1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:dsdb: Add parameters for claims and device SIDs to security_token_create()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-09-27 14:51:36 +13:00 committed by Joseph Sutton
parent 773c36baa0
commit c829dd1ba8
3 changed files with 83 additions and 1 deletions

View File

@ -176,6 +176,9 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
lp_ctx,
num_sids,
sids,
0 /* num_device_sids */,
NULL /* device_sids */,
(struct auth_claims) {},
session_info_flags,
&security_token);
if (!NT_STATUS_IS_OK(nt_status)) {

View File

@ -29,6 +29,7 @@
#include <ldb.h>
#include <ldb_errors.h>
#include "libcli/security/security.h"
#include "libcli/security/claims-conversions.h"
#include "libcli/auth/libcli_auth.h"
#include "libcli/ldap/ldap_ndr.h"
#include "system/time.h"
@ -165,6 +166,9 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
uint32_t num_sids,
const struct auth_SidAttr *sids,
uint32_t num_device_sids,
const struct auth_SidAttr *device_sids,
struct auth_claims auth_claims,
uint32_t session_info_flags,
struct security_token **token)
{
@ -172,6 +176,9 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
uint32_t i;
NTSTATUS status;
enum claims_evaluation_control evaluate_claims;
bool sids_are_valid = false;
bool device_sids_are_valid = false;
bool authentication_was_compounded = false;
/*
* Some special-case callers can't supply the lp_ctx, but do
@ -222,17 +229,61 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
}
if (check_sid_idx == ptoken->num_sids) {
const struct dom_sid *sid = &sids[i].sid;
sids_are_valid = sids_are_valid || dom_sid_equal(
sid, &global_sid_Claims_Valid);
authentication_was_compounded = authentication_was_compounded || dom_sid_equal(
sid, &global_sid_Compounded_Authentication);
ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
if (ptoken->sids == NULL) {
talloc_free(ptoken);
return NT_STATUS_NO_MEMORY;
}
ptoken->sids[ptoken->num_sids] = sids[i].sid;
ptoken->sids[ptoken->num_sids] = *sid;
ptoken->num_sids++;
}
}
if (authentication_was_compounded) {
ptoken->device_sids = talloc_array(ptoken, struct dom_sid, num_device_sids);
if (ptoken->device_sids == NULL) {
talloc_free(ptoken);
return NT_STATUS_NO_MEMORY;
}
for (i = 0; i < num_device_sids; i++) {
uint32_t check_sid_idx;
for (check_sid_idx = 0;
check_sid_idx < ptoken->num_device_sids;
check_sid_idx++) {
if (dom_sid_equal(&ptoken->device_sids[check_sid_idx], &device_sids[i].sid)) {
break;
}
}
if (check_sid_idx == ptoken->num_device_sids) {
const struct dom_sid *device_sid = &device_sids[i].sid;
device_sids_are_valid = device_sids_are_valid || dom_sid_equal(
device_sid, &global_sid_Claims_Valid);
ptoken->device_sids = talloc_realloc(ptoken,
ptoken->device_sids,
struct dom_sid,
ptoken->num_device_sids + 1);
if (ptoken->device_sids == NULL) {
talloc_free(ptoken);
return NT_STATUS_NO_MEMORY;
}
ptoken->device_sids[ptoken->num_device_sids] = *device_sid;
ptoken->num_device_sids++;
}
}
}
/* The caller may have requested simple privileges, for example if there isn't a local DB */
if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
/* Shortcuts to prevent recursion and avoid lookups */
@ -258,6 +309,33 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
}
}
/*
* TODO: we might want to regard session_info_flags for the device
* SIDs as well as for the client SIDs.
*/
if (sids_are_valid) {
status = claims_data_security_claims(ptoken,
auth_claims.user_claims,
&ptoken->user_claims,
&ptoken->num_user_claims);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(ptoken);
return status;
}
}
if (device_sids_are_valid && authentication_was_compounded) {
status = claims_data_security_claims(ptoken,
auth_claims.device_claims,
&ptoken->device_claims,
&ptoken->num_device_claims);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(ptoken);
return status;
}
}
security_token_debug(0, 10, ptoken);
*token = ptoken;

View File

@ -45,6 +45,7 @@ enum dsdb_password_checked {
#include "librpc/gen_ndr/drsuapi.h"
#include "librpc/gen_ndr/drsblobs.h"
#include "dsdb/schema/schema.h"
#include "auth/session.h"
#include "dsdb/samdb/samdb_proto.h"
#include "dsdb/common/dsdb_dn.h"
#include "dsdb/common/util_links.h"