Line data    Source code

       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             :    Samba Active Directory authentication policy functions
       4             : 
       5             :    Copyright (C) Catalyst.Net Ltd 2023
       6             : 
       7             :    This program is free software; you can redistribute it and/or modify
       8             :    it under the terms of the GNU General Public License as published by
       9             :    the Free Software Foundation; either version 3 of the License, or
      10             :    (at your option) any later version.
      11             : 
      12             :    This program is distributed in the hope that it will be useful,
      13             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :    GNU General Public License for more details.
      16             : 
      17             :    You should have received a copy of the GNU General Public License
      18             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      19             : */
      20             : 
      21             : #include "lib/replace/replace.h"
      22             : #include "auth/authn_policy.h"
      23             : #include "auth/authn_policy_impl.h"
      24             : 
      25        1512 : bool authn_policy_is_enforced(const struct authn_policy *policy)
      26             : {
      27        1512 :         return policy->enforced;
      28             : }
      29             : 
      30             : /* Authentication policies for Kerberos clients. */
      31             : 
      32             : /* Is an authentication policy enforced? */
      33           3 : bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
      34             : {
      35           3 :         return authn_policy_is_enforced(&policy->policy);
      36             : }
      37             : 
      38             : /* Get the raw TGT lifetime enforced by an authentication policy. */
      39      299665 : int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
      40             : {
      41      299665 :         if (policy == NULL) {
      42      289090 :                 return 0;
      43             :         }
      44             : 
      45         433 :         if (!authn_policy_is_enforced(&policy->policy)) {
      46          10 :                 return 0;
      47             :         }
      48             : 
      49         423 :         return policy->tgt_lifetime_raw;
      50             : }
      51             : 
      52             : /* Auditing information. */
      53             : 
      54         745 : enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
      55             : {
      56           0 :         bool is_enforced;
      57             : 
      58         745 :         if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
      59             :                 /* We didn’t get an error. */
      60         333 :                 return AUTH_EVT_ID_NONE;
      61             :         }
      62             : 
      63         412 :         if (audit_info->policy == NULL) {
      64             :                 /*
      65             :                  * We got an error, but there’s no policy, so it must have
      66             :                  * stemmed from something else.
      67             :                  */
      68           0 :                 return AUTH_EVT_ID_NONE;
      69             :         }
      70             : 
      71         412 :         is_enforced = authn_policy_is_enforced(audit_info->policy);
      72             : 
      73         412 :         switch (audit_info->event) {
      74         260 :         case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
      75         260 :                 if (is_enforced) {
      76         258 :                         return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION;
      77             :                 }
      78             : 
      79           2 :                 return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;
      80             : 
      81          58 :         case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
      82          58 :                 if (is_enforced) {
      83          57 :                         return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION;
      84             :                 }
      85             : 
      86           1 :                 return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;
      87             : 
      88          38 :         case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
      89          38 :                 if (is_enforced) {
      90          38 :                         return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION;
      91             :                 }
      92             : 
      93             :                 /* No relevant event ID. */
      94           0 :                 break;
      95             : 
      96          56 :         case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
      97             :         case AUTHN_AUDIT_EVENT_OTHER_ERROR:
      98             :         default:
      99             :                 /* No relevant event ID. */
     100          56 :                 break;
     101             :         }
     102             : 
     103          56 :         return AUTH_EVT_ID_NONE;
     104             : }
     105             : 
     106         745 : const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info)
     107             : {
     108         745 :         if (audit_info->policy == NULL) {
     109           0 :                 return NULL;
     110             :         }
     111             : 
     112         745 :         return audit_info->policy->silo_name;
     113             : }
     114             : 
     115         745 : const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info)
     116             : {
     117         745 :         if (audit_info->policy == NULL) {
     118           0 :                 return NULL;
     119             :         }
     120             : 
     121         745 :         return audit_info->policy->policy_name;
     122             : }
     123             : 
     124         745 : const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info)
     125             : {
     126         745 :         if (audit_info->policy == NULL) {
     127           0 :                 return NULL;
     128             :         }
     129             : 
     130         745 :         return &audit_info->policy->enforced;
     131             : }
     132             : 
     133         745 : const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info)
     134             : {
     135         745 :         return audit_info->client_info;
     136             : }
     137             : 
     138         745 : const char *authn_audit_info_event(const struct authn_audit_info *audit_info)
     139             : {
     140         745 :         switch (audit_info->event) {
     141         333 :         case AUTHN_AUDIT_EVENT_OK:
     142         333 :                 return "OK";
     143         260 :         case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
     144         260 :                 return "KERBEROS_DEVICE_RESTRICTION";
     145          58 :         case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
     146          58 :                 return "KERBEROS_SERVER_RESTRICTION";
     147          38 :         case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
     148          38 :                 return "NTLM_DEVICE_RESTRICTION";
     149          56 :         case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
     150          56 :                 return "NTLM_SERVER_RESTRICTION";
     151           0 :         case AUTHN_AUDIT_EVENT_OTHER_ERROR:
     152             :         default:
     153           0 :                 return "OTHER_ERROR";
     154             :         }
     155             : }
     156             : 
     157         745 : const char *authn_audit_info_reason(const struct authn_audit_info *audit_info)
     158             : {
     159         745 :         switch (audit_info->reason) {
     160           0 :         case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID:
     161           0 :                 return "DESCRIPTOR_INVALID";
     162          12 :         case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER:
     163          12 :                 return "DESCRIPTOR_NO_OWNER";
     164          16 :         case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE:
     165          16 :                 return "SECURITY_TOKEN_FAILURE";
     166         343 :         case AUTHN_AUDIT_REASON_ACCESS_DENIED:
     167         343 :                 return "ACCESS_DENIED";
     168           3 :         case AUTHN_AUDIT_REASON_FAST_REQUIRED:
     169           3 :                 return "FAST_REQUIRED";
     170         371 :         case AUTHN_AUDIT_REASON_NONE:
     171             :         default:
     172         371 :                 return NULL;
     173             :         }
     174             : }
     175             : 
     176         745 : NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
     177             : {
     178         745 :         return audit_info->policy_status;
     179             : }
     180             : 
     181         745 : const char *authn_audit_info_location(const struct authn_audit_info *audit_info)
     182             : {
     183         745 :         return audit_info->location;
     184             : }
     185             : 
     186         745 : struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
     187             : {
     188           0 :         int64_t lifetime;
     189             : 
     190         745 :         if (!audit_info->tgt_lifetime_raw.is_present) {
     191         357 :                 return authn_int64_none();
     192             :         }
     193             : 
     194         388 :         lifetime = audit_info->tgt_lifetime_raw.val;
     195         388 :         lifetime /= INT64_C(1000) * 1000 * 10 * 60;
     196             : 
     197         388 :         return authn_int64_some(lifetime);
     198             : }