source4/kdc/authn_policy_util.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba Active Directory authentication policy utility functions
   4
   5    Copyright (C) Catalyst.Net Ltd 2023
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #ifndef KDC_AUTHN_POLICY_UTIL_H
  22 #define KDC_AUTHN_POLICY_UTIL_H
  23
  24 #include "lib/replace/replace.h"
  25 #include "auth/authn_policy.h"
  26 #include "auth/session.h"
  27 #include <talloc.h>
  28
  29 struct ldb_context;
  30 struct loadparm_context;
  31 struct ldb_message;
  32
  33 bool authn_policy_silos_and_policies_in_effect(struct ldb_context *samdb);
  34
  35 bool authn_policy_allowed_ntlm_network_auth_in_effect(struct ldb_context *samdb);
  36
  37 /*
  38  * Look up the silo assigned to an account. If one exists, returns its details
  39  * and whether it is enforced or not. ‘silo_attrs’ comprises the attributes to
  40  * include in the search result, the relevant set of which can differ depending
  41  * on the account’s objectClass.
  42  */
  43 int authn_policy_get_assigned_silo(struct ldb_context *samdb,
  44                                    TALLOC_CTX *mem_ctx,
  45                                    const struct ldb_message *msg,
  46                                    const char *const *silo_attrs,
  47                                    const struct ldb_message **silo_msg_out,
  48                                    bool *is_enforced);
  49
  50 struct auth_user_info_dc;
  51
  52 /* Authentication policies for Kerberos clients. */
  53
  54 /*
  55  * Get the applicable authentication policy for an account acting as a Kerberos
  56  * client.
  57  */
  58 int authn_policy_kerberos_client(struct ldb_context *samdb,
  59                                  TALLOC_CTX *mem_ctx,
  60                                  const struct ldb_message *msg,
  61                                  const struct authn_kerberos_client_policy **policy_out);
  62
  63 /*
  64  * Perform an access check for the device with which the client is
  65  * authenticating. ‘device_info’ must be talloc-allocated so that we can make a
  66  * reference to it.
  67  */
  68 NTSTATUS authn_policy_authenticate_from_device(TALLOC_CTX *mem_ctx,
  69                                                struct ldb_context *samdb,
  70                                                struct loadparm_context* lp_ctx,
  71                                                const struct auth_user_info_dc *device_info,
  72                                                const struct auth_claims auth_claims,
  73                                                const struct authn_kerberos_client_policy *client_policy,
  74                                                struct authn_audit_info **client_audit_info_out);
  75
  76 /* Return whether an authentication policy enforces device restrictions. */
  77 bool authn_policy_device_restrictions_present(const struct authn_kerberos_client_policy *policy);
  78
  79 /* Authentication policies for NTLM clients. */
  80
  81 struct authn_ntlm_client_policy;
  82
  83 /*
  84  * Get the applicable authentication policy for an account acting as an NTLM
  85  * client.
  86  */
  87 int authn_policy_ntlm_client(struct ldb_context *samdb,
  88                              TALLOC_CTX *mem_ctx,
  89                              const struct ldb_message *msg,
  90                              const struct authn_ntlm_client_policy **policy_out);
  91
  92 /* Check whether the client is allowed to authenticate using NTLM. */
  93 NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
  94                                                     const struct authn_ntlm_client_policy *client_policy,
  95                                                     struct authn_audit_info **client_audit_info_out);
  96
  97 /* Authentication policies for servers. */
  98
  99 struct authn_server_policy;
 100
 101 /*
 102  * Get the applicable authentication policy for an account acting as a
 103  * server.
 104  */
 105 int authn_policy_server(struct ldb_context *samdb,
 106                         TALLOC_CTX *mem_ctx,
 107                         const struct ldb_message *msg,
 108                         const struct authn_server_policy **policy_out);
 109
 110 /* Return whether an authentication policy enforces restrictions. */
 111 bool authn_policy_restrictions_present(const struct authn_server_policy *policy);
 112
 113 enum authn_policy_auth_type {
 114         AUTHN_POLICY_AUTH_TYPE_KERBEROS,
 115         AUTHN_POLICY_AUTH_TYPE_NTLM,
 116 };
 117
 118 struct authn_policy_flags {
 119         bool force_compounded_authentication : 1;
 120 };
 121
 122 /*
 123  * Perform an access check for the client attempting to authenticate to the
 124  * server. ‘user_info’ must be talloc-allocated so that we can make a reference
 125  * to it.
 126  */
 127 NTSTATUS authn_policy_authenticate_to_service(TALLOC_CTX *mem_ctx,
 128                                               struct ldb_context *samdb,
 129                                               struct loadparm_context* lp_ctx,
 130                                               enum authn_policy_auth_type auth_type,
 131                                               const struct auth_user_info_dc *user_info,
 132                                               const struct auth_user_info_dc *device_info,
 133                                               const struct auth_claims auth_claims,
 134                                               const struct authn_server_policy *server_policy,
 135                                               const struct authn_policy_flags authn_policy_flags,
 136                                               struct authn_audit_info **server_audit_info_out);
 137
 138 /* Create a structure containing auditing information. */
 139 NTSTATUS _authn_kerberos_client_policy_audit_info(
 140         TALLOC_CTX *mem_ctx,
 141         const struct authn_kerberos_client_policy *client_policy,
 142         const struct auth_user_info_dc *client_info,
 143         enum authn_audit_event event,
 144         enum authn_audit_reason reason,
 145         NTSTATUS policy_status,
 146         const char *location,
 147         struct authn_audit_info **audit_info_out);
 148
 149 /* Create a structure containing auditing information. */
 150 #define authn_kerberos_client_policy_audit_info( \
 151         mem_ctx, \
 152         policy, \
 153         client_info, \
 154         event, \
 155         reason, \
 156         policy_status, \
 157         audit_info_out) \
 158         _authn_kerberos_client_policy_audit_info( \
 159                 mem_ctx, \
 160                 policy, \
 161                 client_info, \
 162                 event, \
 163                 reason, \
 164                 policy_status, \
 165                 __location__, \
 166                 audit_info_out)
 167
 168 /* Create a structure containing auditing information. */
 169 NTSTATUS _authn_ntlm_client_policy_audit_info(
 170         TALLOC_CTX *mem_ctx,
 171         const struct authn_ntlm_client_policy *policy,
 172         const struct auth_user_info_dc *client_info,
 173         enum authn_audit_event event,
 174         enum authn_audit_reason reason,
 175         NTSTATUS policy_status,
 176         const char *location,
 177         struct authn_audit_info **audit_info_out);
 178
 179 /* Create a structure containing auditing information. */
 180 #define authn_ntlm_client_policy_audit_info( \
 181         mem_ctx, \
 182         policy, \
 183         client_info, \
 184         event, \
 185         reason, \
 186         policy_status, \
 187         audit_info_out) \
 188         _authn_ntlm_client_policy_audit_info( \
 189                 mem_ctx, \
 190                 policy, \
 191                 client_info, \
 192                 event, \
 193                 reason, \
 194                 policy_status, \
 195                 __location__, \
 196                 audit_info_out)
 197
 198 /* Create a structure containing auditing information. */
 199 NTSTATUS _authn_server_policy_audit_info(
 200         TALLOC_CTX *mem_ctx,
 201         const struct authn_server_policy *policy,
 202         const struct auth_user_info_dc *client_info,
 203         enum authn_audit_event event,
 204         enum authn_audit_reason reason,
 205         NTSTATUS policy_status,
 206         const char *location,
 207         struct authn_audit_info **audit_info_out);
 208
 209 /* Create a structure containing auditing information. */
 210 #define authn_server_policy_audit_info( \
 211         mem_ctx, \
 212         policy, \
 213         client_info, \
 214         event, \
 215         reason, \
 216         policy_status, \
 217         audit_info_out) \
 218         _authn_server_policy_audit_info( \
 219                 mem_ctx, \
 220                 policy, \
 221                 client_info, \
 222                 event, \
 223                 reason, \
 224                 policy_status, \
 225                 __location__, \
 226                 audit_info_out)
 227
 228 #endif