Line data Source code
1 : /* 2 : Unix SMB/CIFS implementation. 3 : Samba Active Directory authentication policy functions 4 : 5 : Copyright (C) Catalyst.Net Ltd 2023 6 : 7 : This program is free software; you can redistribute it and/or modify 8 : it under the terms of the GNU General Public License as published by 9 : the Free Software Foundation; either version 3 of the License, or 10 : (at your option) any later version. 11 : 12 : This program is distributed in the hope that it will be useful, 13 : but WITHOUT ANY WARRANTY; without even the implied warranty of 14 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 : GNU General Public License for more details. 16 : 17 : You should have received a copy of the GNU General Public License 18 : along with this program. If not, see <http://www.gnu.org/licenses/>. 19 : */ 20 : 21 : #include "lib/replace/replace.h" 22 : #include "auth/authn_policy.h" 23 : #include "auth/authn_policy_impl.h" 24 : 25 1558 : bool authn_policy_is_enforced(const struct authn_policy *policy) 26 : { 27 1558 : return policy->enforced; 28 : } 29 : 30 : /* Authentication policies for Kerberos clients. */ 31 : 32 : /* Is an authentication policy enforced? */ 33 3 : bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy) 34 : { 35 3 : return authn_policy_is_enforced(&policy->policy); 36 : } 37 : 38 : /* Get the raw TGT lifetime enforced by an authentication policy. */ 39 301507 : int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy) 40 : { 41 301507 : if (policy == NULL) { 42 290914 : return 0; 43 : } 44 : 45 451 : if (!authn_policy_is_enforced(&policy->policy)) { 46 10 : return 0; 47 : } 48 : 49 441 : return policy->tgt_lifetime_raw; 50 : } 51 : 52 : /* Auditing information. */ 53 : 54 760 : enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info) 55 : { 56 0 : bool is_enforced; 57 : 58 760 : if (audit_info->event == AUTHN_AUDIT_EVENT_OK) { 59 : /* We didn’t get an error. */ 60 338 : return AUTH_EVT_ID_NONE; 61 : } 62 : 63 422 : if (audit_info->policy == NULL) { 64 : /* 65 : * We got an error, but there’s no policy, so it must have 66 : * stemmed from something else. 67 : */ 68 0 : return AUTH_EVT_ID_NONE; 69 : } 70 : 71 422 : is_enforced = authn_policy_is_enforced(audit_info->policy); 72 : 73 422 : switch (audit_info->event) { 74 264 : case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION: 75 264 : if (is_enforced) { 76 262 : return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION; 77 : } 78 : 79 2 : return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT; 80 : 81 64 : case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION: 82 64 : if (is_enforced) { 83 63 : return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION; 84 : } 85 : 86 1 : return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT; 87 : 88 38 : case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION: 89 38 : if (is_enforced) { 90 38 : return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION; 91 : } 92 : 93 : /* No relevant event ID. */ 94 0 : break; 95 : 96 56 : case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION: 97 : case AUTHN_AUDIT_EVENT_OTHER_ERROR: 98 : default: 99 : /* No relevant event ID. */ 100 56 : break; 101 : } 102 : 103 56 : return AUTH_EVT_ID_NONE; 104 : } 105 : 106 760 : const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info) 107 : { 108 760 : if (audit_info->policy == NULL) { 109 0 : return NULL; 110 : } 111 : 112 760 : return audit_info->policy->silo_name; 113 : } 114 : 115 760 : const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info) 116 : { 117 760 : if (audit_info->policy == NULL) { 118 0 : return NULL; 119 : } 120 : 121 760 : return audit_info->policy->policy_name; 122 : } 123 : 124 760 : const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info) 125 : { 126 760 : if (audit_info->policy == NULL) { 127 0 : return NULL; 128 : } 129 : 130 760 : return &audit_info->policy->enforced; 131 : } 132 : 133 760 : const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info) 134 : { 135 760 : return audit_info->client_info; 136 : } 137 : 138 760 : const char *authn_audit_info_event(const struct authn_audit_info *audit_info) 139 : { 140 760 : switch (audit_info->event) { 141 338 : case AUTHN_AUDIT_EVENT_OK: 142 338 : return "OK"; 143 264 : case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION: 144 264 : return "KERBEROS_DEVICE_RESTRICTION"; 145 64 : case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION: 146 64 : return "KERBEROS_SERVER_RESTRICTION"; 147 38 : case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION: 148 38 : return "NTLM_DEVICE_RESTRICTION"; 149 56 : case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION: 150 56 : return "NTLM_SERVER_RESTRICTION"; 151 0 : case AUTHN_AUDIT_EVENT_OTHER_ERROR: 152 : default: 153 0 : return "OTHER_ERROR"; 154 : } 155 : } 156 : 157 760 : const char *authn_audit_info_reason(const struct authn_audit_info *audit_info) 158 : { 159 760 : switch (audit_info->reason) { 160 0 : case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID: 161 0 : return "DESCRIPTOR_INVALID"; 162 12 : case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER: 163 12 : return "DESCRIPTOR_NO_OWNER"; 164 17 : case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE: 165 17 : return "SECURITY_TOKEN_FAILURE"; 166 352 : case AUTHN_AUDIT_REASON_ACCESS_DENIED: 167 352 : return "ACCESS_DENIED"; 168 3 : case AUTHN_AUDIT_REASON_FAST_REQUIRED: 169 3 : return "FAST_REQUIRED"; 170 376 : case AUTHN_AUDIT_REASON_NONE: 171 : default: 172 376 : return NULL; 173 : } 174 : } 175 : 176 760 : NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info) 177 : { 178 760 : return audit_info->policy_status; 179 : } 180 : 181 760 : const char *authn_audit_info_location(const struct authn_audit_info *audit_info) 182 : { 183 760 : return audit_info->location; 184 : } 185 : 186 760 : struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info) 187 : { 188 0 : int64_t lifetime; 189 : 190 760 : if (!audit_info->tgt_lifetime_raw.is_present) { 191 366 : return authn_int64_none(); 192 : } 193 : 194 394 : lifetime = audit_info->tgt_lifetime_raw.val; 195 394 : lifetime /= INT64_C(1000) * 1000 * 10 * 60; 196 : 197 394 : return authn_int64_some(lifetime); 198 : }