From c829dd1ba842ecf6196d5645f3f8161a41054f2f Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 27 Sep 2023 14:51:36 +1300
Subject: [PATCH] s4:dsdb: Add parameters for claims and device SIDs to
 security_token_create()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/auth/session.c     |  3 ++
 source4/dsdb/samdb/samdb.c | 80 +++++++++++++++++++++++++++++++++++++-
 source4/dsdb/samdb/samdb.h |  1 +
 3 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/source4/auth/session.c b/source4/auth/session.c
index 9c647f2734a..61e3d7ca021 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -176,6 +176,9 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 					  lp_ctx,
 					  num_sids,
 					  sids,
+					  0 /* num_device_sids */,
+					  NULL /* device_sids */,
+					  (struct auth_claims) {},
 					  session_info_flags,
 					  &security_token);
 	if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index ca3f5d5371e..33cad4b1746 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -29,6 +29,7 @@
 #include <ldb.h>
 #include <ldb_errors.h>
 #include "libcli/security/security.h"
+#include "libcli/security/claims-conversions.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/ldap/ldap_ndr.h"
 #include "system/time.h"
@@ -165,6 +166,9 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 			       struct loadparm_context *lp_ctx,
 			       uint32_t num_sids,
 			       const struct auth_SidAttr *sids,
+			       uint32_t num_device_sids,
+			       const struct auth_SidAttr *device_sids,
+			       struct auth_claims auth_claims,
 			       uint32_t session_info_flags,
 			       struct security_token **token)
 {
@@ -172,6 +176,9 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 	uint32_t i;
 	NTSTATUS status;
 	enum claims_evaluation_control evaluate_claims;
+	bool sids_are_valid = false;
+	bool device_sids_are_valid = false;
+	bool authentication_was_compounded = false;
 
 	/*
 	 * Some special-case callers can't supply the lp_ctx, but do
@@ -222,17 +229,61 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		}
 
 		if (check_sid_idx == ptoken->num_sids) {
+			const struct dom_sid *sid = &sids[i].sid;
+
+			sids_are_valid = sids_are_valid || dom_sid_equal(
+				sid, &global_sid_Claims_Valid);
+			authentication_was_compounded = authentication_was_compounded || dom_sid_equal(
+				sid, &global_sid_Compounded_Authentication);
+
 			ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
 			if (ptoken->sids == NULL) {
 				talloc_free(ptoken);
 				return NT_STATUS_NO_MEMORY;
 			}
 
-			ptoken->sids[ptoken->num_sids] = sids[i].sid;
+			ptoken->sids[ptoken->num_sids] = *sid;
 			ptoken->num_sids++;
 		}
 	}
 
+	if (authentication_was_compounded) {
+		ptoken->device_sids = talloc_array(ptoken, struct dom_sid, num_device_sids);
+		if (ptoken->device_sids == NULL) {
+			talloc_free(ptoken);
+			return NT_STATUS_NO_MEMORY;
+		}
+		for (i = 0; i < num_device_sids; i++) {
+			uint32_t check_sid_idx;
+			for (check_sid_idx = 0;
+			     check_sid_idx < ptoken->num_device_sids;
+			     check_sid_idx++) {
+				if (dom_sid_equal(&ptoken->device_sids[check_sid_idx], &device_sids[i].sid)) {
+					break;
+				}
+			}
+
+			if (check_sid_idx == ptoken->num_device_sids) {
+				const struct dom_sid *device_sid = &device_sids[i].sid;
+
+				device_sids_are_valid = device_sids_are_valid || dom_sid_equal(
+					device_sid, &global_sid_Claims_Valid);
+
+				ptoken->device_sids = talloc_realloc(ptoken,
+								     ptoken->device_sids,
+								     struct dom_sid,
+								     ptoken->num_device_sids + 1);
+				if (ptoken->device_sids == NULL) {
+					talloc_free(ptoken);
+					return NT_STATUS_NO_MEMORY;
+				}
+
+				ptoken->device_sids[ptoken->num_device_sids] = *device_sid;
+				ptoken->num_device_sids++;
+			}
+		}
+	}
+
 	/* The caller may have requested simple privileges, for example if there isn't a local DB */
 	if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
 		/* Shortcuts to prevent recursion and avoid lookups */
@@ -258,6 +309,33 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		}
 	}
 
+	/*
+	 * TODO: we might want to regard ‘session_info_flags’ for the device
+	 * SIDs as well as for the client SIDs.
+	 */
+
+	if (sids_are_valid) {
+		status = claims_data_security_claims(ptoken,
+						     auth_claims.user_claims,
+						     &ptoken->user_claims,
+						     &ptoken->num_user_claims);
+		if (!NT_STATUS_IS_OK(status)) {
+			talloc_free(ptoken);
+			return status;
+		}
+	}
+
+	if (device_sids_are_valid && authentication_was_compounded) {
+		status = claims_data_security_claims(ptoken,
+						     auth_claims.device_claims,
+						     &ptoken->device_claims,
+						     &ptoken->num_device_claims);
+		if (!NT_STATUS_IS_OK(status)) {
+			talloc_free(ptoken);
+			return status;
+		}
+	}
+
 	security_token_debug(0, 10, ptoken);
 
 	*token = ptoken;
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index 7ca6d26f67a..645e95aa628 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -45,6 +45,7 @@ enum dsdb_password_checked {
 #include "librpc/gen_ndr/drsuapi.h"
 #include "librpc/gen_ndr/drsblobs.h"
 #include "dsdb/schema/schema.h"
+#include "auth/session.h"
 #include "dsdb/samdb/samdb_proto.h"
 #include "dsdb/common/dsdb_dn.h"
 #include "dsdb/common/util_links.h"