s4:kdc: Add functions to create structures of auditing information for authentication policies

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/authn_policy.h

@@ -41,6 +41,8 @@ NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_n
 						    const char *device_account_name,
 						    const struct authn_ntlm_client_policy *client_policy);
 
+struct authn_audit_info;
+
 enum authn_audit_event {
 	AUTHN_AUDIT_EVENT_OK = 0,
 	AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION,

source4/kdc/authn_policy_util.c

@@ -417,6 +417,124 @@ out:
 	return ret;
 }
 
+/*
+ * Reference an existing authentication policy onto a talloc context, returning
+ * ‘true’ on success.
+ */
+static bool authn_policy_ref(TALLOC_CTX *mem_ctx,
+			     struct authn_policy *policy_out,
+			     const struct authn_policy *policy)
+{
+	const char *silo_name = NULL;
+	const char *policy_name = NULL;
+
+	if (policy->silo_name != NULL) {
+		silo_name = talloc_strdup(mem_ctx, policy->silo_name);
+		if (silo_name == NULL) {
+			return false;
+		}
+	}
+
+	if (policy->policy_name != NULL) {
+		policy_name = talloc_strdup(mem_ctx, policy->policy_name);
+		if (policy_name == NULL) {
+			/*
+			 * We can’t free ‘silo_name’ here, as it is declared
+			 * const. It will be freed with the parent context.
+			 */
+			return false;
+		}
+	}
+
+	*policy_out = (struct authn_policy) {
+		.silo_name = silo_name,
+		.policy_name = policy_name,
+		.enforced = policy->enforced,
+	};
+
+	return true;
+}
+
+/* Create a structure containing auditing information. */
+static NTSTATUS _authn_policy_audit_info(TALLOC_CTX *mem_ctx,
+					 const struct authn_policy *policy,
+					 const struct authn_int64_optional tgt_lifetime_raw,
+					 const struct auth_user_info_dc *client_info,
+					 const enum authn_audit_event event,
+					 const enum authn_audit_reason reason,
+					 const NTSTATUS policy_status,
+					 const char *location,
+					 struct authn_audit_info **audit_info_out)
+{
+	struct authn_audit_info *audit_info = NULL;
+	bool ok;
+
+	if (audit_info_out == NULL) {
+		return NT_STATUS_OK;
+	}
+
+	audit_info = talloc_zero(mem_ctx, struct authn_audit_info);
+	if (audit_info == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (client_info != NULL) {
+		/*
+		 * Keep a reference to the client’s user information so that it
+		 * is available to be logged later.
+		 */
+		audit_info->client_info = talloc_reference(audit_info, client_info);
+		if (audit_info->client_info == NULL) {
+			talloc_free(audit_info);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	if (policy != NULL) {
+		audit_info->policy = talloc_zero(audit_info, struct authn_policy);
+		if (audit_info->policy == NULL) {
+			talloc_free(audit_info);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		ok = authn_policy_ref(audit_info, audit_info->policy, policy);
+		if (!ok) {
+			talloc_free(audit_info);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	audit_info->event = event;
+	audit_info->reason = reason;
+	audit_info->policy_status = policy_status;
+	audit_info->location = location;
+	audit_info->tgt_lifetime_raw = tgt_lifetime_raw;
+
+	*audit_info_out = audit_info;
+	return NT_STATUS_OK;
+}
+
+/* Create a structure containing auditing information. */
+#define authn_policy_audit_info( \
+	mem_ctx, \
+	policy, \
+	tgt_lifetime_raw, \
+	client_info, \
+	event, \
+	reason, \
+	policy_status, \
+	audit_info_out) \
+	_authn_policy_audit_info( \
+		mem_ctx, \
+		policy, \
+		tgt_lifetime_raw, \
+		client_info, \
+		event, \
+		reason, \
+		policy_status, \
+		__location__, \
+		audit_info_out)
+
 /* Return an authentication policy moved onto a talloc context. */
 static struct authn_policy authn_policy_move(TALLOC_CTX *mem_ctx,
 					     struct authn_policy *policy)
@@ -766,3 +884,89 @@ bool authn_policy_restrictions_present(const struct authn_server_policy *policy)
 {
 	return authn_policy_restrictions(policy) != NULL;
 }
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_kerberos_client_policy_audit_info(
+	TALLOC_CTX *mem_ctx,
+	const struct authn_kerberos_client_policy *client_policy,
+	const struct auth_user_info_dc *client_info,
+	const enum authn_audit_event event,
+	const enum authn_audit_reason reason,
+	const NTSTATUS policy_status,
+	const char *location,
+	struct authn_audit_info **audit_info_out)
+{
+	const struct authn_policy *policy = NULL;
+	struct authn_int64_optional tgt_lifetime_raw = authn_int64_none();
+
+	if (client_policy != NULL) {
+		policy = &client_policy->policy;
+		tgt_lifetime_raw = authn_int64_some(client_policy->tgt_lifetime_raw);
+	}
+
+	return _authn_policy_audit_info(mem_ctx,
+					policy,
+					tgt_lifetime_raw,
+					client_info,
+					event,
+					reason,
+					policy_status,
+					location,
+					audit_info_out);
+}
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_ntlm_client_policy_audit_info(
+	TALLOC_CTX *mem_ctx,
+	const struct authn_ntlm_client_policy *client_policy,
+	const struct auth_user_info_dc *client_info,
+	const enum authn_audit_event event,
+	const enum authn_audit_reason reason,
+	const NTSTATUS policy_status,
+	const char *location,
+	struct authn_audit_info **audit_info_out)
+{
+	const struct authn_policy *policy = NULL;
+
+	if (client_policy != NULL) {
+		policy = &client_policy->policy;
+	}
+
+	return _authn_policy_audit_info(mem_ctx,
+					policy,
+					authn_int64_none() /* tgt_lifetime_raw */,
+					client_info,
+					event,
+					reason,
+					policy_status,
+					location,
+					audit_info_out);
+}
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_server_policy_audit_info(
+	TALLOC_CTX *mem_ctx,
+	const struct authn_server_policy *server_policy,
+	const struct auth_user_info_dc *client_info,
+	const enum authn_audit_event event,
+	const enum authn_audit_reason reason,
+	const NTSTATUS policy_status,
+	const char *location,
+	struct authn_audit_info **audit_info_out)
+{
+	const struct authn_policy *policy = NULL;
+
+	if (server_policy != NULL) {
+		policy = &server_policy->policy;
+	}
+
+	return _authn_policy_audit_info(mem_ctx,
+					policy,
+					authn_int64_none() /* tgt_lifetime_raw */,
+					client_info,
+					event,
+					reason,
+					policy_status,
+					location,
+					audit_info_out);
+}

source4/kdc/authn_policy_util.h

@@ -46,6 +46,8 @@ int authn_policy_get_assigned_silo(struct ldb_context *samdb,
 				   const struct ldb_message **silo_msg_out,
 				   bool *is_enforced);
 
+struct auth_user_info_dc;
+
 /* Authentication policies for Kerberos clients. */
 
 /*
@@ -87,4 +89,94 @@ int authn_policy_server(struct ldb_context *samdb,
 /* Return whether an authentication policy enforces restrictions. */
 bool authn_policy_restrictions_present(const struct authn_server_policy *policy);
 
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_kerberos_client_policy_audit_info(
+	TALLOC_CTX *mem_ctx,
+	const struct authn_kerberos_client_policy *client_policy,
+	const struct auth_user_info_dc *client_info,
+	enum authn_audit_event event,
+	enum authn_audit_reason reason,
+	NTSTATUS policy_status,
+	const char *location,
+	struct authn_audit_info **audit_info_out);
+
+/* Create a structure containing auditing information. */
+#define authn_kerberos_client_policy_audit_info( \
+	mem_ctx, \
+	policy, \
+	client_info, \
+	event, \
+	reason, \
+	policy_status, \
+	audit_info_out) \
+	_authn_kerberos_client_policy_audit_info( \
+		mem_ctx, \
+		policy, \
+		client_info, \
+		event, \
+		reason, \
+		policy_status, \
+		__location__, \
+		audit_info_out)
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_ntlm_client_policy_audit_info(
+	TALLOC_CTX *mem_ctx,
+	const struct authn_ntlm_client_policy *policy,
+	const struct auth_user_info_dc *client_info,
+	enum authn_audit_event event,
+	enum authn_audit_reason reason,
+	NTSTATUS policy_status,
+	const char *location,
+	struct authn_audit_info **audit_info_out);
+
+/* Create a structure containing auditing information. */
+#define authn_ntlm_client_policy_audit_info( \
+	mem_ctx, \
+	policy, \
+	client_info, \
+	event, \
+	reason, \
+	policy_status, \
+	audit_info_out) \
+	_authn_ntlm_client_policy_audit_info( \
+		mem_ctx, \
+		policy, \
+		client_info, \
+		event, \
+		reason, \
+		policy_status, \
+		__location__, \
+		audit_info_out)
+
+/* Create a structure containing auditing information. */
+NTSTATUS _authn_server_policy_audit_info(
+	TALLOC_CTX *mem_ctx,
+	const struct authn_server_policy *policy,
+	const struct auth_user_info_dc *client_info,
+	enum authn_audit_event event,
+	enum authn_audit_reason reason,
+	NTSTATUS policy_status,
+	const char *location,
+	struct authn_audit_info **audit_info_out);
+
+/* Create a structure containing auditing information. */
+#define authn_server_policy_audit_info( \
+	mem_ctx, \
+	policy, \
+	client_info, \
+	event, \
+	reason, \
+	policy_status, \
+	audit_info_out) \
+	_authn_server_policy_audit_info( \
+		mem_ctx, \
+		policy, \
+		client_info, \
+		event, \
+		reason, \
+		policy_status, \
+		__location__, \
+		audit_info_out)
+
 #endif