source4/kdc/authn_policy_util.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba Active Directory authentication policy utility functions
   4
   5    Copyright (C) Catalyst.Net Ltd 2023
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #ifndef KDC_AUTHN_POLICY_UTIL_H
  22 #define KDC_AUTHN_POLICY_UTIL_H
  23
  24 #include "lib/replace/replace.h"
  25 #include "auth/authn_policy.h"
  26 #include <talloc.h>
  27
  28 struct ldb_context;
  29 struct loadparm_context;
  30 struct ldb_message;
  31
  32 bool authn_policy_silos_and_policies_in_effect(struct ldb_context *samdb);
  33
  34 bool authn_policy_allowed_ntlm_network_auth_in_effect(struct ldb_context *samdb);
  35
  36 /*
  37  * Look up the silo assigned to an account. If one exists, returns its details
  38  * and whether it is enforced or not. ‘silo_attrs’ comprises the attributes to
  39  * include in the search result, the relevant set of which can differ depending
  40  * on the account’s objectClass.
  41  */
  42 int authn_policy_get_assigned_silo(struct ldb_context *samdb,
  43                                    TALLOC_CTX *mem_ctx,
  44                                    const struct ldb_message *msg,
  45                                    const char *const *silo_attrs,
  46                                    const struct ldb_message **silo_msg_out,
  47                                    bool *is_enforced);
  48
  49 struct auth_user_info_dc;
  50
  51 /* Authentication policies for Kerberos clients. */
  52
  53 /*
  54  * Get the applicable authentication policy for an account acting as a Kerberos
  55  * client.
  56  */
  57 int authn_policy_kerberos_client(struct ldb_context *samdb,
  58                                  TALLOC_CTX *mem_ctx,
  59                                  const struct ldb_message *msg,
  60                                  const struct authn_kerberos_client_policy **policy_out);
  61
  62 /*
  63  * Perform an access check for the device with which the client is
  64  * authenticating. ‘device_info’ must be talloc-allocated so that we can make a
  65  * reference to it.
  66  */
  67 NTSTATUS authn_policy_authenticate_from_device(TALLOC_CTX *mem_ctx,
  68                                                struct ldb_context *samdb,
  69                                                struct loadparm_context* lp_ctx,
  70                                                const struct auth_user_info_dc *device_info,
  71                                                const struct authn_kerberos_client_policy *client_policy,
  72                                                struct authn_audit_info **client_audit_info_out);
  73
  74 /* Return whether an authentication policy enforces device restrictions. */
  75 bool authn_policy_device_restrictions_present(const struct authn_kerberos_client_policy *policy);
  76
  77 /* Authentication policies for NTLM clients. */
  78
  79 struct authn_ntlm_client_policy;
  80
  81 /*
  82  * Get the applicable authentication policy for an account acting as an NTLM
  83  * client.
  84  */
  85 int authn_policy_ntlm_client(struct ldb_context *samdb,
  86                              TALLOC_CTX *mem_ctx,
  87                              const struct ldb_message *msg,
  88                              const struct authn_ntlm_client_policy **policy_out);
  89
  90 /* Check whether the client is allowed to authenticate using NTLM. */
  91 NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
  92                                                     const struct authn_ntlm_client_policy *client_policy,
  93                                                     struct authn_audit_info **client_audit_info_out);
  94
  95 /* Authentication policies for servers. */
  96
  97 struct authn_server_policy;
  98
  99 /*
 100  * Get the applicable authentication policy for an account acting as a
 101  * server.
 102  */
 103 int authn_policy_server(struct ldb_context *samdb,
 104                         TALLOC_CTX *mem_ctx,
 105                         const struct ldb_message *msg,
 106                         const struct authn_server_policy **policy_out);
 107
 108 /* Return whether an authentication policy enforces restrictions. */
 109 bool authn_policy_restrictions_present(const struct authn_server_policy *policy);
 110
 111 enum authn_policy_auth_type {
 112         AUTHN_POLICY_AUTH_TYPE_KERBEROS,
 113         AUTHN_POLICY_AUTH_TYPE_NTLM,
 114 };
 115
 116 /*
 117  * Perform an access check for the client attempting to authenticate to the
 118  * server. ‘user_info’ must be talloc-allocated so that we can make a reference
 119  * to it.
 120  */
 121 NTSTATUS authn_policy_authenticate_to_service(TALLOC_CTX *mem_ctx,
 122                                               struct ldb_context *samdb,
 123                                               struct loadparm_context* lp_ctx,
 124                                               enum authn_policy_auth_type auth_type,
 125                                               const struct auth_user_info_dc *user_info,
 126                                               const struct authn_server_policy *server_policy,
 127                                               struct authn_audit_info **server_audit_info_out);
 128
 129 /* Create a structure containing auditing information. */
 130 NTSTATUS _authn_kerberos_client_policy_audit_info(
 131         TALLOC_CTX *mem_ctx,
 132         const struct authn_kerberos_client_policy *client_policy,
 133         const struct auth_user_info_dc *client_info,
 134         enum authn_audit_event event,
 135         enum authn_audit_reason reason,
 136         NTSTATUS policy_status,
 137         const char *location,
 138         struct authn_audit_info **audit_info_out);
 139
 140 /* Create a structure containing auditing information. */
 141 #define authn_kerberos_client_policy_audit_info( \
 142         mem_ctx, \
 143         policy, \
 144         client_info, \
 145         event, \
 146         reason, \
 147         policy_status, \
 148         audit_info_out) \
 149         _authn_kerberos_client_policy_audit_info( \
 150                 mem_ctx, \
 151                 policy, \
 152                 client_info, \
 153                 event, \
 154                 reason, \
 155                 policy_status, \
 156                 __location__, \
 157                 audit_info_out)
 158
 159 /* Create a structure containing auditing information. */
 160 NTSTATUS _authn_ntlm_client_policy_audit_info(
 161         TALLOC_CTX *mem_ctx,
 162         const struct authn_ntlm_client_policy *policy,
 163         const struct auth_user_info_dc *client_info,
 164         enum authn_audit_event event,
 165         enum authn_audit_reason reason,
 166         NTSTATUS policy_status,
 167         const char *location,
 168         struct authn_audit_info **audit_info_out);
 169
 170 /* Create a structure containing auditing information. */
 171 #define authn_ntlm_client_policy_audit_info( \
 172         mem_ctx, \
 173         policy, \
 174         client_info, \
 175         event, \
 176         reason, \
 177         policy_status, \
 178         audit_info_out) \
 179         _authn_ntlm_client_policy_audit_info( \
 180                 mem_ctx, \
 181                 policy, \
 182                 client_info, \
 183                 event, \
 184                 reason, \
 185                 policy_status, \
 186                 __location__, \
 187                 audit_info_out)
 188
 189 /* Create a structure containing auditing information. */
 190 NTSTATUS _authn_server_policy_audit_info(
 191         TALLOC_CTX *mem_ctx,
 192         const struct authn_server_policy *policy,
 193         const struct auth_user_info_dc *client_info,
 194         enum authn_audit_event event,
 195         enum authn_audit_reason reason,
 196         NTSTATUS policy_status,
 197         const char *location,
 198         struct authn_audit_info **audit_info_out);
 199
 200 /* Create a structure containing auditing information. */
 201 #define authn_server_policy_audit_info( \
 202         mem_ctx, \
 203         policy, \
 204         client_info, \
 205         event, \
 206         reason, \
 207         policy_status, \
 208         audit_info_out) \
 209         _authn_server_policy_audit_info( \
 210                 mem_ctx, \
 211                 policy, \
 212                 client_info, \
 213                 event, \
 214                 reason, \
 215                 policy_status, \
 216                 __location__, \
 217                 audit_info_out)
 218
 219 #endif