.c

Source
/*
   Unix SMB/CIFS implementation.
   Samba Active Directory authentication policy functions

   Copyright (C) Catalyst.Net Ltd 2023

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "lib/replace/replace.h"
#include "auth/authn_policy.h"
#include "auth/authn_policy_impl.h"

bool authn_policy_is_enforced(const struct authn_policy *policy)
{
  return policy->enforced;
}

/* Authentication policies for Kerberos clients. */

/* Is an authentication policy enforced? */
bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
{
  return authn_policy_is_enforced(&policy->policy);
}

/* Get the raw TGT lifetime enforced by an authentication policy. */
int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
{
  if (policy == NULL) {
    return 0;
  }

  if (!authn_policy_is_enforced(&policy->policy)) {
    return 0;
  }

  return policy->tgt_lifetime_raw;
}

/* Auditing information. */

enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
{
  bool is_enforced;

  if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
    /* We didn’t get an error. */
    return AUTH_EVT_ID_NONE;
  }

  if (audit_info->policy == NULL) {
    /*
     * We got an error, but there’s no policy, so it must have
     * stemmed from something else.
     */
    return AUTH_EVT_ID_NONE;
  }

  is_enforced = authn_policy_is_enforced(audit_info->policy);

  switch (audit_info->event) {
  case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
    if (is_enforced) {
      return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION;
    }

    return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;

  case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
    if (is_enforced) {
      return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION;
    }

    return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;

  case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
    if (is_enforced) {
      return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION;
    }

    /* No relevant event ID. */
    break;

  case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
  case AUTHN_AUDIT_EVENT_OTHER_ERROR:
  default:
    /* No relevant event ID. */
    break;
  }

  return AUTH_EVT_ID_NONE;
}

const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info)
{
  if (audit_info->policy == NULL) {
    return NULL;
  }

  return audit_info->policy->silo_name;
}

const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info)
{
  if (audit_info->policy == NULL) {
    return NULL;
  }

  return audit_info->policy->policy_name;
}

const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info)
{
  if (audit_info->policy == NULL) {
    return NULL;
  }

  return &audit_info->policy->enforced;
}

const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info)
{
  return audit_info->client_info;
}

const char *authn_audit_info_event(const struct authn_audit_info *audit_info)
{
  switch (audit_info->event) {
  case AUTHN_AUDIT_EVENT_OK:
    return "OK";
  case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
    return "KERBEROS_DEVICE_RESTRICTION";
  case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
    return "KERBEROS_SERVER_RESTRICTION";
  case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
    return "NTLM_DEVICE_RESTRICTION";
  case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
    return "NTLM_SERVER_RESTRICTION";
  case AUTHN_AUDIT_EVENT_OTHER_ERROR:
  default:
    return "OTHER_ERROR";
  }
}

const char *authn_audit_info_reason(const struct authn_audit_info *audit_info)
{
  switch (audit_info->reason) {
  case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID:
    return "DESCRIPTOR_INVALID";
  case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER:
    return "DESCRIPTOR_NO_OWNER";
  case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE:
    return "SECURITY_TOKEN_FAILURE";
  case AUTHN_AUDIT_REASON_ACCESS_DENIED:
    return "ACCESS_DENIED";
  case AUTHN_AUDIT_REASON_FAST_REQUIRED:
    return "FAST_REQUIRED";
  case AUTHN_AUDIT_REASON_NONE:
  default:
    return NULL;
  }
}

NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
{
  return audit_info->policy_status;
}

const char *authn_audit_info_location(const struct authn_audit_info *audit_info)
{
  return audit_info->location;
}

struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
{
  int64_t lifetime;

  if (!audit_info->tgt_lifetime_raw.is_present) {
    return authn_int64_none();
  }

  lifetime = audit_info->tgt_lifetime_raw.val;
  lifetime /= INT64_C(1000) * 1000 * 10 * 60;

  return authn_int64_some(lifetime);
}

Line	Count	Source
1		/*
2		Unix SMB/CIFS implementation.
3		Samba Active Directory authentication policy functions
4
5		Copyright (C) Catalyst.Net Ltd 2023
6
7		This program is free software; you can redistribute it and/or modify
8		it under the terms of the GNU General Public License as published by
9		the Free Software Foundation; either version 3 of the License, or
10		(at your option) any later version.
11
12		This program is distributed in the hope that it will be useful,
13		but WITHOUT ANY WARRANTY; without even the implied warranty of
14		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15		GNU General Public License for more details.
16
17		You should have received a copy of the GNU General Public License
18		along with this program. If not, see <http://www.gnu.org/licenses/>.
19		*/
20
21		#include "lib/replace/replace.h"
22		#include "auth/authn_policy.h"
23		#include "auth/authn_policy_impl.h"
24
25		bool authn_policy_is_enforced(const struct authn_policy *policy)
26	0	{
27	0	return policy->enforced;
28	0	}
29
30		/* Authentication policies for Kerberos clients. */
31
32		/* Is an authentication policy enforced? */
33		bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
34	0	{
35	0	return authn_policy_is_enforced(&policy->policy);
36	0	}
37
38		/* Get the raw TGT lifetime enforced by an authentication policy. */
39		int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
40	0	{
41	0	if (policy == NULL) {
42	0	return 0;
43	0	}
44
45	0	if (!authn_policy_is_enforced(&policy->policy)) {
46	0	return 0;
47	0	}
48
49	0	return policy->tgt_lifetime_raw;
50	0	}
51
52		/* Auditing information. */
53
54		enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
55	0	{
56	0	bool is_enforced;
57
58	0	if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
59		/* We didn’t get an error. */
60	0	return AUTH_EVT_ID_NONE;
61	0	}
62
63	0	if (audit_info->policy == NULL) {
64		/*
65		* We got an error, but there’s no policy, so it must have
66		* stemmed from something else.
67		*/
68	0	return AUTH_EVT_ID_NONE;
69	0	}
70
71	0	is_enforced = authn_policy_is_enforced(audit_info->policy);
72
73	0	switch (audit_info->event) {
74	0	case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
75	0	if (is_enforced) {
76	0	return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION;
77	0	}
78
79	0	return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;
80
81	0	case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
82	0	if (is_enforced) {
83	0	return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION;
84	0	}
85
86	0	return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;
87
88	0	case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
89	0	if (is_enforced) {
90	0	return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION;
91	0	}
92
93		/* No relevant event ID. */
94	0	break;
95
96	0	case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
97	0	case AUTHN_AUDIT_EVENT_OTHER_ERROR:
98	0	default:
99		/* No relevant event ID. */
100	0	break;
101	0	}
102
103	0	return AUTH_EVT_ID_NONE;
104	0	}
105
106		const char authn_audit_info_silo_name(const struct authn_audit_info audit_info)
107	0	{
108	0	if (audit_info->policy == NULL) {
109	0	return NULL;
110	0	}
111
112	0	return audit_info->policy->silo_name;
113	0	}
114
115		const char authn_audit_info_policy_name(const struct authn_audit_info audit_info)
116	0	{
117	0	if (audit_info->policy == NULL) {
118	0	return NULL;
119	0	}
120
121	0	return audit_info->policy->policy_name;
122	0	}
123
124		const bool authn_audit_info_policy_enforced(const struct authn_audit_info audit_info)
125	0	{
126	0	if (audit_info->policy == NULL) {
127	0	return NULL;
128	0	}
129
130	0	return &audit_info->policy->enforced;
131	0	}
132
133		const struct auth_user_info_dc authn_audit_info_client_info(const struct authn_audit_info audit_info)
134	0	{
135	0	return audit_info->client_info;
136	0	}
137
138		const char authn_audit_info_event(const struct authn_audit_info audit_info)
139	0	{
140	0	switch (audit_info->event) {
141	0	case AUTHN_AUDIT_EVENT_OK:
142	0	return "OK";
143	0	case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
144	0	return "KERBEROS_DEVICE_RESTRICTION";
145	0	case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
146	0	return "KERBEROS_SERVER_RESTRICTION";
147	0	case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
148	0	return "NTLM_DEVICE_RESTRICTION";
149	0	case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
150	0	return "NTLM_SERVER_RESTRICTION";
151	0	case AUTHN_AUDIT_EVENT_OTHER_ERROR:
152	0	default:
153	0	return "OTHER_ERROR";
154	0	}
155	0	}
156
157		const char authn_audit_info_reason(const struct authn_audit_info audit_info)
158	0	{
159	0	switch (audit_info->reason) {
160	0	case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID:
161	0	return "DESCRIPTOR_INVALID";
162	0	case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER:
163	0	return "DESCRIPTOR_NO_OWNER";
164	0	case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE:
165	0	return "SECURITY_TOKEN_FAILURE";
166	0	case AUTHN_AUDIT_REASON_ACCESS_DENIED:
167	0	return "ACCESS_DENIED";
168	0	case AUTHN_AUDIT_REASON_FAST_REQUIRED:
169	0	return "FAST_REQUIRED";
170	0	case AUTHN_AUDIT_REASON_NONE:
171	0	default:
172	0	return NULL;
173	0	}
174	0	}
175
176		NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
177	0	{
178	0	return audit_info->policy_status;
179	0	}
180
181		const char authn_audit_info_location(const struct authn_audit_info audit_info)
182	0	{
183	0	return audit_info->location;
184	0	}
185
186		struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
187	0	{
188	0	int64_t lifetime;
189
190	0	if (!audit_info->tgt_lifetime_raw.is_present) {
191	0	return authn_int64_none();
192	0	}
193
194	0	lifetime = audit_info->tgt_lifetime_raw.val;
195	0	lifetime /= INT64_C(1000) * 1000 * 10 * 60;
196
197	0	return authn_int64_some(lifetime);
198	0	}

Coverage Report

Created: 2026-02-14 07:07