1 /*
2    Unix SMB/CIFS implementation.
3    Samba Active Directory authentication policy functions
4
5    Copyright (C) Catalyst.Net Ltd 2023
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "lib/replace/replace.h"
22 #include "auth/authn_policy.h"
23 #include "auth/authn_policy_impl.h"
24
/*
 * Report whether a policy is in enforcing mode (as opposed to audit-only).
 *
 * 'policy' must be non-NULL; this accessor performs no NULL check, and the
 * callers in this file that may hold a NULL policy test for it first.
 */
bool authn_policy_is_enforced(const struct authn_policy *policy)
{
        const bool enforced = policy->enforced;

        return enforced;
}
29
30 /* Authentication policies for Kerberos clients. */
31
32 /* Is an authentication policy enforced? */
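/*
 * Is an authentication policy enforced?
 *
 * A NULL policy means no policy applies to the client, so nothing is
 * enforced and false is returned.  This mirrors the NULL handling in
 * authn_policy_enforced_tgt_lifetime_raw() and avoids forming
 * '&policy->policy' through a NULL pointer.
 */
bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
{
        if (policy == NULL) {
                return false;
        }

        return authn_policy_is_enforced(&policy->policy);
}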
37
38 /* Get the raw TGT lifetime enforced by an authentication policy. */
/*
 * Get the raw TGT lifetime enforced by an authentication policy.
 *
 * Returns 0 when there is no policy or the policy is not enforced, so that
 * an audit-only policy never shortens a ticket lifetime; otherwise returns
 * the policy's raw lifetime value unchanged.
 */
int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
{
        bool enforced = false;

        if (policy != NULL) {
                enforced = authn_policy_is_enforced(&policy->policy);
        }

        /* Only an enforced policy has a lifetime worth reporting. */
        return enforced ? policy->tgt_lifetime_raw : 0;
}
51
52 /* Auditing information. */
53
/*
 * Map an audit record to the authentication event ID describing it, or
 * AUTH_EVT_ID_NONE when no event ID applies.
 *
 * Only failures that stem from a policy get an event ID.  Where both an
 * enforced and an audit-only ID exist, the policy's mode decides which one
 * is reported; NTLM device restrictions have no audit-only ID.
 */
enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
{
        const struct authn_policy *policy = audit_info->policy;
        bool enforced;

        /* A successful authentication has nothing to report. */
        if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
                return AUTH_EVT_ID_NONE;
        }

        /* An error with no policy behind it came from somewhere else. */
        if (policy == NULL) {
                return AUTH_EVT_ID_NONE;
        }

        enforced = authn_policy_is_enforced(policy);

        switch (audit_info->event) {
        case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
                return enforced
                        ? AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION
                        : AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;

        case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
                return enforced
                        ? AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION
                        : AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;

        case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
                /* There is no audit-only event ID for this case. */
                return enforced
                        ? AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION
                        : AUTH_EVT_ID_NONE;

        case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
        case AUTHN_AUDIT_EVENT_OTHER_ERROR:
        default:
                /* No relevant event ID. */
                return AUTH_EVT_ID_NONE;
        }
}
105
/*
 * Name of the silo the applicable policy belongs to, or NULL when the audit
 * record carries no policy.  The returned string is owned by the policy.
 */
const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info)
{
        const struct authn_policy *policy = audit_info->policy;

        return (policy != NULL) ? policy->silo_name : NULL;
}
114
/*
 * Name of the applicable policy, or NULL when the audit record carries no
 * policy.  The returned string is owned by the policy.
 */
const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info)
{
        const struct authn_policy *policy = audit_info->policy;

        return (policy != NULL) ? policy->policy_name : NULL;
}
123
/*
 * Pointer to the policy's enforced flag, or NULL when the audit record
 * carries no policy.  Returning a pointer lets callers distinguish "no
 * policy" from "policy present but not enforced".  The pointer is only
 * valid for as long as the policy is.
 */
const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info)
{
        const struct authn_policy *policy = audit_info->policy;

        return (policy != NULL) ? &policy->enforced : NULL;
}
132
/*
 * Information about the authenticating client recorded in the audit info.
 * May be NULL if none was recorded; the caller does not own the result.
 */
const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info)
{
        const struct auth_user_info_dc *client_info = audit_info->client_info;

        return client_info;
}
137
/*
 * Human-readable name of the audited event, for logging.
 *
 * Any event not in the table (including AUTHN_AUDIT_EVENT_OTHER_ERROR) is
 * reported as "OTHER_ERROR", so the result is never NULL.
 */
const char *authn_audit_info_event(const struct authn_audit_info *audit_info)
{
        static const struct {
                int event;
                const char *name;
        } event_names[] = {
                { AUTHN_AUDIT_EVENT_OK, "OK" },
                { AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION,
                  "KERBEROS_DEVICE_RESTRICTION" },
                { AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION,
                  "KERBEROS_SERVER_RESTRICTION" },
                { AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION,
                  "NTLM_DEVICE_RESTRICTION" },
                { AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION,
                  "NTLM_SERVER_RESTRICTION" },
        };
        size_t i;

        for (i = 0; i < sizeof(event_names) / sizeof(event_names[0]); i++) {
                if (audit_info->event == event_names[i].event) {
                        return event_names[i].name;
                }
        }

        /* Covers AUTHN_AUDIT_EVENT_OTHER_ERROR and any unknown value. */
        return "OTHER_ERROR";
}
156
/*
 * Human-readable name of the reason recorded for the audited event, for
 * logging.  Returns NULL for AUTHN_AUDIT_REASON_NONE and for any reason the
 * table does not know about.
 */
const char *authn_audit_info_reason(const struct authn_audit_info *audit_info)
{
        static const struct {
                int reason;
                const char *name;
        } reason_names[] = {
                { AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID, "DESCRIPTOR_INVALID" },
                { AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER, "DESCRIPTOR_NO_OWNER" },
                { AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE,
                  "SECURITY_TOKEN_FAILURE" },
                { AUTHN_AUDIT_REASON_ACCESS_DENIED, "ACCESS_DENIED" },
                { AUTHN_AUDIT_REASON_FAST_REQUIRED, "FAST_REQUIRED" },
        };
        size_t i;

        for (i = 0; i < sizeof(reason_names) / sizeof(reason_names[0]); i++) {
                if (audit_info->reason == reason_names[i].reason) {
                        return reason_names[i].name;
                }
        }

        /* AUTHN_AUDIT_REASON_NONE and anything unrecognised have no name. */
        return NULL;
}
175
/*
 * NTSTATUS recorded for the policy check, as stored in the audit record.
 */
NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
{
        NTSTATUS status = audit_info->policy_status;

        return status;
}
180
/*
 * Location string recorded with the audit info (not owned by the caller).
 */
const char *authn_audit_info_location(const struct authn_audit_info *audit_info)
{
        const char *location = audit_info->location;

        return location;
}
185
/*
 * The policy's TGT lifetime in whole minutes, or "none" when no raw lifetime
 * was recorded.
 *
 * The raw value is divided by 1000 * 1000 * 10 * 60 (6e8); that factor is
 * consistent with the raw lifetime being in 100ns units, i.e. 10^7 per
 * second.  Integer division truncates toward zero, so partial minutes are
 * dropped.
 */
struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
{
        const int64_t raw_units_per_minute = INT64_C(1000) * 1000 * 10 * 60;
        int64_t minutes;

        if (!audit_info->tgt_lifetime_raw.is_present) {
                return authn_int64_none();
        }

        minutes = audit_info->tgt_lifetime_raw.val / raw_units_per_minute;

        return authn_int64_some(minutes);
}