/*
Unix SMB/CIFS implementation.
Samba Active Directory claims utility functions
Copyright (C) Catalyst.Net Ltd 2023
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see .
*/
#include "lib/replace/replace.h"
#include "lib/util/debug.h"
#include "lib/util/samba_util.h"
#include "source4/kdc/ad_claims.h"
#include "source4/kdc/authn_policy_util.h"
#include "ldb_module.h"
#include "libcli/security/security.h"
#include "libcli/util/werror.h"
#include "dsdb/samdb/samdb.h"
#include "dsdb/samdb/ldb_modules/util.h"
#include "librpc/gen_ndr/claims.h"
#include "librpc/gen_ndr/ndr_claims.h"
#include "librpc/gen_ndr/krb5pac.h"
#include "librpc/gen_ndr/ndr_krb5pac.h"
#include "lzxpress_huffman.h"
#include "lib/util/binsearch.h"
#undef strcasecmp
bool ad_claims_are_issued(struct ldb_context *samdb)
{
/*
* Claims aren’t issued by Samba unless the DC is at
* FL2012. This is to match Windows, which will offer
* this feature as soon as the DC is upgraded.
*/
const int functional_level = dsdb_dc_functional_level(samdb);
return functional_level >= DS_DOMAIN_FUNCTION_2012;
}
static int acl_attr_cmp_fn(const char *a, const char * const *b)
{
return ldb_attr_cmp(a, *b);
}
/*
* Add a single attribute to a list of attributes if it is not already
* present. The list is maintained in case-insensitive sorted order.
*/
static int add_attr_unique(TALLOC_CTX *mem_ctx,
const char **attrs,
unsigned *ad_claim_attrs_count,
const char *attr)
{
const unsigned count = *ad_claim_attrs_count;
const char * const *exact = NULL;
const char * const *next = NULL;
BINARY_ARRAY_SEARCH_GTE(attrs,
count,
attr,
acl_attr_cmp_fn,
exact,
next);
if (exact != NULL) {
/* The attribute is already present; there's nothing to do. */
return LDB_SUCCESS;
}
/* Make sure we don't overflow the array. */
SMB_ASSERT(count < talloc_array_length(attrs));
*ad_claim_attrs_count = count + 1;
if (next == NULL) {
/* Just add the new element on the end. */
attrs[count] = attr;
} else {
/* Shift all following elements over to make room. */
size_t next_idx = next - attrs;
size_t bytes_to_move = (count - next_idx) * sizeof (attrs[0]);
memmove(&attrs[next_idx + 1],
&attrs[next_idx],
bytes_to_move);
attrs[next_idx] = attr;
}
return LDB_SUCCESS;
}
/*
* Return true if a data_blob, interpreted as a string, is equal to another
* string. This is more efficient than strcmp(), particularly when comparing
* against a string constant. This assumes the data_blob's length does not
* include the zero-terminator.
*/
static inline bool data_blob_equals_str(const DATA_BLOB val, const char *str)
{
size_t len = strlen(str);
if (val.length != len) {
return false;
}
return memcmp(val.data, str, len) == 0;
}
static int fill_claim_int64(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct ldb_message_element *principal_attribute,
const struct ldb_val name,
struct CLAIM_INT64 *claim)
{
uint32_t i;
claim->value_count = 0;
claim->values = talloc_array(mem_ctx,
int64_t,
principal_attribute->num_values);
if (claim->values == NULL) {
return ldb_oom(ldb);
}
for (i = 0; i < principal_attribute->num_values; ++i) {
const struct ldb_val *value = &principal_attribute->values[i];
int ret = ldb_val_as_int64(value, &claim->values[i]);
if (ret) {
char buf[1024];
const char *reason = NULL;
int err = strerror_r(ret, buf, sizeof(buf));
if (err == 0) {
reason = buf;
} else {
reason = "Unknown error";
}
DBG_WARNING("Failed to interpret value %s as INT64 "
"while creating claim %s for attribute %s (%s); "
"skipping value\n",
(value->data != NULL) ? (const char *)value->data : "",
name.data, principal_attribute->name,
reason);
continue;
}
++claim->value_count;
}
/* Shrink the array to fit. */
claim->values = talloc_realloc(mem_ctx,
claim->values,
int64_t,
claim->value_count);
if (claim->value_count && claim->values == NULL) {
return ldb_oom(ldb);
}
return LDB_SUCCESS;
}
static int fill_claim_uint64(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct ldb_message_element *principal_attribute,
const struct ldb_val name,
struct CLAIM_UINT64 *claim)
{
uint32_t i;
claim->value_count = 0;
claim->values = talloc_array(mem_ctx,
uint64_t,
principal_attribute->num_values);
if (claim->values == NULL) {
return ldb_oom(ldb);
}
for (i = 0; i < principal_attribute->num_values; ++i) {
const struct ldb_val *value = &principal_attribute->values[i];
int ret = ldb_val_as_uint64(value, &claim->values[i]);
if (ret) {
char buf[1024];
const char *reason = NULL;
int err = strerror_r(ret, buf, sizeof(buf));
if (err == 0) {
reason = buf;
} else {
reason = "Unknown error";
}
DBG_WARNING("Failed to interpret value %s as UINT64 "
"while creating claim %s for attribute %s (%s); "
"skipping value\n",
(value->data != NULL) ? (const char *)value->data : "",
name.data, principal_attribute->name,
reason);
continue;
}
++claim->value_count;
}
/* Shrink the array to fit. */
claim->values = talloc_realloc(mem_ctx,
claim->values,
uint64_t,
claim->value_count);
if (claim->value_count && claim->values == NULL) {
return ldb_oom(ldb);
}
return LDB_SUCCESS;
}
static int fill_claim_uint64_oid_syntax(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct dsdb_schema *schema,
const struct ldb_message_element *principal_attribute,
const struct ldb_val name,
struct CLAIM_UINT64 *claim)
{
uint32_t i;
claim->value_count = 0;
claim->values = talloc_array(mem_ctx,
uint64_t,
principal_attribute->num_values);
if (claim->values == NULL) {
return ldb_oom(ldb);
}
for (i = 0; i < principal_attribute->num_values; ++i) {
const struct dsdb_class *class_val = NULL;
/*
* OID values for objectClass
* are presented in reverse
* order.
*/
const struct ldb_val *display_name = &principal_attribute->values[
principal_attribute->num_values - 1 - i];
class_val = dsdb_class_by_lDAPDisplayName_ldb_val(schema, display_name);
if (class_val == NULL) {
DBG_WARNING("Failed to look up OID for value %s "
"while creating claim %s for attribute %s; "
"skipping value\n",
(display_name->data != NULL) ? (const char *)display_name->data : "",
name.data, principal_attribute->name);
continue;
}
claim->values[i] = class_val->governsID_id;
++claim->value_count;
}
/* Shrink the array to fit. */
claim->values = talloc_realloc(mem_ctx,
claim->values,
uint64_t,
claim->value_count);
if (claim->value_count && claim->values == NULL) {
return ldb_oom(ldb);
}
return LDB_SUCCESS;
}
static int fill_claim_boolean(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct ldb_message_element *principal_attribute,
const struct ldb_val name,
struct CLAIM_UINT64 *claim)
{
uint32_t i;
claim->value_count = 0;
claim->values = talloc_array(mem_ctx,
uint64_t,
principal_attribute->num_values);
if (claim->values == NULL) {
return ldb_oom(ldb);
}
for (i = 0; i < principal_attribute->num_values; ++i) {
const struct ldb_val *value = &principal_attribute->values[i];
bool val = false;
int ret = ldb_val_as_bool(value, &val);
if (ret) {
char buf[1024];
const char *reason = NULL;
int err = strerror_r(ret, buf, sizeof(buf));
if (err == 0) {
reason = buf;
} else {
reason = "Unknown error";
}
DBG_WARNING("Failed to interpret value %s as BOOL "
"while creating claim %s for attribute %s (%s); "
"skipping value\n",
(value->data != NULL) ? (const char *)value->data : "",
name.data, principal_attribute->name,
reason);
continue;
}
claim->values[i] = val;
++claim->value_count;
}
/* Shrink the array to fit. */
claim->values = talloc_realloc(mem_ctx,
claim->values,
uint64_t,
claim->value_count);
if (claim->value_count && claim->values == NULL) {
return ldb_oom(ldb);
}
return LDB_SUCCESS;
}
static int fill_claim_string(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct ldb_message_element *principal_attribute,
struct CLAIM_STRING *claim)
{
uint32_t i;
claim->value_count = 0;
claim->values = talloc_array(mem_ctx,
const char *,
principal_attribute->num_values);
if (claim->values == NULL) {
return ldb_oom(ldb);
}
for (i = 0; i < principal_attribute->num_values; ++i) {
const char *val = NULL;
const struct ldb_val *v = &principal_attribute->values[i];
if (v == NULL || v->data == NULL) {
continue;
}
val = talloc_strndup(claim->values,
(const char *)v->data,
v->length);
if (val == NULL) {
return ldb_oom(ldb);
}
claim->values[i] = val;
++claim->value_count;
}
/* Shrink the array to fit. */
claim->values = talloc_realloc(mem_ctx,
claim->values,
const char *,
claim->value_count);
if (claim->value_count && claim->values == NULL) {
return ldb_oom(ldb);
}
return LDB_SUCCESS;
}
static int fill_claim_string_sec_desc_syntax(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct ldb_message_element *principal_attribute,
struct CLAIM_STRING *claim)
{
TALLOC_CTX *tmp_ctx = NULL;
const struct dom_sid *domain_sid = NULL;
uint32_t i;
claim->value_count = 0;
claim->values = talloc_array(mem_ctx,
const char *,
principal_attribute->num_values);
if (claim->values == NULL) {
return ldb_oom(ldb);
}
domain_sid = samdb_domain_sid(ldb);
if (domain_sid == NULL) {
return ldb_oom(ldb);
}
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
for (i = 0; i < principal_attribute->num_values; ++i) {
const struct ldb_val *v = &principal_attribute->values[i];
enum ndr_err_code ndr_err;
struct security_descriptor desc = {};
const char *sddl = NULL;
if (v == NULL || v->data == NULL) {
continue;
}
ndr_err = ndr_pull_struct_blob(v,
tmp_ctx,
&desc,
(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
DBG_ERR("security_descriptor pull failed: %s\n",
nt_errstr(nt_status));
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
sddl = sddl_encode(mem_ctx,
&desc,
domain_sid);
if (sddl == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
claim->values[i] = sddl;
++claim->value_count;
}
talloc_free(tmp_ctx);
/* Shrink the array to fit. */
claim->values = talloc_realloc(mem_ctx,
claim->values,
const char *,
claim->value_count);
if (claim->value_count && claim->values == NULL) {
return ldb_oom(ldb);
}
return LDB_SUCCESS;
}
static int fill_claim_entry(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct dsdb_schema *schema,
const struct ldb_message_element *principal_attribute,
const struct ldb_val name,
const DATA_BLOB syntax,
enum CLAIM_TYPE claim_type,
struct CLAIM_ENTRY *claim_entry)
{
claim_entry->id = talloc_strndup(mem_ctx,
(const char *)name.data,
name.length);
if (claim_entry->id == NULL) {
return ldb_oom(ldb);
}
claim_entry->type = claim_type;
switch (claim_type) {
case CLAIM_TYPE_INT64:
return fill_claim_int64(mem_ctx,
ldb,
principal_attribute,
name,
&claim_entry->values.claim_int64);
case CLAIM_TYPE_UINT64:
if (syntax.data != NULL && data_blob_equals_str(syntax, "2.5.5.2")) {
return fill_claim_uint64_oid_syntax(mem_ctx,
ldb,
schema,
principal_attribute,
name,
&claim_entry->values.claim_uint64);
} else {
return fill_claim_uint64(mem_ctx,
ldb,
principal_attribute,
name,
&claim_entry->values.claim_uint64);
}
case CLAIM_TYPE_BOOLEAN:
return fill_claim_boolean(mem_ctx,
ldb,
principal_attribute,
name,
&claim_entry->values.claim_boolean);
case CLAIM_TYPE_STRING:
default:
if (syntax.data != NULL && data_blob_equals_str(syntax, "2.5.5.15")) {
return fill_claim_string_sec_desc_syntax(mem_ctx,
ldb,
principal_attribute,
&claim_entry->values.claim_string);
} else {
return fill_claim_string(mem_ctx,
ldb,
principal_attribute,
&claim_entry->values.claim_string);
}
}
}
/*
* Determine whether a claim applies to the most specific objectClass of the
* principal.
*/
static int claim_applies_to_class(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct dsdb_schema *schema,
const struct ldb_message *claim_msg,
const uint32_t principal_class_id,
bool *applies)
{
struct ldb_message_element *applies_to_class = NULL;
unsigned i;
applies_to_class = ldb_msg_find_element(claim_msg,
"msDS-ClaimTypeAppliesToClass");
if (applies_to_class == NULL) {
*applies = false;
return LDB_SUCCESS;
}
for (i = 0; i < applies_to_class->num_values; ++i) {
struct ldb_dn *class_dn = NULL;
const struct dsdb_class *class_val = NULL;
const struct ldb_val *class_rdn = NULL;
class_dn = ldb_dn_from_ldb_val(mem_ctx,
ldb,
&applies_to_class->values[i]);
if (class_dn == NULL) {
return ldb_oom(ldb);
}
class_rdn = ldb_dn_get_rdn_val(class_dn);
if (class_rdn == NULL) {
TALLOC_FREE(class_dn);
continue;
}
class_val = dsdb_class_by_cn_ldb_val(schema, class_rdn);
TALLOC_FREE(class_dn);
if (class_val == NULL) {
continue;
}
if (class_val->governsID_id == principal_class_id) {
*applies = true;
return LDB_SUCCESS;
}
}
*applies = false;
return LDB_SUCCESS;
}
struct assigned_silo {
const char *name;
bool is_initialised;
bool is_assigned;
};
static struct assigned_silo new_assigned_silo(void)
{
return (struct assigned_silo) {
.name = NULL,
.is_initialised = false,
.is_assigned = false,
};
}
static bool silo_is_maybe_assigned(struct assigned_silo silo)
{
return !silo.is_initialised || silo.is_assigned;
}
static int get_assigned_silo(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_message *principal,
struct assigned_silo *assigned_silo)
{
TALLOC_CTX *tmp_ctx = NULL;
int ret;
const struct ldb_message *silo_msg = NULL;
static const char * const silo_attrs[] = {
"msDS-AuthNPolicySiloEnforced",
"msDS-AuthNPolicySiloMembers",
"name",
NULL
};
bool is_silo_enforced = false;
const char *silo_name = NULL;
if (assigned_silo->is_initialised) {
return LDB_SUCCESS;
}
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
if (!authn_policy_silos_and_policies_in_effect(ldb)) {
/* No assigned silo. */
assigned_silo->is_assigned = false;
assigned_silo->is_initialised = true;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/* Check whether the user is assigned to an enforced silo. */
ret = authn_policy_get_assigned_silo(ldb,
tmp_ctx,
principal,
silo_attrs,
&silo_msg,
&is_silo_enforced);
if (ret) {
talloc_free(tmp_ctx);
return ret;
}
if (silo_msg == NULL || !is_silo_enforced) {
/* No assigned silo. */
assigned_silo->is_assigned = false;
assigned_silo->is_initialised = true;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/* The user does belong to a silo, so return the name of the silo. */
silo_name = ldb_msg_find_attr_as_string(silo_msg,
"name",
NULL);
assigned_silo->name = talloc_steal(mem_ctx, silo_name);
assigned_silo->is_assigned = true;
assigned_silo->is_initialised = true;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
static inline struct ldb_val talloc_steal_ldb_val(TALLOC_CTX *mem_ctx, struct ldb_val val)
{
val.data = talloc_steal(mem_ctx, val.data);
return val;
}
static uint32_t claim_get_value_count(const struct CLAIM_ENTRY *claim)
{
switch (claim->type) {
case CLAIM_TYPE_INT64:
return claim->values.claim_int64.value_count;
case CLAIM_TYPE_UINT64:
return claim->values.claim_uint64.value_count;
case CLAIM_TYPE_STRING:
return claim->values.claim_string.value_count;
case CLAIM_TYPE_BOOLEAN:
return claim->values.claim_boolean.value_count;
}
smb_panic(__location__ ": unknown claim type");
return 0;
}
static NTSTATUS encode_claims_set(TALLOC_CTX *mem_ctx,
struct CLAIMS_SET *claims_set,
DATA_BLOB *claims_blob)
{
TALLOC_CTX *tmp_ctx = NULL;
enum ndr_err_code ndr_err;
struct CLAIMS_SET_NDR *claims_set_info = NULL;
struct CLAIMS_SET_METADATA *metadata = NULL;
struct CLAIMS_SET_METADATA_NDR *metadata_ndr = NULL;
if (claims_blob == NULL) {
return NT_STATUS_INVALID_PARAMETER_3;
}
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
metadata_ndr = talloc_zero(tmp_ctx, struct CLAIMS_SET_METADATA_NDR);
if (metadata_ndr == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
metadata = talloc_zero(metadata_ndr, struct CLAIMS_SET_METADATA);
if (metadata == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
claims_set_info = talloc_zero(metadata, struct CLAIMS_SET_NDR);
if (claims_set_info == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
metadata_ndr->claims.metadata = metadata;
metadata->claims_set = claims_set_info;
metadata->compression_format = CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF;
claims_set_info->claims.claims = claims_set;
ndr_err = ndr_push_struct_blob(claims_blob, mem_ctx, metadata_ndr,
(ndr_push_flags_fn_t)ndr_push_CLAIMS_SET_METADATA_NDR);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
DBG_ERR("CLAIMS_SET_METADATA_NDR push failed: %s\n",
nt_errstr(nt_status));
talloc_free(tmp_ctx);
return nt_status;
}
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
static bool is_schema_dn(struct ldb_dn *dn,
struct ldb_dn *schema_dn)
{
if (ldb_dn_get_comp_num(dn) != (ldb_dn_get_comp_num(schema_dn) + 1)) {
return false;
}
return ldb_dn_compare_base(schema_dn, dn) == 0;
}
static bool is_valid_claim_attribute_syntax(const DATA_BLOB source_syntax,
uint64_t claim_value_type)
{
switch (claim_value_type) {
case CLAIM_TYPE_STRING:
if (data_blob_equals_str(source_syntax, "2.5.5.1")) {
return true;
}
if (data_blob_equals_str(source_syntax, "2.5.5.12")) {
return true;
}
if (data_blob_equals_str(source_syntax, "2.5.5.15")) {
return true;
}
break;
case CLAIM_TYPE_UINT64:
if (data_blob_equals_str(source_syntax, "2.5.5.2")) {
return true;
}
break;
case CLAIM_TYPE_INT64:
if (data_blob_equals_str(source_syntax, "2.5.5.9")) {
return true;
}
if (data_blob_equals_str(source_syntax, "2.5.5.16")) {
return true;
}
break;
case CLAIM_TYPE_BOOLEAN:
/* Note: MS-ADTS has a typo (2.2.5.8 instead of 2.5.5.8) */
if (data_blob_equals_str(source_syntax, "2.5.5.8")) {
return true;
}
break;
default:
break;
}
return false;
}
static int get_all_claims(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_message *principal,
uint32_t principal_class_id,
struct CLAIMS_SET **claims_set_out)
{
TALLOC_CTX *tmp_ctx = NULL;
const struct dsdb_schema *schema = NULL;
struct ldb_dn *claim_config_container = NULL;
struct ldb_dn *claim_types_child = NULL;
struct ldb_dn *config_dn = ldb_get_config_basedn(ldb);
struct ldb_dn *schema_dn = ldb_get_schema_basedn(ldb);
bool ok;
int ret;
struct ldb_result *res = NULL;
static const char * const attrs[] = {
"Enabled",
"msDS-ClaimAttributeSource",
"msDS-ClaimSource",
"msDS-ClaimSourceType",
"msDS-ClaimTypeAppliesToClass",
"msDS-ClaimValueType",
"name",
NULL
};
const char **ad_claim_attrs = NULL;
unsigned int ad_claim_attrs_count;
struct ad_claim_info {
struct ldb_val name;
DATA_BLOB syntax;
const char *attribute;
enum CLAIM_TYPE claim_type;
} *ad_claims = NULL;
unsigned ad_claims_count;
unsigned i;
/* The structure which we'll use to build up the claims. */
struct CLAIMS_SET *claims_set = NULL;
struct CLAIMS_ARRAY *ad_sourced_constructed = NULL;
struct assigned_silo assigned_silo = new_assigned_silo();
*claims_set_out = NULL;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
claims_set = talloc_zero(tmp_ctx, struct CLAIMS_SET);
if (claims_set == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
schema = dsdb_get_schema(ldb, tmp_ctx);
if (schema == NULL) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
/* Get the DN of the claims container. */
claim_config_container = ldb_dn_copy(tmp_ctx, config_dn);
if (claim_config_container == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
claim_types_child = ldb_dn_new(tmp_ctx, ldb,
"CN=Claim Types,CN=Claims Configuration,CN=Services");
if (claim_types_child == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ok = ldb_dn_add_child(claim_config_container, claim_types_child);
TALLOC_FREE(claim_types_child);
if (!ok) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
/* Search for the claims container's children. */
ret = ldb_search(ldb, tmp_ctx, &res,
claim_config_container,
LDB_SCOPE_ONELEVEL,
attrs, NULL);
if (ret) {
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
ret = LDB_SUCCESS;
}
talloc_free(tmp_ctx);
return ret;
}
/*
* Allocate enough space for all AD claim attributes, followed by space
* for a NULL marker (so it can be passed as the attributes filter to an
* LDB search).
*/
ad_claim_attrs = talloc_array(tmp_ctx,
const char *,
res->count + 1);
if (ad_claim_attrs == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ad_claims = talloc_array(tmp_ctx,
struct ad_claim_info,
res->count);
if (ad_claims == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ad_claims_count = ad_claim_attrs_count = 0;
/* Loop through each child of the claims container. */
for (i = 0; i < res->count; ++i) {
bool claim_applies = false;
int enabled;
uint64_t claim_value_type;
const char *claim_source_type = NULL;
const struct ldb_val *claim_attribute_source = NULL;
const char *claim_source = NULL;
/*
* Does this claim apply to the most specific objectClass of the
* principal?
*/
ret = claim_applies_to_class(tmp_ctx,
ldb,
schema,
res->msgs[i],
principal_class_id,
&claim_applies);
if (ret) {
talloc_free(tmp_ctx);
return ret;
}
if (!claim_applies) {
/* If the claim doesn't apply, skip it. */
continue;
}
enabled = ldb_msg_find_attr_as_bool(res->msgs[i], "Enabled", 0);
if (!enabled) {
/* If the claim isn't enabled, skip it. */
continue;
}
claim_value_type = ldb_msg_find_attr_as_uint64(res->msgs[i],
"msDS-ClaimValueType",
0);
if (!claim_value_type) {
continue;
}
claim_source_type = ldb_msg_find_attr_as_string(res->msgs[i],
"msDS-ClaimSourceType",
"");
/* Get the attribute used by the claim. */
claim_attribute_source = ldb_msg_find_ldb_val(res->msgs[i],
"msDS-ClaimAttributeSource");
claim_source = ldb_msg_find_attr_as_string(res->msgs[i],
"msDS-ClaimSource",
NULL);
if (strcasecmp(claim_source_type, "AD") == 0) {
struct ldb_dn *claim_attribute_source_dn = NULL;
const struct ldb_val *claim_attribute_source_rdn = NULL;
const struct dsdb_attribute *claim_attribute_source_class = NULL;
DATA_BLOB source_syntax;
const char *attribute = NULL;
const struct ldb_val *name = NULL;
if (claim_attribute_source == NULL) {
continue;
}
claim_attribute_source_dn = ldb_val_as_dn(ldb,
tmp_ctx,
claim_attribute_source);
if (claim_attribute_source_dn == NULL) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
if (!is_schema_dn(claim_attribute_source_dn, schema_dn)) {
/* This DN doesn't belong to the schema. */
continue;
}
claim_attribute_source_rdn = ldb_dn_get_rdn_val(claim_attribute_source_dn);
if (claim_attribute_source_rdn == NULL) {
/* No RDN, skip it. */
continue;
}
claim_attribute_source_class = dsdb_attribute_by_cn_ldb_val(schema,
claim_attribute_source_rdn);
claim_attribute_source_rdn = NULL;
TALLOC_FREE(claim_attribute_source_dn);
if (claim_attribute_source_class == NULL) {
continue;
}
source_syntax = data_blob_string_const(claim_attribute_source_class->attributeSyntax_oid);
if (source_syntax.data == NULL) {
continue;
}
if (!is_valid_claim_attribute_syntax(source_syntax, claim_value_type)) {
continue;
}
attribute = claim_attribute_source_class->lDAPDisplayName;
if (attribute == NULL) {
continue;
}
ret = add_attr_unique(tmp_ctx,
ad_claim_attrs,
&ad_claim_attrs_count,
attribute);
if (ret) {
talloc_free(tmp_ctx);
return ret;
}
name = ldb_msg_find_ldb_val(res->msgs[i], "name");
if (name == NULL) {
name = &data_blob_null;
}
ad_claims[ad_claims_count++] = (struct ad_claim_info) {
.name = *name,
.syntax = source_syntax,
.attribute = attribute,
.claim_type = claim_value_type,
};
} else if (silo_is_maybe_assigned(assigned_silo)
&& strcasecmp(claim_source_type, "Constructed") == 0)
{
const struct ldb_val *name = NULL;
struct CLAIM_STRING *claim = NULL;
struct CLAIM_ENTRY *claim_entry = NULL;
const char *claim_value = NULL;
if (claim_attribute_source != NULL) {
continue;
}
if (claim_source != NULL) {
continue;
}
name = ldb_msg_find_ldb_val(res->msgs[i], "name");
if (name == NULL || name->data == NULL) {
continue;
}
/* Does the claim ID match exactly in case? */
if (strcmp((const char *)name->data, "ad://ext/AuthenticationSilo") != 0) {
continue;
}
ret = get_assigned_silo(ldb, tmp_ctx, principal, &assigned_silo);
if (ret) {
talloc_free(tmp_ctx);
return ret;
}
if (!assigned_silo.is_assigned) {
continue;
}
if (ad_sourced_constructed == NULL) {
claims_set->claims_arrays = talloc_realloc(claims_set,
claims_set->claims_arrays,
struct CLAIMS_ARRAY,
claims_set->claims_array_count + 1);
if (claims_set->claims_arrays == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ad_sourced_constructed = &claims_set->claims_arrays[claims_set->claims_array_count++];
*ad_sourced_constructed = (struct CLAIMS_ARRAY) {
.claims_source_type = CLAIMS_SOURCE_TYPE_AD,
};
}
/* Add the claim to the array. */
ad_sourced_constructed->claim_entries = talloc_realloc(
claims_set->claims_arrays,
ad_sourced_constructed->claim_entries,
struct CLAIM_ENTRY,
ad_sourced_constructed->claims_count + 1);
if (ad_sourced_constructed->claim_entries == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
claim_entry = &ad_sourced_constructed->claim_entries[ad_sourced_constructed->claims_count++];
/* Fill in the claim details and return the claim. */
claim_entry->id = "ad://ext/AuthenticationSilo";
claim_entry->type = CLAIM_TYPE_STRING;
claim = &claim_entry->values.claim_string;
claim->value_count = 1;
claim->values = talloc_array(ad_sourced_constructed->claim_entries,
const char *,
claim->value_count);
if (claim->values == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
claim_value = talloc_strdup(claim->values, assigned_silo.name);
if (claim_value == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
claim->values[0] = claim_value;
}
}
if (ad_claims_count) {
struct ldb_message *principal_msg = NULL;
/* Shrink the arrays to remove any unused space. */
ad_claim_attrs = talloc_realloc(tmp_ctx,
ad_claim_attrs,
const char *,
ad_claim_attrs_count + 1);
if (ad_claim_attrs == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ad_claim_attrs[ad_claim_attrs_count] = NULL;
ad_claims = talloc_realloc(tmp_ctx,
ad_claims,
struct ad_claim_info,
ad_claims_count);
if (ad_claims == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ret = dsdb_search_one(ldb,
tmp_ctx,
&principal_msg,
principal->dn,
LDB_SCOPE_BASE,
ad_claim_attrs,
0,
NULL);
if (ret != LDB_SUCCESS) {
const char *dn = ldb_dn_get_linearized(principal->dn);
DBG_ERR("Failed to find principal %s to construct claims\n",
dn != NULL ? dn : "");
talloc_free(tmp_ctx);
return ret;
}
/*
* Ensure that only the attrs we asked for end up in the results
* (it's fine if some are missing)
*/
SMB_ASSERT(principal_msg->num_elements <= ad_claim_attrs_count);
for (i = 0; i < ad_claims_count; ++i) {
const struct ldb_message_element *principal_attribute = NULL;
struct CLAIM_ENTRY *claim_entry = NULL;
uint32_t new_claims_array_count = claims_set->claims_array_count;
/* Get the value of the claim attribute for the principal. */
principal_attribute = ldb_msg_find_element(principal_msg,
ad_claims[i].attribute);
if (principal_attribute == NULL) {
continue;
}
/* Add the claim to the array. */
if (ad_sourced_constructed == NULL) {
claims_set->claims_arrays = talloc_realloc(claims_set,
claims_set->claims_arrays,
struct CLAIMS_ARRAY,
new_claims_array_count + 1);
if (claims_set->claims_arrays == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ad_sourced_constructed = &claims_set->claims_arrays[new_claims_array_count++];
*ad_sourced_constructed = (struct CLAIMS_ARRAY) {
.claims_source_type = CLAIMS_SOURCE_TYPE_AD,
};
}
ad_sourced_constructed->claim_entries = talloc_realloc(
claims_set->claims_arrays,
ad_sourced_constructed->claim_entries,
struct CLAIM_ENTRY,
ad_sourced_constructed->claims_count + 1);
if (ad_sourced_constructed->claim_entries == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
claim_entry = &ad_sourced_constructed->claim_entries[
ad_sourced_constructed->claims_count];
ret = fill_claim_entry(ad_sourced_constructed->claim_entries,
ldb,
schema,
principal_attribute,
ad_claims[i].name,
ad_claims[i].syntax,
ad_claims[i].claim_type,
claim_entry);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
if (claim_get_value_count(claim_entry) > 0) {
/*
* If the claim contains values, add it to the
* array(s).
*/
++ad_sourced_constructed->claims_count;
claims_set->claims_array_count = new_claims_array_count;
}
}
}
if (claims_set->claims_array_count) {
*claims_set_out = talloc_steal(mem_ctx, claims_set);
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
int get_claims_set_for_principal(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_message *principal,
struct CLAIMS_SET **claims_set_out)
{
struct ldb_message_element *principal_class_el = NULL;
struct dsdb_schema *schema = NULL;
const struct dsdb_class *principal_class = NULL;
*claims_set_out = NULL;
if (!ad_claims_are_issued(ldb)) {
return LDB_SUCCESS;
}
principal_class_el = ldb_msg_find_element(principal,
"objectClass");
if (principal_class_el == NULL) {
return ldb_operr(ldb);
}
schema = dsdb_get_schema(ldb, mem_ctx);
if (schema == NULL) {
return ldb_operr(ldb);
}
principal_class = dsdb_get_last_structural_class(schema, principal_class_el);
if (principal_class == NULL) {
return ldb_operr(ldb);
}
return get_all_claims(ldb,
mem_ctx,
principal,
principal_class->governsID_id,
claims_set_out);
}
int get_claims_blob_for_principal(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_message *principal,
DATA_BLOB *claims_blob_out)
{
struct CLAIMS_SET *claims_set = NULL;
int ret;
NTSTATUS status;
*claims_blob_out = data_blob_null;
ret = get_claims_set_for_principal(ldb,
mem_ctx,
principal,
&claims_set);
if (ret) {
return ret;
}
if (claims_set == NULL) {
return LDB_SUCCESS;
}
/* Encode the claims ready to go into a PAC buffer. */
status = encode_claims_set(mem_ctx, claims_set, claims_blob_out);
if (!NT_STATUS_IS_OK(status)) {
ret = LDB_ERR_OPERATIONS_ERROR;
talloc_free(claims_set);
}
return ret;
}