sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
Code
7dac035896
samba-mirror/source4/auth/session.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

153 lines
5.7 KiB
C
Raw Normal View History

r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
/*
Unix SMB/CIFS implementation.
Add documentation to session token functions. (This used to be commit ec4a108d1d35cd4bb2170f1bb122546266b9b745)
2008-04-24 16:30:36 +04:00
Process and provide the logged on user's authorization token
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
Copyright (C) Andrew Bartlett 2001
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _SAMBA_AUTH_SESSION_H
#define _SAMBA_AUTH_SESSION_H
s4:auth: Include missing headers Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-21 06:14:55 +03:00
#include "lib/util/data_blob.h"
Fix public header not to include private (not installed) ones. Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-14 18:01:47 +03:00
#include "librpc/gen_ndr/security.h"
s4:auth: Include missing headers Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-21 06:14:55 +03:00
#include "libcli/util/werror.h"
#include "lib/util/time.h"
r26572: Fix warnings in the Python code. (This used to be commit 15038d9586d0b58f301ca8c39c21ef10c4283f28)
2007-12-24 05:56:41 +03:00
#include "librpc/gen_ndr/netlogon.h"
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
#include "librpc/gen_ndr/auth.h"
s4: fix LIBEVENTS dependencies and use more forward declarations We should only include events.h where we really need it and prefer forward declarations of 'struct event_context' metze
2008-12-17 02:06:34 +03:00
s4:auth: Include missing headers Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-21 06:14:55 +03:00
struct loadparm_context;
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
struct tevent_context;
s4:auth/session.h - use a forward declaration for type "struct ldb_context" And remove the now obsolete one for "struct tevent_context" Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Dec 21 11:17:34 CET 2010 on sn-devel-104
2010-12-21 12:13:41 +03:00
struct ldb_context;
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
struct ldb_dn;
Add documentation to session token functions. (This used to be commit ec4a108d1d35cd4bb2170f1bb122546266b9b745)
2008-04-24 16:30:36 +04:00
/* Create a security token for a session SYSTEM (the most
s4:auth: Fix typos Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-09 05:06:23 +03:00
* trusted/privileged account), including the local machine account as
Add documentation to session token functions. (This used to be commit ec4a108d1d35cd4bb2170f1bb122546266b9b745)
2008-04-24 16:30:36 +04:00
* the off-host credentials */
s4-dsdb: create a static system_session context This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-23 07:19:28 +04:00
struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ;
Add documentation to session token functions. (This used to be commit ec4a108d1d35cd4bb2170f1bb122546266b9b745)
2008-04-24 16:30:36 +04:00
s4:auth: Add functions to convert between different claims formats The new ‘claims_data’ structure can store claims in three different representations — as an encoded blob, as a CLAIMS_SET structure, or as a series of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claims. Given a set of claims, the accompanying functions provide a way to convert them into the desired format. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-21 06:13:20 +03:00
enum claims_data_present {
CLAIMS_DATA_ENCODED_CLAIMS_PRESENT = 0x01,
CLAIMS_DATA_CLAIMS_PRESENT = 0x02,
CLAIMS_DATA_SECURITY_CLAIMS_PRESENT = 0x04,
};
struct claims_data {
DATA_BLOB encoded_claims_set;
struct CLAIMS_SET *claims_set;
/*
* These security claims are here treated as only a product the result
* of conversion from another format and ought not to be treated as
* authoritative.
*/
struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *security_claims;
uint32_t n_security_claims;
enum claims_data_present flags;
};
struct auth_claims {
struct claims_data *user_claims;
struct claims_data *device_claims;
};
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
const char *netbios_name,
struct auth_user_info_dc **interim_info);
s4:auth: Split out new function to generate a security token Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-09 05:30:40 +03:00
NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
const struct auth_user_info_dc *user_info_dc,
s4:auth: Add parameters for claims and device info to auth_generate_security_token() Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 05:16:21 +03:00
const struct auth_user_info_dc *device_info_dc,
const struct auth_claims auth_claims,
s4:auth: Split out new function to generate a security token Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-09 05:30:40 +03:00
uint32_t session_info_flags,
struct security_token **_security_token);
s4:auth Change auth_generate_session_info to take an auth context The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-13 06:00:06 +04:00
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
s4:auth: Fix typos Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-09 05:06:23 +03:00
struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
s4-auth rework session_info handling not to require an auth context This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21 02:19:53 +03:00
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
s4:auth: Rename parameter to match function implementation Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 05:08:26 +03:00
const struct auth_user_info_dc *user_info_dc,
s4:auth Change auth_generate_session_info to take flags This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-04-19 09:51:57 +04:00
uint32_t session_info_flags,
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
struct auth_session_info **session_info);
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
struct auth_session_info **session_info);
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
struct auth_session_info_transport *session_info_transport,
struct loadparm_context *lp_ctx,
const char **reason);
NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info_transport **transport_out);
s4:auth: Fix code spelling Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-20 12:34:28 +03:00
/* Produce a session_info for an arbitrary DN or principal in the local
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
* DB, assuming the local DB holds all the groups
*
* Supply either a principal or a DN
*/
NTSTATUS authsam_get_session_info_principal(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *sam_ctx,
const char *principal,
struct ldb_dn *user_dn,
uint32_t session_info_flags,
struct auth_session_info **session_info);
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx);
Added "admin_session" method. The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
2009-09-03 15:39:40 +04:00
struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct dom_sid *domain_sid);
s4:kdc: Move encode_claims_set() into the auth_session subsystem Some functions in the auth_session subsystem will need to be able to call encode_claims_set(). Moving said function lets them do that whilst avoiding circular dependencies and additional public dependencies. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-21 05:48:02 +03:00
NTSTATUS encode_claims_set(TALLOC_CTX *mem_ctx,
struct CLAIMS_SET *claims_set,
DATA_BLOB *claims_blob);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
s4:auth: Add functions to convert between different claims formats The new ‘claims_data’ structure can store claims in three different representations — as an encoded blob, as a CLAIMS_SET structure, or as a series of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claims. Given a set of claims, the accompanying functions provide a way to convert them into the desired format. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-21 06:13:20 +03:00
/*
* Construct a claims_data structure from a claims blob, such as is found in a
* PAC.
*/
NTSTATUS claims_data_from_encoded_claims_set(TALLOC_CTX *claims_data_ctx,
const DATA_BLOB *encoded_claims_set,
struct claims_data **out);
/*
* Construct a claims_data structure from a tallocallocated claims set, such
* as we might build from searching the database. If this function returns
* successfully, it assumes ownership of the claims set.
*/
NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx,
struct CLAIMS_SET *claims_set,
struct claims_data **out);
/*
* From a claims_data structure, return an encoded claims blob that can be put
* into a PAC.
*/
s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims Having the lifetime of the encoded claims be tied in a predictable fashion to a caller‐controlled memory context is less prone to error. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-05 05:11:42 +03:00
NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
struct claims_data *claims_data,
s4:auth: Add functions to convert between different claims formats The new ‘claims_data’ structure can store claims in three different representations — as an encoded blob, as a CLAIMS_SET structure, or as a series of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claims. Given a set of claims, the accompanying functions provide a way to convert them into the desired format. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-21 06:13:20 +03:00
DATA_BLOB *encoded_claims_set_out);
/*
* From a claims_data structure, return an array of security claims that can
* be put in a security token for access checks.
*/
NTSTATUS claims_data_security_claims(TALLOC_CTX *mem_ctx,
struct claims_data *claims_data,
struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 **security_claims_out,
uint32_t *n_security_claims_out);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
#endif /* _SAMBA_AUTH_SESSION_H */
Copy Permalink