sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
c755bb5025
samba-mirror/source4/scripting/ejs/smbcalls_auth.c

209 lines
6.5 KiB
C
Raw Normal View History

r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
/*
Unix SMB/CIFS implementation.
ejs auth functions
Copyright (C) Simo Sorce 2005
Copyright (C) Andrew Tridgell 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
r8399: move the ejs and esp code closer to the directory layout used by the upstream sources. This makes it much easier to keep it up to date. I will separate out the mpr code into lib/appweb/mpr next (This used to be commit 52db7a052baeb0f11361ed69b71cb790039e3cc9)
2005-07-13 04:06:38 +04:00
#include "lib/appweb/ejs/ejs.h"
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
#include "auth/auth.h"
#include "scripting/ejs/smbcalls.h"
r12997: Feed the right event context to libnet in ejsnet and the auth code. This should give better behaviour in SWAT. Fix authentication as Samba, rather than System, users in SWAT. Andrew Bartlett (This used to be commit 498d72c4ad4d57d10f43ca58830d6ee8292a55f4)
2006-01-18 14:25:30 +03:00
#include "lib/events/events.h"
r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2006-07-31 18:05:08 +04:00
#include "lib/messaging/irpc.h"
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2005-12-14 10:22:25 +03:00
static int ejs_doauth(MprVarHandle eid,
TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username,
r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2006-01-10 01:12:53 +03:00
const char *password, const char *domain, const char *workstation,
r12997: Feed the right event context to libnet in ejsnet and the auth code. This should give better behaviour in SWAT. Fix authentication as Samba, rather than System, users in SWAT. Andrew Bartlett (This used to be commit 498d72c4ad4d57d10f43ca58830d6ee8292a55f4)
2006-01-18 14:25:30 +03:00
struct socket_address *remote_host, const char **auth_types)
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
{
struct auth_usersupplied_info *user_info = NULL;
struct auth_serversupplied_info *server_info = NULL;
r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2005-12-14 10:22:25 +03:00
struct auth_session_info *session_info = NULL;
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
struct auth_context *auth_context;
r12823: Fix up the provison and newuser code in SWAT. This also cleans up the main provision script a bit, as the argument list was getting out of control. (It has been replaced in part with an object). This also returns the session_info from the auth code into ejs. We still need access control allowing only root to re-provision. Andrew Bartlett (This used to be commit 002cdcf3cab6563909d31edc5d825e857dc0a732)
2006-01-10 13:35:47 +03:00
struct MprVar *session_info_obj;
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
NTSTATUS nt_status;
r17339: pass the event context and messaging context together to the smb ejs functions metze (This used to be commit 0397911b414518d54f6dba2a8c81a5872b90a034)
2006-07-31 17:34:00 +04:00
struct smbcalls_context *c;
struct event_context *ev;
r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2006-07-31 18:05:08 +04:00
struct messaging_context *msg;
r17339: pass the event context and messaging context together to the smb ejs functions metze (This used to be commit 0397911b414518d54f6dba2a8c81a5872b90a034)
2006-07-31 17:34:00 +04:00
/* Hope we can find an smbcalls_context somewhere up there... */
c = talloc_find_parent_bytype(tmp_ctx, struct smbcalls_context);
if (c) {
ev = c->event_ctx;
r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2006-07-31 18:05:08 +04:00
msg = c->msg_ctx;
r17339: pass the event context and messaging context together to the smb ejs functions metze (This used to be commit 0397911b414518d54f6dba2a8c81a5872b90a034)
2006-07-31 17:34:00 +04:00
} else {
/* Hope we can find the event context somewhere up there... */
ev = event_context_find(tmp_ctx);
r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2006-07-31 18:05:08 +04:00
msg = messaging_client_init(tmp_ctx, ev);
r17339: pass the event context and messaging context together to the smb ejs functions metze (This used to be commit 0397911b414518d54f6dba2a8c81a5872b90a034)
2006-07-31 17:34:00 +04:00
}
r12997: Feed the right event context to libnet in ejsnet and the auth code. This should give better behaviour in SWAT. Fix authentication as Samba, rather than System, users in SWAT. Andrew Bartlett (This used to be commit 498d72c4ad4d57d10f43ca58830d6ee8292a55f4)
2006-01-18 14:25:30 +03:00
r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2006-07-31 18:05:08 +04:00
nt_status = auth_context_create(tmp_ctx, auth_types, ev, msg, &auth_context);
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
if (!NT_STATUS_IS_OK(nt_status)) {
mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
r8340: - added sys_gmtime() - added sys_unlink() - added sys_file_load() and sys_file_save() - use mprString() instead of mprCreateStringVar() to cope with NULL strings - removed smbcalls_irpc.c as its not needed any more - allow ldbAdd() and ldbModify() to take multiple ldif records - added a sprintf() function to ejs. Quite complex, but very useful! (This used to be commit 625628a3f6e78349d2240ebcc79081f350672070)
2005-07-12 09:53:51 +04:00
mprSetPropertyValue(auth, "report", mprString("Auth System Failure"));
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
goto done;
}
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
user_info = talloc(tmp_ctx, struct auth_usersupplied_info);
if (!user_info) {
mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
mprSetPropertyValue(auth, "report", mprString("talloc failed"));
goto done;
}
user_info->mapped_state = True;
user_info->client.account_name = username;
user_info->mapped.account_name = username;
user_info->client.domain_name = domain;
user_info->mapped.domain_name = domain;
r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2006-01-10 01:12:53 +03:00
user_info->workstation_name = workstation;
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
r12819: Fix swat authentication again. We need to pass the socket_address structure around, so the auth code knows where the request came from. Andrew Bartlett (This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
2006-01-10 12:21:13 +03:00
user_info->remote_host = remote_host;
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
user_info->password_state = AUTH_PASSWORD_PLAIN;
user_info->password.plaintext = talloc_strdup(user_info, password);
user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
USER_INFO_DONT_CHECK_UNIX_ACCOUNT;
r11439: Make presedence on strcmp comparison clear, and fill in logon_parameters for the auth subsystem. Andrew Bartlett (This used to be commit 767c5ca7bec3737d1261e209cd895d1300354f25)
2005-11-01 16:32:09 +03:00
user_info->logon_parameters = 0;
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &server_info);
r12918: Don't tell the user the difference between 'no such user' and 'wrong password'. Andrew Bartlett (This used to be commit e13cb0ab175069eb670c8b2f57379ababacfcce3)
2006-01-14 01:55:23 +03:00
/* Don't give the game away (any difference between no such
* user and wrong password) */
nt_status = auth_nt_status_squash(nt_status);
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
if (!NT_STATUS_IS_OK(nt_status)) {
r12819: Fix swat authentication again. We need to pass the socket_address structure around, so the auth code knows where the request came from. Andrew Bartlett (This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
2006-01-10 12:21:13 +03:00
mprSetPropertyValue(auth, "report",
r12931: Remove some prefixes. We have: Login failed: Login Failed: Logon failure - please try again In SWAT currently... Andrew Bartlett (This used to be commit 51eded818093320e7d6b9e95ad11fa21a81c3f93)
2006-01-14 10:46:04 +03:00
mprString(talloc_strdup(mprMemCtx(), get_friendly_nt_error_msg(nt_status))));
r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2005-12-14 10:22:25 +03:00
mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
goto done;
}
nt_status = auth_generate_session_info(tmp_ctx, server_info, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
goto done;
}
r12823: Fix up the provison and newuser code in SWAT. This also cleans up the main provision script a bit, as the argument list was getting out of control. (It has been replaced in part with an object). This also returns the session_info from the auth code into ejs. We still need access control allowing only root to re-provision. Andrew Bartlett (This used to be commit 002cdcf3cab6563909d31edc5d825e857dc0a732)
2006-01-10 13:35:47 +03:00
session_info_obj = mprInitObject(eid, "session_info", 0, NULL);
mprSetPtrChild(session_info_obj, "session_info", session_info);
r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2005-12-14 10:22:25 +03:00
talloc_steal(mprMemCtx(), session_info);
r12823: Fix up the provison and newuser code in SWAT. This also cleans up the main provision script a bit, as the argument list was getting out of control. (It has been replaced in part with an object). This also returns the session_info from the auth code into ejs. We still need access control allowing only root to re-provision. Andrew Bartlett (This used to be commit 002cdcf3cab6563909d31edc5d825e857dc0a732)
2006-01-10 13:35:47 +03:00
mprSetProperty(auth, "session_info", session_info_obj);
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
mprSetPropertyValue(auth, "result", mprCreateBoolVar(server_info->authenticated));
r8340: - added sys_gmtime() - added sys_unlink() - added sys_file_load() and sys_file_save() - use mprString() instead of mprCreateStringVar() to cope with NULL strings - removed smbcalls_irpc.c as its not needed any more - allow ldbAdd() and ldbModify() to take multiple ldif records - added a sprintf() function to ejs. Quite complex, but very useful! (This used to be commit 625628a3f6e78349d2240ebcc79081f350672070)
2005-07-12 09:53:51 +04:00
mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
done:
return 0;
}
/*
perform user authentication, returning an array of results
*/
static int ejs_userAuth(MprVarHandle eid, int argc, struct MprVar **argv)
{
TALLOC_CTX *tmp_ctx;
const char *username;
const char *password;
const char *domain;
r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2006-01-10 01:12:53 +03:00
const char *workstation;
r9499: added error checking to the userAuth() call. SWAT is still failing, but at least it now tells us why (This used to be commit 4afb16d7b24b1d1ed359048a89950924b363e44a)
2005-08-23 06:05:53 +04:00
struct MprVar auth;
r9477: Convert popt options to an ejs object. Doesn't seem to break anything except of popt help (-h) option (unexpected ?). rafal (This used to be commit 1990793b23d6198a85ce1bdf6ad43e12015db203)
2005-08-22 18:32:58 +04:00
struct cli_credentials *creds;
r12819: Fix swat authentication again. We need to pass the socket_address structure around, so the auth code knows where the request came from. Andrew Bartlett (This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
2006-01-10 12:21:13 +03:00
struct socket_address *remote_host;
r12997: Feed the right event context to libnet in ejsnet and the auth code. This should give better behaviour in SWAT. Fix authentication as Samba, rather than System, users in SWAT. Andrew Bartlett (This used to be commit 498d72c4ad4d57d10f43ca58830d6ee8292a55f4)
2006-01-18 14:25:30 +03:00
const char *auth_types_unix[] = { "unix", NULL };
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
r12819: Fix swat authentication again. We need to pass the socket_address structure around, so the auth code knows where the request came from. Andrew Bartlett (This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
2006-01-10 12:21:13 +03:00
if (argc != 2 || argv[0]->type != MPR_TYPE_OBJECT || argv[1]->type != MPR_TYPE_OBJECT) {
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
ejsSetErrorMsg(eid, "userAuth invalid arguments, this function requires an object.");
return -1;
}
r9477: Convert popt options to an ejs object. Doesn't seem to break anything except of popt help (-h) option (unexpected ?). rafal (This used to be commit 1990793b23d6198a85ce1bdf6ad43e12015db203)
2005-08-22 18:32:58 +04:00
/* get credential values from credentials object */
creds = mprGetPtr(argv[0], "creds");
r9499: added error checking to the userAuth() call. SWAT is still failing, but at least it now tells us why (This used to be commit 4afb16d7b24b1d1ed359048a89950924b363e44a)
2005-08-23 06:05:53 +04:00
if (creds == NULL) {
r12819: Fix swat authentication again. We need to pass the socket_address structure around, so the auth code knows where the request came from. Andrew Bartlett (This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
2006-01-10 12:21:13 +03:00
ejsSetErrorMsg(eid, "userAuth requires a 'creds' first parameter");
return -1;
}
remote_host = mprGetPtr(argv[1], "socket_address");
if (remote_host == NULL) {
ejsSetErrorMsg(eid, "userAuth requires a socket address second parameter");
r9499: added error checking to the userAuth() call. SWAT is still failing, but at least it now tells us why (This used to be commit 4afb16d7b24b1d1ed359048a89950924b363e44a)
2005-08-23 06:05:53 +04:00
return -1;
}
r9755: Fix crash bug in SWAT login (This used to be commit 6e3e964fb4529260c2fcb09b41eda1a100e690eb)
2005-08-29 23:08:18 +04:00
tmp_ctx = talloc_new(mprMemCtx());
r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again. I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2005-09-22 05:50:58 +04:00
username = cli_credentials_get_username(creds);
r9477: Convert popt options to an ejs object. Doesn't seem to break anything except of popt help (-h) option (unexpected ?). rafal (This used to be commit 1990793b23d6198a85ce1bdf6ad43e12015db203)
2005-08-22 18:32:58 +04:00
password = cli_credentials_get_password(creds);
domain = cli_credentials_get_domain(creds);
r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2006-01-10 01:12:53 +03:00
workstation = cli_credentials_get_workstation(creds);
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
r8633: check for valid input to ejs_userAuth() (This used to be commit 8e788ae3094220e5ea195cdf85abb6763a834abd)
2005-07-20 09:41:29 +04:00
if (username == NULL || password == NULL || domain == NULL) {
mpr_Return(eid, mprCreateUndefinedVar());
r9755: Fix crash bug in SWAT login (This used to be commit 6e3e964fb4529260c2fcb09b41eda1a100e690eb)
2005-08-29 23:08:18 +04:00
talloc_free(tmp_ctx);
r8633: check for valid input to ejs_userAuth() (This used to be commit 8e788ae3094220e5ea195cdf85abb6763a834abd)
2005-07-20 09:41:29 +04:00
return 0;
}
r8320: make sure all our returned objects are full objects, which means they have the toString() and valueOf() default attributes this allows all our returned objects to be used in logical expressions (This used to be commit 570f071b1544b497d5f480b8ad50df097fe4c843)
2005-07-11 14:18:26 +04:00
auth = mprObject("auth");
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
r12819: Fix swat authentication again. We need to pass the socket_address structure around, so the auth code knows where the request came from. Andrew Bartlett (This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
2006-01-10 12:21:13 +03:00
if (domain && (strcmp("SYSTEM USER", domain) == 0)) {
r12997: Feed the right event context to libnet in ejsnet and the auth code. This should give better behaviour in SWAT. Fix authentication as Samba, rather than System, users in SWAT. Andrew Bartlett (This used to be commit 498d72c4ad4d57d10f43ca58830d6ee8292a55f4)
2006-01-18 14:25:30 +03:00
ejs_doauth(eid, tmp_ctx, &auth, username, password, domain, workstation, remote_host, auth_types_unix);
r8629: - moved the getDomainList() call out of smbcalls_auth.c and into libjs/auth.js - tried to make the ejs_userAuth() call work for the sam, not just for unix auth. I didn't get this working. Andrew, when you get a chance can you see what I'm doing wrong? I suspect its because we aren't supplying a challenge, but a challenge doesn't really make sense in a 'is this username/password' correct call. (This used to be commit 9e07c08a71908e99c2f44efc40a3249facd6850f)
2005-07-20 08:27:09 +04:00
} else {
r12997: Feed the right event context to libnet in ejsnet and the auth code. This should give better behaviour in SWAT. Fix authentication as Samba, rather than System, users in SWAT. Andrew Bartlett (This used to be commit 498d72c4ad4d57d10f43ca58830d6ee8292a55f4)
2006-01-18 14:25:30 +03:00
ejs_doauth(eid, tmp_ctx, &auth, username, password, domain, workstation, remote_host, lp_auth_methods());
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
}
mpr_Return(eid, auth);
talloc_free(tmp_ctx);
return 0;
}
r12746: An initial version of the kludge_acls module. This should be replaced with real ACLs, which tridge is working on. In the meantime, the rules are very simple: - SYSTEM and Administrators can read all. - Users and anonymous cannot read passwords, can read everything else - list of 'password' attributes is hard-coded Most of the difficult work in this was fighting with the C/js interface to add a system_session() all, as it still doesn't get on with me :-) Andrew Bartlett (This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
2006-01-07 00:04:32 +03:00
/*
initialise credentials ejs object
*/
static int ejs_system_session(MprVarHandle eid, int argc, struct MprVar **argv)
{
struct MprVar *obj = mprInitObject(eid, "session_info", argc, argv);
struct auth_session_info *session_info = system_session(mprMemCtx());
if (session_info == NULL) {
return -1;
}
mprSetPtrChild(obj, "session_info", session_info);
return 0;
}
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
/*
setup C functions that be called from ejs
*/
r15731: module init functions should return NTSTATUS, not void (This used to be commit c6d20c22454b87b4dea3527f0efcecd373679848)
2006-05-20 07:08:44 +04:00
NTSTATUS smb_setup_ejs_auth(void)
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
{
ejsDefineCFunction(-1, "userAuth", ejs_userAuth, NULL, MPR_VAR_SCRIPT_HANDLE);
r12746: An initial version of the kludge_acls module. This should be replaced with real ACLs, which tridge is working on. In the meantime, the rules are very simple: - SYSTEM and Administrators can read all. - Users and anonymous cannot read passwords, can read everything else - list of 'password' attributes is hard-coded Most of the difficult work in this was fighting with the C/js interface to add a system_session() all, as it still doesn't get on with me :-) Andrew Bartlett (This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
2006-01-07 00:04:32 +03:00
ejsDefineCFunction(-1, "system_session", ejs_system_session, NULL, MPR_VAR_SCRIPT_HANDLE);
r15731: module init functions should return NTSTATUS, not void (This used to be commit c6d20c22454b87b4dea3527f0efcecd373679848)
2006-05-20 07:08:44 +04:00
return NT_STATUS_OK;
r8296: - split out the ejs auth functions into a separate file - got rid of the one line ejs_returnlist() (This used to be commit 6961fe29058cffd8e69d9ce7e7d3902f973411c0)
2005-07-11 03:25:42 +04:00
}
Copy Permalink