ctdb: remove unused ctdb->client_ip_list and print debug on ctdb_tcp_list instead
[Samba.git] / auth / authn_policy.c
blob5929c0056775be5b60b4275371c3a2a1743c38e4
1 /*
2 Unix SMB/CIFS implementation.
3 Samba Active Directory authentication policy functions
5 Copyright (C) Catalyst.Net Ltd 2023
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "lib/replace/replace.h"
22 #include "auth/authn_policy.h"
23 #include "auth/authn_policy_impl.h"
25 bool authn_policy_is_enforced(const struct authn_policy *policy)
27 return policy->enforced;
30 /* Authentication policies for Kerberos clients. */
32 /* Is an authentication policy enforced? */
33 bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
35 return authn_policy_is_enforced(&policy->policy);
38 /* Get the raw TGT lifetime enforced by an authentication policy. */
39 int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
41 if (policy == NULL) {
42 return 0;
45 if (!authn_policy_is_enforced(&policy->policy)) {
46 return 0;
49 return policy->tgt_lifetime_raw;
52 /* Auditing information. */
54 enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
56 bool is_enforced;
58 if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
59 /* We didn’t get an error. */
60 return AUTH_EVT_ID_NONE;
63 if (audit_info->policy == NULL) {
65 * We got an error, but there’s no policy, so it must have
66 * stemmed from something else.
68 return AUTH_EVT_ID_NONE;
71 is_enforced = authn_policy_is_enforced(audit_info->policy);
73 switch (audit_info->event) {
74 case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
75 if (is_enforced) {
76 return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION;
79 return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;
81 case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
82 if (is_enforced) {
83 return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION;
86 return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;
88 case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
89 if (is_enforced) {
90 return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION;
93 /* No relevant event ID. */
94 break;
96 case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
97 case AUTHN_AUDIT_EVENT_OTHER_ERROR:
98 default:
99 /* No relevant event ID. */
100 break;
103 return AUTH_EVT_ID_NONE;
106 const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info)
108 if (audit_info->policy == NULL) {
109 return NULL;
112 return audit_info->policy->silo_name;
115 const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info)
117 if (audit_info->policy == NULL) {
118 return NULL;
121 return audit_info->policy->policy_name;
124 const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info)
126 if (audit_info->policy == NULL) {
127 return NULL;
130 return &audit_info->policy->enforced;
133 const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info)
135 return audit_info->client_info;
138 const char *authn_audit_info_event(const struct authn_audit_info *audit_info)
140 switch (audit_info->event) {
141 case AUTHN_AUDIT_EVENT_OK:
142 return "OK";
143 case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
144 return "KERBEROS_DEVICE_RESTRICTION";
145 case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
146 return "KERBEROS_SERVER_RESTRICTION";
147 case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
148 return "NTLM_DEVICE_RESTRICTION";
149 case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
150 return "NTLM_SERVER_RESTRICTION";
151 case AUTHN_AUDIT_EVENT_OTHER_ERROR:
152 default:
153 return "OTHER_ERROR";
157 const char *authn_audit_info_reason(const struct authn_audit_info *audit_info)
159 switch (audit_info->reason) {
160 case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID:
161 return "DESCRIPTOR_INVALID";
162 case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER:
163 return "DESCRIPTOR_NO_OWNER";
164 case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE:
165 return "SECURITY_TOKEN_FAILURE";
166 case AUTHN_AUDIT_REASON_ACCESS_DENIED:
167 return "ACCESS_DENIED";
168 case AUTHN_AUDIT_REASON_FAST_REQUIRED:
169 return "FAST_REQUIRED";
170 case AUTHN_AUDIT_REASON_NONE:
171 default:
172 return NULL;
176 NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
178 return audit_info->policy_status;
181 const char *authn_audit_info_location(const struct authn_audit_info *audit_info)
183 return audit_info->location;
186 struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
188 int64_t lifetime;
190 if (!audit_info->tgt_lifetime_raw.is_present) {
191 return authn_int64_none();
194 lifetime = audit_info->tgt_lifetime_raw.val;
195 lifetime /= INT64_C(1000) * 1000 * 10 * 60;
197 return authn_int64_some(lifetime);