
auth: Move auth_session_info into IDL

This changes auth_session_info_transport to just be a wrapper, rather
than a copy that has to be kept in sync.

As auth_session_info was already wrapped in python, this required
changes to the existing pyauth wrapper and its users.

Andrew Bartlett
Andrew Bartlett 2011-04-05 16:15:27 +10:00
parent f261266c9d
commit 663dc94e63
15 changed files with 231 additions and 138 deletions


@ -35,16 +35,7 @@ struct cli_credentials;
struct security_token;
struct auth_user_info;
struct auth_user_info_torture;
struct auth_session_info {
struct security_token *security_token;
struct security_unix_token *unix_token;
struct auth_user_info *info;
struct auth_user_info_unix *unix_info;
struct auth_user_info_torture *torture;
DATA_BLOB session_key;
struct cli_credentials *credentials;
};
struct auth_session_info;
enum security_user_level security_session_user_level(struct auth_session_info *session_info,
const struct dom_sid *domain_sid);


@ -1,10 +1,20 @@
#include "idl_types.h"
/*
security IDL structures
Authentication IDL structures
These are NOT public network structures, but it is helpful to define
these things in IDL. They may change without ABI breakage or
warning.
*/
import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
[
pyhelper("librpc/ndr/py_auth.c"),
helper("../librpc/ndr/ndr_auth.h"),
helpstring("internal Samba authentication structures")
]
interface auth
{
@ -79,7 +89,13 @@ interface auth
security_unix_token *unix_token;
auth_user_info *info;
auth_user_info_unix *unix_info;
[value(NULL), ignore] auth_user_info_torture *torture;
DATA_BLOB session_key;
[value(NULL), ignore] cli_credentials *credentials;
} auth_session_info;
typedef [public] struct {
auth_session_info *session_info;
DATA_BLOB exported_gssapi_credentials;
} auth_session_info_transport;
}
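Review bot: `DATA_BLOB session_key` in the new auth_session_info typedef carries no `[noprint]`, so the generated ndr_print routine — and with it any NDR debug dump or the Python `__ndr_print__` of a session_info — will emit the raw session key bytes. Since this structure now crosses named-pipe forwarding and is reachable from Python, consider `[noprint] DATA_BLOB session_key;` unless dumping the key into logs is intended (whether pidl in this tree honours `noprint` on a DATA_BLOB element is not visible from the hunk). The `[value(NULL), ignore]` on credentials keeps cli_credentials off the wire, which is the right default for a type with no network representation.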

librpc/ndr/ndr_auth.c Normal file

@ -0,0 +1,44 @@
/*
Unix SMB/CIFS implementation.
Helper routines for marshalling the internal 'auth.idl'
Copyright (C) Andrew Bartlett 2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "librpc/ndr/ndr_auth.h"
#include "librpc/ndr/libndr.h"
_PUBLIC_ void ndr_print_cli_credentials(struct ndr_print *ndr, const char *name, struct cli_credentials *v)
{
ndr->print(ndr, "%-25s: NULL", name);
}
/*
cli_credentials does not have a network representation, just pull/push a NULL pointer
*/
_PUBLIC_ enum ndr_err_code ndr_pull_cli_credentials(struct ndr_pull *ndr, int ndr_flags, struct cli_credentials *v)
{
return NDR_ERR_SUCCESS;
}
_PUBLIC_ enum ndr_err_code ndr_push_cli_credentials(struct ndr_push *ndr, int ndr_flags, struct cli_credentials *v)
{
return ndr_push_pointer(ndr, ndr_flags, NULL);
}
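Review bot: ndr_push_cli_credentials writes a pointer marker via `ndr_push_pointer(ndr, ndr_flags, NULL)` while ndr_pull_cli_credentials consumes nothing and returns success, so the two public helpers do not agree on the byte stream. With `[value(NULL), ignore]` on the element, pidl presumably never emits calls to them for credentials, but as `_PUBLIC_` symbols they should still be symmetric: either make the push a no-op too (`return NDR_ERR_SUCCESS;`) or have the pull consume the same pointer marker with libndr's matching pull-pointer call. The explanatory comment `cli_credentials does not have a network representation ...` sits between the print and pull functions; placing it above the first function would make it cover all three.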

librpc/ndr/ndr_auth.h Normal file

@ -0,0 +1,32 @@
/*
Unix SMB/CIFS implementation.
Helper routines for marshalling the internal 'auth.idl'
Copyright (C) Andrew Bartlett 2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
cli_credentials does not have a network representation, just pull/push a NULL pointer
*/
#include "librpc/gen_ndr/ndr_auth.h"
struct cli_credentials;
_PUBLIC_ enum ndr_err_code ndr_pull_cli_credentials(struct ndr_pull *ndr, int ndr_flags, struct cli_credentials *v);
_PUBLIC_ enum ndr_err_code ndr_push_cli_credentials(struct ndr_push *ndr, int ndr_flags, struct cli_credentials *v);
_PUBLIC_ void ndr_print_cli_credentials(struct ndr_print *ndr, const char *name, struct cli_credentials *v);
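Review bot: The new header has no include guard; repeated inclusion is harmless for bare prototypes today, but becomes a build break as soon as a type or macro is added here, and every other Samba header guards itself. Wrap the file in `#ifndef _LIBRPC_NDR_NDR_AUTH_H_` / `#define _LIBRPC_NDR_NDR_AUTH_H_` at the top and `#endif /* _LIBRPC_NDR_NDR_AUTH_H_ */` at the bottom.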


@ -9,7 +9,7 @@ bld.SAMBA_SUBSYSTEM('NDR_AUDIOSRV',
)
bld.SAMBA_SUBSYSTEM('NDR_AUTH',
source='gen_ndr/ndr_auth.c',
source='gen_ndr/ndr_auth.c ndr/ndr_auth.c',
public_headers='gen_ndr/auth.h',
header_path='gen_ndr',
public_deps='ndr NDR_SECURITY ndr-krb5pac'


@ -711,7 +711,7 @@ RPC_EVENTLOG_OBJ = rpc_server/eventlog/srv_eventlog_nt.o \
NPA_TSTREAM_OBJ = ../libcli/named_pipe_auth/npa_tstream.o \
librpc/gen_ndr/ndr_named_pipe_auth.o \
../auth/auth_sam_reply.o librpc/gen_ndr/ndr_auth.o
../auth/auth_sam_reply.o librpc/gen_ndr/ndr_auth.o ../librpc/ndr/ndr_auth.o
RPC_NCACN_NP = rpc_server/srv_pipe_register.o rpc_server/rpc_ncacn_np.o \
rpc_server/rpc_handles.o rpc_server/srv_access_check.o


@ -607,6 +607,7 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
struct tevent_context *ev;
struct tevent_req *subreq;
struct auth_session_info_transport *session_info_t;
struct auth_session_info *session_info_npa;
struct auth_user_info_dc *user_info_dc;
union netr_Validation val;
NTSTATUS status;
@ -651,20 +652,20 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
goto fail;
}
session_info_t = talloc_zero(talloc_tos(), struct auth_session_info_transport);
if (session_info_t == NULL) {
session_info_npa = talloc_zero(talloc_tos(), struct auth_session_info);
if (session_info_npa == NULL) {
DEBUG(0, ("talloc failed\n"));
goto fail;
}
/* Send the named_pipe_auth server the user's full token */
session_info_t->security_token = session_info->security_token;
session_info_t->session_key = session_info->session_key;
session_info_npa->security_token = session_info->security_token;
session_info_npa->session_key = session_info->session_key;
val.sam3 = session_info->info3;
/* Convert into something we can build a struct
* auth_session_info_transport from. Most of the work here
* auth_session_info from. Most of the work here
* will be to convert the SIDS, which we will then ignore, but
* this is the easier way to handle it */
status = make_user_info_dc_netlogon_validation(talloc_tos(), "", 3, &val, &user_info_dc);
@ -673,9 +674,17 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
goto fail;
}
session_info_t->info = talloc_move(session_info_t, &user_info_dc->info);
session_info_npa->info = talloc_move(session_info_npa, &user_info_dc->info);
talloc_free(user_info_dc);
session_info_t = talloc_zero(talloc_tos(), struct auth_session_info_transport);
if (session_info_npa == NULL) {
DEBUG(0, ("talloc failed\n"));
goto fail;
}
session_info_t->session_info = talloc_steal(session_info_t, session_info_npa);
become_root();
subreq = tstream_npa_connect_send(talloc_tos(), ev,
socket_np_dir,
@ -689,8 +698,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
unbecome_root();
DEBUG(0, ("tstream_npa_connect_send to %s for pipe %s and "
"user %s\\%s failed\n",
socket_np_dir, pipe_name, session_info_t->info->domain_name,
session_info_t->info->account_name));
socket_np_dir, pipe_name, session_info_t->session_info->info->domain_name,
session_info_t->session_info->info->account_name));
goto fail;
}
ok = tevent_req_poll(subreq, ev);
@ -698,8 +707,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
if (!ok) {
DEBUG(0, ("tevent_req_poll to %s for pipe %s and user %s\\%s "
"failed for tstream_npa_connect: %s\n",
socket_np_dir, pipe_name, session_info_t->info->domain_name,
session_info_t->info->account_name,
socket_np_dir, pipe_name, session_info_t->session_info->info->domain_name,
session_info_t->session_info->info->account_name,
strerror(errno)));
goto fail;
@ -714,8 +723,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
if (ret != 0) {
DEBUG(0, ("tstream_npa_connect_recv to %s for pipe %s and "
"user %s\\%s failed: %s\n",
socket_np_dir, pipe_name, session_info_t->info->domain_name,
session_info_t->info->account_name,
socket_np_dir, pipe_name, session_info_t->session_info->info->domain_name,
session_info_t->session_info->info->account_name,
strerror(sys_errno)));
goto fail;
}
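Review bot: The allocation check after `session_info_t = talloc_zero(talloc_tos(), struct auth_session_info_transport);` tests the wrong pointer — it re-checks `session_info_npa`, which was already verified non-NULL a few lines earlier — so a failed talloc of session_info_t goes unnoticed and the very next line `session_info_t->session_info = talloc_steal(session_info_t, session_info_npa);` dereferences NULL. Change the condition to `if (session_info_t == NULL) {`. The enclosing make_external_rpc_pipe_p starts and ends outside the hunks shown.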


@ -32,15 +32,15 @@
#define SERVER_TCP_HIGH_PORT 1300
static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
struct auth_session_info_transport **session_info)
struct auth_session_info **session_info)
{
struct auth_session_info_transport *i;
struct auth_session_info *i;
struct auth_serversupplied_info *s;
struct auth_user_info_dc *u;
union netr_Validation val;
NTSTATUS status;
i = talloc_zero(mem_ctx, struct auth_session_info_transport);
i = talloc_zero(mem_ctx, struct auth_session_info);
if (i == NULL) {
return NT_STATUS_NO_MEMORY;
}
@ -81,7 +81,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
bool ncalrpc_as_system,
const char *client_address,
const char *server_address,
struct auth_session_info_transport *session_info,
struct auth_session_info *session_info,
struct pipes_struct **_p,
int *perrno)
{
@ -355,7 +355,7 @@ struct named_pipe_client {
char *client_name;
struct tsocket_address *server;
char *server_name;
struct auth_session_info_transport *session_info;
struct auth_session_info *session_info;
struct pipes_struct *p;
@ -433,6 +433,7 @@ static void named_pipe_packet_done(struct tevent_req *subreq);
static void named_pipe_accept_done(struct tevent_req *subreq)
{
struct auth_session_info_transport *session_info_transport;
struct named_pipe_client *npc =
tevent_req_callback_data(subreq, struct named_pipe_client);
const char *cli_addr;
@ -445,7 +446,10 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
&npc->client_name,
&npc->server,
&npc->server_name,
&npc->session_info);
&session_info_transport);
npc->session_info = talloc_move(npc, &session_info_transport->session_info);
TALLOC_FREE(subreq);
if (ret != 0) {
DEBUG(2, ("Failed to accept named pipe connection! (%s)\n",
@ -996,7 +1000,7 @@ struct dcerpc_ncacn_conn {
char *client_name;
struct tsocket_address *server;
char *server_name;
struct auth_session_info_transport *session_info;
struct auth_session_info *session_info;
struct iovec *iov;
size_t count;
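Review bot: In named_pipe_accept_done the new line `npc->session_info = talloc_move(npc, &session_info_transport->session_info);` executes before the `if (ret != 0)` check on the tstream_npa_accept_existing_recv result, and `session_info_transport` is declared without an initializer; if the recv leaves its output parameter untouched on failure (not visible here), the error path dereferences an uninitialized pointer. Declare it as `struct auth_session_info_transport *session_info_transport = NULL;` and move the talloc_move below the error block so it only runs once the accept succeeded. named_pipe_accept_done continues outside the hunk.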


@ -271,7 +271,7 @@ static PyObject *py_gensec_session_info(PyObject *self)
return NULL;
}
py_session_info = py_return_ndr_struct("samba.auth", "AuthSession",
py_session_info = py_return_ndr_struct("samba.dcerpc.auth", "session_info",
info, info);
return py_session_info;
}


@ -46,72 +46,9 @@ typedef intargfunc ssizeargfunc;
#define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
#endif
static PyObject *py_auth_session_get_security_token(PyObject *self, void *closure)
static PyObject *PyAuthSession_FromSession(struct auth_session_info *session)
{
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
PyObject *py_security_token;
py_security_token = py_return_ndr_struct("samba.dcerpc.security", "token",
session->security_token, session->security_token);
return py_security_token;
}
static int py_auth_session_set_security_token(PyObject *self, PyObject *value, void *closure)
{
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
session->security_token = talloc_reference(session, py_talloc_get_ptr(value));
return 0;
}
static PyObject *py_auth_session_get_session_key(PyObject *self, void *closure)
{
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
return PyString_FromStringAndSize((char *)session->session_key.data, session->session_key.length);
}
static int py_auth_session_set_session_key(PyObject *self, PyObject *value, void *closure)
{
DATA_BLOB val;
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
val.data = (uint8_t *)PyString_AsString(value);
val.length = PyString_Size(value);
session->session_key = data_blob_talloc(session, val.data, val.length);
return 0;
}
static PyObject *py_auth_session_get_credentials(PyObject *self, void *closure)
{
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
PyObject *py_credentials;
/* This is evil, as the credentials are not IDL structures */
py_credentials = py_return_ndr_struct("samba.credentials", "Credentials", session->credentials, session->credentials);
return py_credentials;
}
static int py_auth_session_set_credentials(PyObject *self, PyObject *value, void *closure)
{
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
session->credentials = talloc_reference(session, PyCredentials_AsCliCredentials(value));
return 0;
}
static PyGetSetDef py_auth_session_getset[] = {
{ discard_const_p(char, "security_token"), (getter)py_auth_session_get_security_token, (setter)py_auth_session_set_security_token, NULL },
{ discard_const_p(char, "session_key"), (getter)py_auth_session_get_session_key, (setter)py_auth_session_set_session_key, NULL },
{ discard_const_p(char, "credentials"), (getter)py_auth_session_get_credentials, (setter)py_auth_session_set_credentials, NULL },
{ NULL }
};
static PyTypeObject PyAuthSession = {
.tp_name = "AuthSession",
.tp_basicsize = sizeof(py_talloc_Object),
.tp_flags = Py_TPFLAGS_DEFAULT,
.tp_getset = py_auth_session_getset,
};
PyObject *PyAuthSession_FromSession(struct auth_session_info *session)
{
return py_talloc_reference(&PyAuthSession, session);
return py_return_ndr_struct("samba.dcerpc.auth", "session_info", session, session);
}
static PyObject *py_system_session(PyObject *module, PyObject *args)
@ -378,13 +315,6 @@ void initauth(void)
{
PyObject *m;
PyAuthSession.tp_base = PyTalloc_GetObjectType();
if (PyAuthSession.tp_base == NULL)
return;
if (PyType_Ready(&PyAuthSession) < 0)
return;
PyAuthContext.tp_base = PyTalloc_GetObjectType();
if (PyAuthContext.tp_base == NULL)
return;
@ -397,8 +327,6 @@ void initauth(void)
if (m == NULL)
return;
Py_INCREF(&PyAuthSession);
PyModule_AddObject(m, "AuthSession", (PyObject *)&PyAuthSession);
Py_INCREF(&PyAuthContext);
PyModule_AddObject(m, "AuthContext", (PyObject *)&PyAuthContext);


@ -24,8 +24,6 @@
#include "auth/session.h"
#define PyAuthSession_AsSession(obj) py_talloc_get_type(obj, struct auth_session_info)
#define PyAuthSession_Check(obj) PyObject_TypeCheck(obj, &PyAuthSession)
struct auth_session_info *PyObject_AsSession(PyObject *obj);
PyObject *PyAuthSession_FromSession(struct auth_session_info *session);
#endif /* _PYAUTH_H */


@ -155,9 +155,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
/* Create a session_info structure from the
* auth_session_info_transport we were forwarded over named pipe
* forwarding.
/* Fill out the auth_session_info with a cli_credentials based on the
* auth_session_info we were forwarded over named pipe forwarding.
*
* NOTE: The stucture members of session_info_transport are stolen
* with talloc_move() into auth_session_info for long term use
@ -168,16 +167,7 @@ struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
const char **reason)
{
struct auth_session_info *session_info;
session_info = talloc_zero(mem_ctx, struct auth_session_info);
if (!session_info) {
*reason = "failed to allocate session_info";
return NULL;
}
session_info->security_token = talloc_move(session_info, &session_info_transport->security_token);
session_info->info = talloc_move(session_info, &session_info_transport->info);
session_info->session_key = session_info_transport->session_key;
session_info->session_key.data = talloc_move(session_info, &session_info_transport->session_key.data);
session_info = talloc_steal(mem_ctx, session_info_transport->session_info);
if (session_info_transport->exported_gssapi_credentials.length) {
struct cli_credentials *creds;
@ -236,9 +226,8 @@ struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
/* Create a auth_session_info_transport from an auth_session_info.
*
* NOTE: Members of the auth_session_info_transport structure are not talloc_referenced, but simply assigned. They are only valid for the lifetime of the struct auth_session_info
*
* This isn't normally an issue, as the auth_session_info has a very long typical life
* NOTE: Members of the auth_session_info_transport structure are
* talloc_referenced() into this structure, and should not be changed.
*/
NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
@ -247,18 +236,15 @@ NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
struct auth_session_info_transport **transport_out)
{
struct auth_session_info_transport *session_info_transport = talloc_zero(mem_ctx, struct auth_session_info_transport);
session_info_transport->security_token = talloc_reference(session_info, session_info->security_token);
NT_STATUS_HAVE_NO_MEMORY(session_info_transport->security_token);
session_info_transport->info = talloc_reference(session_info, session_info->info);
NT_STATUS_HAVE_NO_MEMORY(session_info_transport->info);
session_info_transport->session_key = session_info->session_key;
session_info_transport->session_key.data = talloc_reference(session_info, session_info->session_key.data);
if (!session_info_transport->session_key.data && session_info->session_key.length) {
struct auth_session_info_transport *session_info_transport
= talloc_zero(mem_ctx, struct auth_session_info_transport);
if (!session_info_transport) {
return NT_STATUS_NO_MEMORY;
}
};
session_info_transport->session_info = talloc_reference(session_info_transport, session_info);
if (!session_info_transport->session_info) {
return NT_STATUS_NO_MEMORY;
};
if (session_info->credentials) {
struct gssapi_creds_container *gcc;
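Review bot: `session_info = talloc_steal(mem_ctx, session_info_transport->session_info);` in auth_session_info_from_transport drops the NULL check the old talloc_zero path had, yet the transport structure was unmarshalled off the named pipe, where the nested session_info pointer can legitimately arrive as NULL; the code that follows (the exported_gssapi_credentials branch, which continues past the hunk) then writes through a NULL session_info. Add `if (session_info == NULL) { *reason = "no session_info in transport structure"; return NULL; }` directly after the steal, which also keeps the `reason` contract the function already uses. The NOTE above the function still says the members are "stolen with talloc_move() into auth_session_info"; it now describes the old layout and should say the whole session_info is talloc_steal()ed out of the transport.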


@ -174,11 +174,11 @@ static PyObject *py_ldb_set_session_info(PyObject *self, PyObject *args)
PyObject *PyAuthSession_Type;
bool ret;
mod_samba_auth = PyImport_ImportModule("samba.auth");
mod_samba_auth = PyImport_ImportModule("samba.dcerpc.auth");
if (mod_samba_auth == NULL)
return NULL;
PyAuthSession_Type = PyObject_GetAttrString(mod_samba_auth, "AuthSession");
PyAuthSession_Type = PyObject_GetAttrString(mod_samba_auth, "session_info");
if (PyAuthSession_Type == NULL)
return NULL;


@ -0,0 +1,74 @@
/*
Unix SMB/CIFS implementation.
Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <Python.h>
#include "includes.h"
#include "libcli/util/pyerrors.h"
#include "pyauth.h"
#include "auth/auth.h"
#include "auth/credentials/pycredentials.h"
#include "librpc/rpc/pyrpc_util.h"
#ifndef Py_RETURN_NONE
#define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
#endif
static void PyType_AddGetSet(PyTypeObject *type, PyGetSetDef *getset)
{
PyObject *dict;
int i;
if (type->tp_dict == NULL)
type->tp_dict = PyDict_New();
dict = type->tp_dict;
for (i = 0; getset[i].name; i++) {
PyObject *descr;
descr = PyDescr_NewGetSet(type, &getset[i]);
PyDict_SetItemString(dict, getset[i].name,
descr);
}
}
static PyObject *py_auth_session_get_credentials(PyObject *self, void *closure)
{
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
PyObject *py_credentials;
/* This is evil, as the credentials are not IDL structures */
py_credentials = py_return_ndr_struct("samba.credentials", "Credentials", session->credentials, session->credentials);
return py_credentials;
}
static int py_auth_session_set_credentials(PyObject *self, PyObject *value, void *closure)
{
struct auth_session_info *session = py_talloc_get_type(self, struct auth_session_info);
session->credentials = talloc_reference(session, PyCredentials_AsCliCredentials(value));
return 0;
}
static PyGetSetDef py_auth_session_extra_getset[] = {
{ discard_const_p(char, "credentials"), (getter)py_auth_session_get_credentials, (setter)py_auth_session_set_credentials, NULL },
{ NULL }
};
static void py_auth_session_info_patch(PyTypeObject *type)
{
PyType_AddGetSet(type, py_auth_session_extra_getset);
}
#define PY_SESSION_INFO_PATCH py_auth_session_info_patch
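Review bot: In PyType_AddGetSet, `PyDescr_NewGetSet` returns a new reference and `PyDict_SetItemString` does not steal it, so each descriptor leaks one reference per module init; add `Py_DECREF(descr);` after the PyDict_SetItemString call, and return early if `descr` (or the `PyDict_New()` result) is NULL instead of passing NULL into the dict. py_auth_session_set_credentials accepts any object: `PyCredentials_AsCliCredentials(value)` is applied without a type check and the talloc_reference result is never tested, so a wrong-typed assignment silently stores garbage or NULL in a security-sensitive field — check the value's type first and return -1 with a TypeError, and fail if the reference could not be taken. The getter could use the already-defined `Py_RETURN_NONE` when `session->credentials` is NULL rather than wrapping a NULL pointer.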


@ -199,6 +199,17 @@ bld.SAMBA_PYTHON('python_echo',
realname='samba/dcerpc/echo.so'
)
bld.SAMBA_PYTHON('python_auth',
source='../../librpc/gen_ndr/py_auth.c',
deps='NDR_AUTH pytalloc-util pyrpc_util',
realname='samba/dcerpc/auth.so'
)
bld.SAMBA_PYTHON('python_krb5pac',
source='../../librpc/gen_ndr/py_krb5pac.c',
deps='ndr-krb5pac pytalloc-util pyrpc_util',
realname='samba/dcerpc/krb5pac.so'
)
bld.SAMBA_PYTHON('python_winreg',
source='../../librpc/gen_ndr/py_winreg.c',