1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/source4/auth/session.h
Joseph Sutton 3e5aba62ec s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims
Having the lifetime of the encoded claims be tied in a predictable
fashion to a caller‐controlled memory context is less prone to error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00

153 lines
5.7 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Unix SMB/CIFS implementation.
Process and provide the logged on user's authorization token
Copyright (C) Andrew Bartlett 2001
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _SAMBA_AUTH_SESSION_H
#define _SAMBA_AUTH_SESSION_H
#include "lib/util/data_blob.h"
#include "librpc/gen_ndr/security.h"
#include "libcli/util/werror.h"
#include "lib/util/time.h"
#include "librpc/gen_ndr/netlogon.h"
#include "librpc/gen_ndr/auth.h"
struct loadparm_context;
struct tevent_context;
struct ldb_context;
struct ldb_dn;
/* Create a security token for a session SYSTEM (the most
* trusted/privileged account), including the local machine account as
* the off-host credentials */
struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ;
enum claims_data_present {
CLAIMS_DATA_ENCODED_CLAIMS_PRESENT = 0x01,
CLAIMS_DATA_CLAIMS_PRESENT = 0x02,
CLAIMS_DATA_SECURITY_CLAIMS_PRESENT = 0x04,
};
struct claims_data {
DATA_BLOB encoded_claims_set;
struct CLAIMS_SET *claims_set;
/*
* These security claims are here treated as only a product — the result
* of conversion from another format — and ought not to be treated as
* authoritative.
*/
struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *security_claims;
uint32_t n_security_claims;
enum claims_data_present flags;
};
struct auth_claims {
struct claims_data *user_claims;
struct claims_data *device_claims;
};
NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
const char *netbios_name,
struct auth_user_info_dc **interim_info);
NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
const struct auth_user_info_dc *user_info_dc,
const struct auth_user_info_dc *device_info_dc,
const struct auth_claims auth_claims,
uint32_t session_info_flags,
struct security_token **_security_token);
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
const struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **session_info);
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **session_info);
struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
struct auth_session_info_transport *session_info_transport,
struct loadparm_context *lp_ctx,
const char **reason);
NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info_transport **transport_out);
/* Produce a session_info for an arbitrary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
* Supply either a principal or a DN
*/
NTSTATUS authsam_get_session_info_principal(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *sam_ctx,
const char *principal,
struct ldb_dn *user_dn,
uint32_t session_info_flags,
struct auth_session_info **session_info);
struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx);
struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct dom_sid *domain_sid);
NTSTATUS encode_claims_set(TALLOC_CTX *mem_ctx,
struct CLAIMS_SET *claims_set,
DATA_BLOB *claims_blob);
/*
* Construct a claims_data structure from a claims blob, such as is found in a
* PAC.
*/
NTSTATUS claims_data_from_encoded_claims_set(TALLOC_CTX *claims_data_ctx,
const DATA_BLOB *encoded_claims_set,
struct claims_data **out);
/*
* Construct a claims_data structure from a tallocallocated claims set, such
* as we might build from searching the database. If this function returns
* successfully, it assumes ownership of the claims set.
*/
NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx,
struct CLAIMS_SET *claims_set,
struct claims_data **out);
/*
* From a claims_data structure, return an encoded claims blob that can be put
* into a PAC.
*/
NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
struct claims_data *claims_data,
DATA_BLOB *encoded_claims_set_out);
/*
* From a claims_data structure, return an array of security claims that can
* be put in a security token for access checks.
*/
NTSTATUS claims_data_security_claims(TALLOC_CTX *mem_ctx,
struct claims_data *claims_data,
struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 **security_claims_out,
uint32_t *n_security_claims_out);
#endif /* _SAMBA_AUTH_SESSION_H */