auth: Add functionality to log client and server policy information

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/auth_log.c

@@ -44,9 +44,9 @@
  * increment the major version.
  */
 #define AUTH_MAJOR 1
-#define AUTH_MINOR 2
+#define AUTH_MINOR 3
 #define AUTHZ_MAJOR 1
-#define AUTHZ_MINOR 1
+#define AUTHZ_MINOR 2
 #define KDC_AUTHZ_MAJOR 1
 #define KDC_AUTHZ_MINOR 0
 
@@ -149,11 +149,15 @@ static void log_authentication_event_json(
 	const char *domain_name,
 	const char *account_name,
 	struct dom_sid *sid,
+	const struct authn_audit_info *client_audit_info,
+	const struct authn_audit_info *server_audit_info,
 	enum event_id_type event_id,
 	int debug_level)
 {
 	struct json_object wrapper = json_empty_object;
 	struct json_object authentication = json_empty_object;
+	struct json_object client_policy = json_null_object();
+	struct json_object server_policy = json_null_object();
 	char logon_id[19];
 	int rc = 0;
 	const char *clientDomain = ui->orig_client.domain_name ?
@@ -285,6 +289,30 @@ static void log_authentication_event_json(
 		goto failure;
 	}
 
+	if (client_audit_info != NULL) {
+		client_policy = json_from_audit_info(client_audit_info);
+		if (json_is_invalid(&client_policy)) {
+			goto failure;
+		}
+	}
+
+	rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy);
+	if (rc != 0) {
+		goto failure;
+	}
+
+	if (server_audit_info != NULL) {
+		server_policy = json_from_audit_info(server_audit_info);
+		if (json_is_invalid(&server_policy)) {
+			goto failure;
+		}
+	}
+
+	rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy);
+	if (rc != 0) {
+		goto failure;
+	}
+
 	wrapper = json_new_object();
 	if (json_is_invalid(&wrapper)) {
 		goto failure;
@@ -327,6 +355,8 @@ static void log_authentication_event_json(
 	json_free(&wrapper);
 	return;
 failure:
+	json_free(&server_policy);
+	json_free(&client_policy);
 	/*
 	 * On a failure authentication will not have been added to wrapper so it
 	 * needs to be freed to avoid a leak.
@@ -365,10 +395,14 @@ static void log_successful_authz_event_json(
 	const char *auth_type,
 	const char *transport_protection,
 	struct auth_session_info *session_info,
+	const struct authn_audit_info *client_audit_info,
+	const struct authn_audit_info *server_audit_info,
 	int debug_level)
 {
 	struct json_object wrapper = json_empty_object;
 	struct json_object authorization = json_empty_object;
+	struct json_object client_policy = json_null_object();
+	struct json_object server_policy = json_null_object();
 	int rc = 0;
 
 	authorization = json_new_object();
@@ -431,6 +465,30 @@ static void log_successful_authz_event_json(
 		goto failure;
 	}
 
+	if (client_audit_info != NULL) {
+		client_policy = json_from_audit_info(client_audit_info);
+		if (json_is_invalid(&client_policy)) {
+			goto failure;
+		}
+	}
+
+	rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy);
+	if (rc != 0) {
+		goto failure;
+	}
+
+	if (server_audit_info != NULL) {
+		server_policy = json_from_audit_info(server_audit_info);
+		if (json_is_invalid(&server_policy)) {
+			goto failure;
+		}
+	}
+
+	rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
+	if (rc != 0) {
+		goto failure;
+	}
+
 	wrapper = json_new_object();
 	if (json_is_invalid(&wrapper)) {
 		goto failure;
@@ -456,6 +514,8 @@ static void log_successful_authz_event_json(
 	json_free(&wrapper);
 	return;
 failure:
+	json_free(&server_policy);
+	json_free(&client_policy);
 	/*
 	 * On a failure authorization will not have been added to wrapper so it
 	 * needs to be freed to avoid a leak.
@@ -490,6 +550,7 @@ static void log_authz_event_json(
 	struct loadparm_context *lp_ctx,
 	const struct tsocket_address *remote,
 	const struct tsocket_address *local,
+	const struct authn_audit_info *server_audit_info,
 	const char *service_description,
 	const char *auth_type,
 	const char *domain_name,
@@ -502,6 +563,7 @@ static void log_authz_event_json(
 {
 	struct json_object wrapper = json_empty_object;
 	struct json_object authorization = json_empty_object;
+	struct json_object server_policy = json_null_object();
 	int rc = 0;
 
 	authorization = json_new_object();
@@ -554,6 +616,18 @@ static void log_authz_event_json(
 		goto failure;
 	}
 
+	if (server_audit_info != NULL) {
+		server_policy = json_from_audit_info(server_audit_info);
+		if (json_is_invalid(&server_policy)) {
+			goto failure;
+		}
+	}
+
+	rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
+	if (rc != 0) {
+		goto failure;
+	}
+
 	wrapper = json_new_object();
 	if (json_is_invalid(&wrapper)) {
 		goto failure;
@@ -579,6 +653,7 @@ static void log_authz_event_json(
 	json_free(&wrapper);
 	return;
 failure:
+	json_free(&server_policy);
 	/*
 	 * On a failure authorization will not have been added to wrapper so it
 	 * needs to be freed to avoid a leak.
@@ -619,6 +694,8 @@ static void log_authentication_event_json(
 	const char *domain_name,
 	const char *account_name,
 	struct dom_sid *sid,
+	const struct authn_audit_info *client_audit_info,
+	const struct authn_audit_info *server_audit_info,
 	enum event_id_type event_id,
 	int debug_level)
 {
@@ -634,6 +711,8 @@ static void log_successful_authz_event_json(
 	const char *auth_type,
 	const char *transport_protection,
 	struct auth_session_info *session_info,
+	const struct authn_audit_info *client_audit_info,
+	const struct authn_audit_info *server_audit_info,
 	int debug_level)
 {
 	log_no_json(msg_ctx, lp_ctx);
@@ -644,6 +723,7 @@ static void log_authz_event_json(
 	struct loadparm_context *lp_ctx,
 	const struct tsocket_address *remote,
 	const struct tsocket_address *local,
+	const struct authn_audit_info *server_audit_info,
 	const char *service_description,
 	const char *auth_type,
 	const char *domain_name,
@@ -813,7 +893,9 @@ void log_authentication_event(
 	NTSTATUS status,
 	const char *domain_name,
 	const char *account_name,
-	struct dom_sid *sid)
+	struct dom_sid *sid,
+	const struct authn_audit_info *client_audit_info,
+	const struct authn_audit_info *server_audit_info)
 {
 	/* set the log level */
 	int debug_level = AUTH_FAILURE_LEVEL;
@@ -845,6 +927,8 @@ void log_authentication_event(
 					      domain_name,
 					      account_name,
 					      sid,
+					      client_audit_info,
+					      server_audit_info,
 					      event_id,
 					      debug_level);
 	}
@@ -918,7 +1002,9 @@ void log_successful_authz_event(
 	const char *service_description,
 	const char *auth_type,
 	const char *transport_protection,
-	struct auth_session_info *session_info)
+	struct auth_session_info *session_info,
+	const struct authn_audit_info *client_audit_info,
+	const struct authn_audit_info *server_audit_info)
 {
 	int debug_level = AUTHZ_SUCCESS_LEVEL;
 
@@ -944,6 +1030,8 @@ void log_successful_authz_event(
 						auth_type,
 						transport_protection,
 						session_info,
+						client_audit_info,
+						server_audit_info,
 						debug_level);
 	}
 }
@@ -959,6 +1047,7 @@ void log_authz_event(
 	struct loadparm_context *lp_ctx,
 	const struct tsocket_address *remote,
 	const struct tsocket_address *local,
+	const struct authn_audit_info *server_audit_info,
 	const char *service_description,
 	const char *auth_type,
 	const char *domain_name,
@@ -980,6 +1069,7 @@ void log_authz_event(
 		log_authz_event_json(msg_ctx, lp_ctx,
 				     remote,
 				     local,
+				     server_audit_info,
 				     service_description,
 				     auth_type,
 				     domain_name,

auth/common_auth.h

@@ -177,6 +177,7 @@ struct auth4_context {
  * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
  * authentication events over the message bus.
  */
+struct authn_audit_info;
 void log_authentication_event(struct imessaging_context *msg_ctx,
 			      struct loadparm_context *lp_ctx,
 			      const struct timeval *start_time,
@@ -184,7 +185,9 @@ void log_authentication_event(struct imessaging_context *msg_ctx,
 			      NTSTATUS status,
 			      const char *domain_name,
 			      const char *account_name,
-			      struct dom_sid *sid);
+			      struct dom_sid *sid,
+			      const struct authn_audit_info *client_audit_info,
+			      const struct authn_audit_info *server_audit_info);
 
 /*
  * Log details of a successful authorization to a service.
@@ -206,7 +209,9 @@ void log_successful_authz_event(struct imessaging_context *msg_ctx,
 				const char *service_description,
 				const char *auth_type,
 				const char *transport_protection,
-				struct auth_session_info *session_info);
+				struct auth_session_info *session_info,
+				const struct authn_audit_info *client_audit_info,
+				const struct authn_audit_info *server_audit_info);
 
 /*
  * Log details of an authorization to a service.
@@ -219,6 +224,7 @@ void log_authz_event(
 	struct loadparm_context *lp_ctx,
 	const struct tsocket_address *remote,
 	const struct tsocket_address *local,
+	const struct authn_audit_info *server_audit_info,
 	const char *service_description,
 	const char *auth_type,
 	const char *domain_name,

auth/gensec/gensec.c

@@ -242,7 +242,9 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
 				   service_description,
 				   final_auth_type,
 				   transport_protection,
-				   session_info);
+				   session_info,
+				   NULL /* client_audit_info */,
+				   NULL /* server_audit_info */);
 }
 
 

python/samba/tests/krb5/authn_policy_tests.py

@@ -59,8 +59,8 @@ HRES_SEC_E_INVALID_TOKEN = 0x80090308
 HRES_SEC_E_LOGON_DENIED = 0x8009030C
 
 
-AUTHN_VERSION = {'major': 1, 'minor': 2}
-AUTHZ_VERSION = {'major': 1, 'minor': 1}
+AUTHN_VERSION = {'major': 1, 'minor': 3}
+AUTHZ_VERSION = {'major': 1, 'minor': 2}
 KDC_AUTHZ_VERSION = {'major': 1, 'minor': 0}
 
 

source3/auth/auth.c

@@ -319,7 +319,9 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 				 nt_status,
 				 server_info->info3->base.logon_domain.string,
 				 server_info->info3->base.account_name.string,
-				 &sid);
+				 &sid,
+				 NULL /* client_audit_info */,
+				 NULL /* server_audit_info */);
 
 	DEBUG(server_info->guest ? 5 : 2,
 	      ("check_ntlm_password:  %sauthentication for user "
@@ -354,7 +356,9 @@ fail:
 				 nt_status,
 				 NULL,
 				 NULL,
-				 NULL);
+				 NULL,
+				 NULL /* client_audit_info */,
+				 NULL /* server_audit_info */);
 
 	ZERO_STRUCTP(pserver_info);
 

source3/auth/auth_generic.c

@@ -549,7 +549,9 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 				   user_info->service_description,
 				   user_info->auth_description,
 				   AUTHZ_TRANSPORT_PROTECTION_SMB,
-				   *session_info);
+				   *session_info,
+				   NULL /* client_audit_info */,
+				   NULL /* server_audit_info */);
 
 	return nt_status;
 }

source3/rpc_server/rpc_server.c

@@ -126,7 +126,9 @@ void dcesrv_log_successful_authz(
 				   "DCE/RPC",
 				   auth_type,
 				   transport_protection,
-				   auth->session_info);
+				   auth->session_info,
+				   NULL /* client_audit_info */,
+				   NULL /* server_audit_info */);
 
 	auth->auth_audited = true;
 

source3/winbindd/winbindd_pam.c

@@ -2178,7 +2178,9 @@ static void log_authentication(
 	    result,
 	    base_info != NULL ? base_info->logon_domain.string : "",
 	    base_info != NULL ? base_info->account_name.string : "",
-	    sid);
+	    sid,
+	    NULL /* client_audit_info */,
+	    NULL /* server_audit_info */);
 	TALLOC_FREE(ui);
 }
 

source4/auth/ntlm/auth.c

@@ -404,7 +404,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 					 state->auth_ctx->lp_ctx,
 					 &state->auth_ctx->start_time,
 					 state->user_info, status,
-					 NULL, NULL, NULL);
+					 NULL, NULL, NULL,
+					 NULL /* client_audit_info */,
+					 NULL /* server_audit_info */);
 		tevent_req_received(req);
 		return status;
 	}
@@ -421,7 +423,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 				 state->user_info, status,
 				 state->user_info_dc->info->domain_name,
 				 state->user_info_dc->info->account_name,
-				 &state->user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid);
+				 &state->user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid,
+				 NULL /* client_audit_info */,
+				 NULL /* server_audit_info */);
 
 	/* Release our handle to state->user_info_dc. */
 	*user_info_dc = talloc_reparent(state, mem_ctx, state->user_info_dc);

source4/auth/ntlm/auth_simple.c

@@ -115,7 +115,9 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
 		log_authentication_event(msg, lp_ctx,
 					 &state->auth_context->start_time,
 					 user_info, status,
-					 NULL, NULL, NULL);
+					 NULL, NULL, NULL,
+					 NULL /* client_audit_info */,
+					 NULL /* server_audit_info */);
 	}
 	if (tevent_req_nterror(req, status)) {
 		return tevent_req_post(req, ev);
@@ -190,7 +192,9 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
 				   "LDAP",
 				   "simple bind",
 				   transport_protection,
-				   state->session_info);
+				   state->session_info,
+				   NULL /* client_audit_info */,
+				   NULL /* server_audit_info */);
 
 	tevent_req_done(req);
 }

source4/dsdb/samdb/ldb_modules/password_hash.c

@@ -3247,7 +3247,9 @@ static int check_password_restrictions_and_log(struct setup_password_fields_io *
 					 status,
 					 domain_name,
 					 io->u.sAMAccountName,
-					 io->u.account_sid);
+					 io->u.account_sid,
+					 NULL /* client_audit_info */,
+					 NULL /* server_audit_info */);
 
 	}
 	return ret;

source4/kdc/hdb-samba4.c

@@ -622,6 +622,7 @@ static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *k
 			kdc_db_ctx->lp_ctx,
 			remote_host,
 			NULL /* local */,
+			NULL /* server_audit_info */,
 			r->sname,
 			"TGS-REQ with Ticket-Granting Ticket",
 			domain_name,
@@ -911,7 +912,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 					 status,
 					 domain_name,
 					 account_name,
-					 sid);
+					 sid,
+					 NULL /* client_audit_info */,
+					 NULL /* server_audit_info */);
 		if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
 			/*
 			 * If we're running under make test
@@ -951,7 +954,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 					 &ui,
 					 NT_STATUS_NO_SUCH_USER,
 					 NULL, NULL,
-					 NULL);
+					 NULL,
+					 NULL /* client_audit_info */,
+					 NULL /* server_audit_info */);
 		TALLOC_FREE(frame);
 		break;
 	}

source4/ldap_server/ldap_backend.c

@@ -1596,7 +1596,9 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
 						   "LDAP",
 						   "no bind",
 						   transport_protection,
-						   call->conn->session_info);
+						   call->conn->session_info,
+						   NULL /* client_audit_info */,
+						   NULL /* server_audit_info */);
 
 			call->conn->authz_logged = true;
 		}

source4/rpc_server/dcerpc_server.c

@@ -667,7 +667,9 @@ void log_successful_dcesrv_authz_event(
 				   "DCE/RPC",
 				   auth_type,
 				   transport_protection,
-				   auth->session_info);
+				   auth->session_info,
+				   NULL /* client_audit_info */,
+				   NULL /* server_audit_info */);
 
 	auth->auth_audited = true;
 }

source4/rpc_server/netlogon/dcerpc_netlogon.c

@@ -839,7 +839,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(
 		status,
 		lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
 		trust_account_in_db,
-		sid);
+		sid,
+		NULL /* client_audit_info */,
+		NULL /* server_audit_info */);
 
 	return status;
 }

source4/rpc_server/samr/samr_password.c

@@ -81,7 +81,9 @@ static void log_password_change_event(struct imessaging_context *msg_ctx,
 				 status,
 				 ui.mapped.domain_name,
 				 ui.mapped.account_name,
-				 sid);
+				 sid,
+				 NULL /* client_audit_info */,
+				 NULL /* server_audit_info */);
 }
 /*
   samr_ChangePasswordUser

source4/smb_server/smb/sesssetup.c

@@ -61,7 +61,9 @@ void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request *req,
 				   "SMB",
 				   "bare-NTLM",
 				   AUTHZ_TRANSPORT_PROTECTION_SMB,
-				   session_info);
+				   session_info,
+				   NULL /* client_audit_info */,
+				   NULL /* server_audit_info */);
 
 	talloc_free(frame);
 	return;