search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libsmb: Use reparse_data_buffer_marshall() in py_reparse_put()
[Samba.git] / auth / authn_policy.c
blob5929c0056775be5b60b4275371c3a2a1743c38e4
1 /*
2 Unix SMB/CIFS implementation.
3 Samba Active Directory authentication policy functions
4
5 Copyright (C) Catalyst.Net Ltd 2023
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "lib/replace/replace.h"
22 #include "auth/authn_policy.h"
23 #include "auth/authn_policy_impl.h"
24
25 bool authn_policy_is_enforced(const struct authn_policy *policy)
26 {
27 return policy->enforced;
28 }
29
30 /* Authentication policies for Kerberos clients. */
31
32 /* Is an authentication policy enforced? */
33 bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
34 {
35 return authn_policy_is_enforced(&policy->policy);
36 }
37
38 /* Get the raw TGT lifetime enforced by an authentication policy. */
39 int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
40 {
41 if (policy == NULL) {
42 return 0;
43 }
44
45 if (!authn_policy_is_enforced(&policy->policy)) {
46 return 0;
47 }
48
49 return policy->tgt_lifetime_raw;
50 }
51
52 /* Auditing information. */
53
54 enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
55 {
56 bool is_enforced;
57
58 if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
59 /* We didn’t get an error. */
60 return AUTH_EVT_ID_NONE;
61 }
62
63 if (audit_info->policy == NULL) {
64 /*
65 * We got an error, but there’s no policy, so it must have
66 * stemmed from something else.
67 */
68 return AUTH_EVT_ID_NONE;
69 }
70
71 is_enforced = authn_policy_is_enforced(audit_info->policy);
72
73 switch (audit_info->event) {
74 case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
75 if (is_enforced) {
76 return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION;
77 }
78
79 return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;
80
81 case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
82 if (is_enforced) {
83 return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION;
84 }
85
86 return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;
87
88 case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
89 if (is_enforced) {
90 return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION;
91 }
92
93 /* No relevant event ID. */
94 break;
95
96 case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
97 case AUTHN_AUDIT_EVENT_OTHER_ERROR:
98 default:
99 /* No relevant event ID. */
100 break;
101 }
102
103 return AUTH_EVT_ID_NONE;
104 }
105
106 const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info)
107 {
108 if (audit_info->policy == NULL) {
109 return NULL;
110 }
111
112 return audit_info->policy->silo_name;
113 }
114
115 const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info)
116 {
117 if (audit_info->policy == NULL) {
118 return NULL;
119 }
120
121 return audit_info->policy->policy_name;
122 }
123
124 const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info)
125 {
126 if (audit_info->policy == NULL) {
127 return NULL;
128 }
129
130 return &audit_info->policy->enforced;
131 }
132
133 const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info)
134 {
135 return audit_info->client_info;
136 }
137
138 const char *authn_audit_info_event(const struct authn_audit_info *audit_info)
139 {
140 switch (audit_info->event) {
141 case AUTHN_AUDIT_EVENT_OK:
142 return "OK";
143 case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
144 return "KERBEROS_DEVICE_RESTRICTION";
145 case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
146 return "KERBEROS_SERVER_RESTRICTION";
147 case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
148 return "NTLM_DEVICE_RESTRICTION";
149 case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
150 return "NTLM_SERVER_RESTRICTION";
151 case AUTHN_AUDIT_EVENT_OTHER_ERROR:
152 default:
153 return "OTHER_ERROR";
154 }
155 }
156
157 const char *authn_audit_info_reason(const struct authn_audit_info *audit_info)
158 {
159 switch (audit_info->reason) {
160 case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID:
161 return "DESCRIPTOR_INVALID";
162 case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER:
163 return "DESCRIPTOR_NO_OWNER";
164 case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE:
165 return "SECURITY_TOKEN_FAILURE";
166 case AUTHN_AUDIT_REASON_ACCESS_DENIED:
167 return "ACCESS_DENIED";
168 case AUTHN_AUDIT_REASON_FAST_REQUIRED:
169 return "FAST_REQUIRED";
170 case AUTHN_AUDIT_REASON_NONE:
171 default:
172 return NULL;
173 }
174 }
175
176 NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
177 {
178 return audit_info->policy_status;
179 }
180
181 const char *authn_audit_info_location(const struct authn_audit_info *audit_info)
182 {
183 return audit_info->location;
184 }
185
186 struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
187 {
188 int64_t lifetime;
189
190 if (!audit_info->tgt_lifetime_raw.is_present) {
191 return authn_int64_none();
192 }
193
194 lifetime = audit_info->tgt_lifetime_raw.val;
195 lifetime /= INT64_C(1000) * 1000 * 10 * 60;
196
197 return authn_int64_some(lifetime);
198 }
Samba GIT mirror