/*
   Unix SMB/CIFS implementation.
   msDS-ManagedPassword attribute for Group Managed Service Accounts

   Copyright (C) Catalyst.Net Ltd 2024

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.
*/
21 #ifndef DSDB_GMSA_UTIL_H
22 #define DSDB_GMSA_UTIL_H
24 #include "ldb.h"
25 #include "ldb_module.h"
26 #include <talloc.h>
28 #include "lib/crypto/gkdi.h"
29 #include "lib/crypto/gmsa.h"
30 #include "lib/util/data_blob.h"
31 #include "lib/util/time.h"
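/*
 * One pending rewrite of a gMSA's password attributes. It is handed back by
 * gmsa_recalculate_managed_pwd() through ‘update_out’ and consumed by
 * dsdb_update_gmsa_entry_keys() (both declared below).
 *
 * ‘found_pwd_id’ records the managed password ID that was in the database when
 * the update was prepared. NOTE(review): presumably the apply step compares it
 * against the stored value so that a concurrent writer's update is not
 * silently overwritten — confirm in dsdb_update_gmsa_entry_keys().
 *
 * The three ldb_request pointers are the write operations that make up the
 * update; only ‘old_pw_req’ is documented as optional.
 */
struct gmsa_update {
	/* The DN of the gMSA to be updated. */
	struct ldb_dn *dn;
	/*
	 * The managed password ID (if any) found in the database at the time of
	 * preparing this update.
	 */
	const DATA_BLOB *found_pwd_id;
	/* An optional request to set the previous password. */
	struct ldb_request *old_pw_req;
	/* A request to set the current password. */
	struct ldb_request *new_pw_req;
	/* A request to set the managed password ID. */
	struct ldb_request *pwd_id_req;
};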
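/*
 * Names one managed password by the key material it comes from: the root key
 * and the group key identifier (GKID) within it. gmsa_update_managed_pwd_id()
 * below takes one of these as the identifier to record. The two member types
 * are presumably those declared in lib/crypto/gkdi.h (included above).
 */
struct gmsa_update_pwd_part {
	const struct ProvRootKey *root_key;
	struct Gkid gkid;
};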
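/*
 * The pair of password identifiers carried by an update: one for the previous
 * password and one for the new (current) password.
 */
struct gmsa_update_pwd {
	struct gmsa_update_pwd_part prev_id;
	struct gmsa_update_pwd_part new_id;
};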
struct dom_sid;
/**
 * Decide whether the principal identified by ‘account_sid’ may read the
 * managed password of the account described by ‘msg’.
 *
 * @param mem_ctx      talloc context for any temporary allocations.
 * @param ldb          the ldb context the account lives in.
 * @param msg          the account's record (presumably a gMSA — confirm).
 * @param account_sid  SID of the principal asking to read the password.
 * @param allowed_out  receives the decision.
 * @return an int status code (presumably an LDB_* value like the other
 *         int-returning functions here — confirm). The decision and the
 *         status are separate: only consult *allowed_out after a successful
 *         return, and treat any error return as "not allowed".
 */
int gmsa_allowed_to_view_managed_password(TALLOC_CTX *mem_ctx,
					  struct ldb_context *ldb,
					  const struct ldb_message *msg,
					  const struct dom_sid *account_sid,
					  bool *allowed_out);
struct KeyEnvelope;
/**
 * Update the key envelope ‘pwd_id’ in place with the root key and GKID given
 * in ‘new_pwd’. The envelope is modified rather than copied (non-const
 * pointer, no return value), so callers must pass the one they intend to
 * store.
 */
void gmsa_update_managed_pwd_id(struct KeyEnvelope *pwd_id,
				const struct gmsa_update_pwd_part *new_pwd);
/**
 * Serialise the key envelope ‘pwd_id’ into ‘*pwd_id_out’.
 *
 * @param mem_ctx     talloc context; presumably the blob's data is allocated
 *                    on it — confirm before freeing it by other means.
 * @param pwd_id      the envelope to pack.
 * @param pwd_id_out  receives the packed blob.
 * @return an NTSTATUS; *pwd_id_out is only meaningful when it reports success.
 */
NTSTATUS gmsa_pack_managed_pwd_id(TALLOC_CTX *mem_ctx,
				  const struct KeyEnvelope *pwd_id,
				  DATA_BLOB *pwd_id_out);
/**
 * Generate a managed password for the account ‘account_sid’ as of
 * ‘current_time’, returning both the packed password ID blob and the password
 * itself.
 *
 * @param ldb               ldb context (presumably where the root keys are
 *                          looked up — confirm).
 * @param mem_ctx           talloc context the outputs are allocated on.
 * @param current_time      the time the password is generated for.
 * @param account_sid       SID of the account.
 * @param pwd_id_blob_out   receives the packed managed password ID.
 * @param password_out      receives the password. This is secret key
 *                          material: NOTE(review) — confirm that whatever
 *                          frees it zeroises the buffer first (e.g. a talloc
 *                          destructor; a plain memset before free can be
 *                          optimised away), and that it never reaches logs.
 * @return an int status code (presumably LDB_*). Both outputs are only valid
 *         on success.
 */
int gmsa_generate_blobs(struct ldb_context *ldb,
			TALLOC_CTX *mem_ctx,
			const NTTIME current_time,
			const struct dom_sid *const account_sid,
			DATA_BLOB *pwd_id_blob_out,
			struct gmsa_null_terminated_password **password_out);
/**
 * Pack the new and old passwords plus the two intervals into the
 * msDS-ManagedPassword wire form in ‘*managed_pwd_out’, allocated on
 * ‘mem_ctx’ (talloc convention — confirm).
 *
 * NOTE(review): no length accompanies ‘new_password’ or ‘old_password’, so the
 * packer has to assume a fixed size — presumably the one used by
 * struct gmsa_null_terminated_password in lib/crypto/gmsa.h. Confirm that
 * every caller passes buffers of at least that size, and whether
 * ‘old_password’ may be NULL when there is no previous password (the
 * gmsa_update struct above treats the old password as optional).
 *
 * @param query_interval      interval value to encode.
 * @param unchanged_interval  interval value to encode.
 * @return an NTSTATUS; *managed_pwd_out is only valid on success.
 */
NTSTATUS gmsa_pack_managed_pwd(TALLOC_CTX *mem_ctx,
			       const uint8_t *new_password,
			       const uint8_t *old_password,
			       uint64_t query_interval,
			       uint64_t unchanged_interval,
			       DATA_BLOB *managed_pwd_out);
/**
 * Report whether the account in ‘msg’ is a Group Managed Service Account.
 *
 * This is a plain predicate with no status code, so any failure to inspect the
 * record can only surface as false; callers that need to distinguish "not a
 * gMSA" from "could not tell" cannot do so through this function.
 */
bool dsdb_account_is_gmsa(struct ldb_context *ldb,
			  const struct ldb_message *msg);
/**
 * Parse the managed password ID stored on ‘msg’ into ‘*key_env_out’.
 *
 * @return presumably ‘key_env_out’ on success and NULL when ‘msg’ carries no
 *         usable managed password ID (the header does not say which cases
 *         yield NULL — confirm). Callers should test the return value rather
 *         than read *key_env_out unconditionally.
 */
const struct KeyEnvelopeId *gmsa_get_managed_pwd_id(
	const struct ldb_message *msg,
	struct KeyEnvelopeId *key_env_out);
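/*
 * The passwords and timing values reported through the msDS-ManagedPassword
 * operational attribute; filled in by gmsa_recalculate_managed_pwd() when the
 * caller passes a non-NULL ‘return_out’ (see its comment below). The two
 * intervals are presumably the values gmsa_pack_managed_pwd() encodes.
 *
 * ‘prev_pwd’ and ‘new_pwd’ point at secret key material. NOTE(review): this
 * header does not say who owns or zeroises them — confirm against
 * gmsa_recalculate_managed_pwd() before keeping references to them.
 */
struct gmsa_return_pwd {
	struct gmsa_null_terminated_password *prev_pwd;
	struct gmsa_null_terminated_password *new_pwd;
	NTTIME query_interval;
	NTTIME unchanged_interval;
};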
/**
 * Report whether the managed password key recorded on ‘msg’ still counts as
 * recent relative to ‘current_time’. The threshold that defines "recent" is
 * set by the implementation, not by this header — confirm it before relying
 * on the answer for a security decision.
 */
bool samdb_gmsa_key_is_recent(const struct ldb_message *msg,
			      const NTTIME current_time);
/*
 * Recalculate the managed password of an account. The account referred to by
 * ‘msg’ should be a Group Managed Service Account.
 *
 * Updated passwords are returned in ‘update_out’ (a struct gmsa_update,
 * presumably allocated on ‘mem_ctx’ — confirm) for later application through
 * dsdb_update_gmsa_entry_keys().
 *
 * Pass in a non‐NULL pointer for ‘return_out’ if you want the passwords as
 * reflected by the msDS-ManagedPassword operational attribute.
 *
 * Returns an int status code (presumably LDB_*); the out-parameters are only
 * meaningful on success.
 *
 * NOTE(review): this function takes no requesting principal, so it performs
 * no access check. The caller is responsible for running
 * gmsa_allowed_to_view_managed_password() before handing out anything placed
 * in ‘return_out’.
 */
int gmsa_recalculate_managed_pwd(TALLOC_CTX *mem_ctx,
				 struct ldb_context *ldb,
				 const struct ldb_message *msg,
				 const NTTIME current_time,
				 struct gmsa_update **update_out,
				 struct gmsa_return_pwd *return_out);
/**
 * Apply one prepared update (see struct gmsa_update above) — presumably by
 * issuing its ldb requests against ‘ldb’; confirm.
 *
 * @param mem_ctx      talloc context for temporary allocations.
 * @param ldb          the ldb context to write to.
 * @param gmsa_update  the update to apply; not modified.
 * @return an int status code (presumably LDB_*).
 */
int dsdb_update_gmsa_entry_keys(TALLOC_CTX *mem_ctx,
				struct ldb_context *ldb,
				const struct gmsa_update *gmsa_update);
/**
 * Bring the managed password keys of every entry in ‘res’ up to date.
 *
 * @param mem_ctx    talloc context for temporary allocations.
 * @param ldb        the ldb context to read from and write to.
 * @param res        the search result whose entries are processed.
 * @param retry_out  set by the callee. Its name suggests the caller is
 *                   expected to repeat the search-and-update when it comes
 *                   back true (e.g. after a conflicting concurrent write) —
 *                   confirm against the implementation, and make sure any
 *                   retry loop is bounded.
 * @return an int status code (presumably LDB_*).
 */
int dsdb_update_gmsa_keys(TALLOC_CTX *mem_ctx,
			  struct ldb_context *ldb,
			  const struct ldb_result *res,
			  bool *retry_out);
/*
 * Presumably the ldb opaque name consulted by dsdb_gmsa_current_time() (which
 * receives only the ldb context), letting a caller substitute the "current"
 * time used for gMSA purposes. NOTE(review): confirm it is only ever set by
 * test setup — anything able to set it from a request path could pin the time
 * used to choose password keys.
 */
#define DSDB_GMSA_TIME_OPAQUE ("dsdb_gmsa_time_opaque")

/**
 * Fetch the time to treat as "now" for gMSA purposes into ‘*current_time_out’.
 * Presumably returns false on failure, in which case the output must not be
 * used — confirm.
 */
bool dsdb_gmsa_current_time(struct ldb_context *ldb, NTTIME *current_time_out);
134 #endif /* DSDB_GMSA_UTIL_H */