kdc: call HDB audit function in both AS and TGS
Call the HDB audit method, if present, in both AS and TGS, immediately prior to generating an error response to send to the client.
@@ -77,23 +77,6 @@ audited_auth_event_p(astgs_request_t r)
|
||||
return !!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT_TYPE);
|
||||
}
|
||||
|
||||
/*
|
||||
* Notify the HDB backend of the audited event.
|
||||
*/
|
||||
|
||||
static krb5_error_code
|
||||
notify_hdb_audit(astgs_request_t r)
|
||||
{
|
||||
struct HDB *hdb;
|
||||
|
||||
hdb = r->clientdb ? r->clientdb : r->config->db[0];
|
||||
|
||||
if (hdb && hdb->hdb_audit && audited_auth_event_p(r))
|
||||
return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
_kdc_fix_time(time_t **t)
|
||||
{
|
||||
@@ -2770,7 +2753,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
|
||||
out:
|
||||
r->ret = ret;
|
||||
notify_hdb_audit(r);
|
||||
_kdc_hdb_audit(r);
|
||||
|
||||
/*
|
||||
* In case of a non proxy error, build an error message.
|
||||
|
@@ -2575,6 +2575,7 @@ _kdc_tgs_rep(astgs_request_t r)
|
||||
|
||||
out:
|
||||
r->ret = ret;
|
||||
_kdc_hdb_audit(r);
|
||||
|
||||
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
|
||||
METHOD_DATA error_method = { 0, NULL };
|
||||
|
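--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -341,3 +341,20 @@ _kdc_include_pac_p(astgs_request_t r)
 return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
 }
 
+/*
+* Notify the HDB backend of the audited event.
+*/
+
+krb5_error_code
+_kdc_hdb_audit(astgs_request_t r)
+{
+struct HDB *hdb;
+
+hdb = r->clientdb ? r->clientdb : r->config->db[0];
+
+if (hdb && hdb->hdb_audit)
+return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
+
+return 0;
+}
+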
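Review bot: `_kdc_hdb_audit` drops the `audited_auth_event_p(r)` guard that the removed `notify_hdb_audit` had, so a backend's `hdb_audit` callback is now invoked for every AS and TGS request, including ones where `HDB_REQUEST_KV_AUTH_EVENT_TYPE` was never set. The new hdb.h comment says as much, but the function's own header comment still reads "Notify the HDB backend of the audited event", which no longer describes the precondition; suggest `/* Notify the HDB backend, if it implements hdb_audit, of the completed AS/TGS request. The auth event type may be absent (currently only the AS sets it), so backends must tolerate a missing HDB_REQUEST_KV_AUTH_EVENT_TYPE. */`. Both callers, in `_kdc_as_rep` and `_kdc_tgs_rep`, discard the returned `krb5_error_code`; if an audit failure is deliberately not meant to alter the reply, it would help to state that in the same comment. Whether `r->client` can be NULL at the TGS call site is not visible here and is worth confirming against the backends that implement `hdb_audit`.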
@@ -305,7 +305,9 @@ typedef struct HDB {
|
||||
krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
|
||||
|
||||
/**
|
||||
* Authentication auditing
|
||||
* Authentication auditing. Note that this function is called by
|
||||
* both the AS and TGS, but currently only the AS sets the auth
|
||||
* event type and details. This may change in a future version.
|
||||
*
|
||||
* Event details are available by querying the request using
|
||||
* heim_audit_getkv(HDB_REQUEST_KV_...).
|
||||
|