kdc: call HDB audit function in both AS and TGS

Call the HDB audit method, if present, in both AS and TGS, immediately prior to
generating an error response to send to the client.
Luke Howard
2022-01-01 17:15:37 +11:00
parent 1e1c5dbbfc
commit 93c8d57091
4 changed files with 22 additions and 19 deletions


@@ -77,23 +77,6 @@ audited_auth_event_p(astgs_request_t r)
return !!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT_TYPE);
}
/*
* Notify the HDB backend of the audited event.
*/
static krb5_error_code
notify_hdb_audit(astgs_request_t r)
{
struct HDB *hdb;
hdb = r->clientdb ? r->clientdb : r->config->db[0];
if (hdb && hdb->hdb_audit && audited_auth_event_p(r))
return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
return 0;
}
void
_kdc_fix_time(time_t **t)
{
@@ -2770,7 +2753,7 @@ _kdc_as_rep(astgs_request_t r)
out:
r->ret = ret;
notify_hdb_audit(r);
_kdc_hdb_audit(r);
/*
* In case of a non proxy error, build an error message.
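Review bot: The return value of `_kdc_hdb_audit(r)` is discarded at the replaced call, so a backend whose hdb_audit hook fails is silently ignored and the error response is built as if the audit had succeeded; the identical call in the TGS hunk below has the same issue. If dropping the code is intended, say so at both sites with `(void)_kdc_hdb_audit(r); /* audit failure must never alter the client-visible result */`, otherwise log the returned code before continuing. Note also that the deleted notify_hdb_audit only fired when audited_auth_event_p() was true, whereas the new helper notifies the backend on every request, including ones where the client lookup failed, so a backend that assumes an auth event type is always present may now see requests without one. _kdc_as_rep continues outside the hunk.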


@@ -2575,6 +2575,7 @@ _kdc_tgs_rep(astgs_request_t r)
out:
r->ret = ret;
_kdc_hdb_audit(r);
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
METHOD_DATA error_method = { 0, NULL };


@@ -341,3 +341,20 @@ _kdc_include_pac_p(astgs_request_t r)
return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
}
/*
* Notify the HDB backend of the audited event.
*/
krb5_error_code
_kdc_hdb_audit(astgs_request_t r)
{
struct HDB *hdb;
hdb = r->clientdb ? r->clientdb : r->config->db[0];
if (hdb && hdb->hdb_audit)
return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
return 0;
}
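Review bot: The header comment on `_kdc_hdb_audit` does not state the contract its two callers now rely on: it is reached on both the success and the error path with `r->ret` already set, and when `r->clientdb` is NULL (which appears to be the no-client-entry case, so `r->client` is presumably NULL as well, worth confirming) the hook of `r->config->db[0]` is invoked instead. Suggest replacing the comment with `/* Notify the HDB backend of the audited event. Called from both the AS and TGS once r->ret holds the outcome; falls back to the first configured backend when no client database was found. Returns the hook's error code, or 0 if no hook is installed. */`. Callers currently ignore the return value, so either the comment or the callers should make that explicit.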


@@ -305,7 +305,9 @@ typedef struct HDB {
krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
/**
* Authentication auditing
* Authentication auditing. Note that this function is called by
* both the AS and TGS, but currently only the AS sets the auth
* event type and details. This may change in a future version.
*
* Event details are available by querying the request using
* heim_audit_getkv(HDB_REQUEST_KV_...).