kdc: add audit plugin API to windc API

Allow the windc plugin to also implement an audit callback. As part of this
change, both the HDB and windc audit function signatures are changed to return
void.
Luke Howard
2022-01-02 21:19:43 +11:00
parent 98070b5eaa
commit a4c6b81ce9
6 changed files with 87 additions and 41 deletions


@@ -2738,7 +2738,7 @@ _kdc_as_rep(astgs_request_t r)
out:
r->ret = ret;
_kdc_hdb_audit(r);
_kdc_audit_request(r);
/*
* In case of a non proxy error, build an error message.


@@ -2578,7 +2578,7 @@ _kdc_tgs_rep(astgs_request_t r)
out:
r->ret = ret;
_kdc_hdb_audit(r);
_kdc_audit_request(r);
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
METHOD_DATA error_method = { 0, NULL };


@@ -343,18 +343,20 @@ _kdc_include_pac_p(astgs_request_t r)
}
/*
* Notify the HDB backend of the audited event.
* Notify the HDB backend and windc plugin of the audited event.
*/
krb5_error_code
_kdc_hdb_audit(astgs_request_t r)
_kdc_audit_request(astgs_request_t r)
{
krb5_error_code ret;
struct HDB *hdb;
hdb = r->clientdb ? r->clientdb : r->config->db[0];
ret = _kdc_windc_audit(r);
if (ret == 0 &&
(hdb = r->clientdb ? r->clientdb : r->config->db[0]) &&
hdb->hdb_audit)
ret = hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
if (hdb && hdb->hdb_audit)
return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
return 0;
return ret;
}
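Review bot: In `_kdc_audit_request` the HDB audit hook is skipped whenever the windc audit returns non-zero (`ret == 0 &&` in the condition), and both call sites in `_kdc_as_rep` and `_kdc_tgs_rep` discard the return value, so a failing plugin audit silently suppresses the HDB audit record and nothing reports that it happened. The commit message describes both audit signatures as returning void, i.e. notifications that cannot meaningfully fail, yet the signature shown here still returns `krb5_error_code`; whichever way the return type ends up, the two sinks should be independent. I would drop the gate so the HDB hook always runs: `ret = _kdc_windc_audit(r);` followed by `if ((hdb = r->clientdb ? r->clientdb : r->config->db[0]) && hdb->hdb_audit) ret2 = hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);` and `return ret ? ret : ret2;`, and if a non-zero result is kept, log it at the call sites rather than discarding it. The header comment should also state that the result is informational and that neither audit failure changes the reply already built for the client.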


@@ -210,30 +210,6 @@ _kdc_check_access(astgs_request_t r)
return ret;
}
static krb5_error_code KRB5_LIB_CALL
finalize(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
if (ft->finalize_reply == NULL)
return KRB5_PLUGIN_NO_HANDLE;
return ft->finalize_reply((void *)plug, userctx);
}
krb5_error_code
_kdc_finalize_reply(astgs_request_t r)
{
krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
if (have_plugin)
ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, finalize);
if (ret == KRB5_PLUGIN_NO_HANDLE)
ret = 0;
return ret;
}
static krb5_error_code KRB5_LIB_CALL
referral_policy(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
@@ -255,6 +231,54 @@ _kdc_referral_policy(astgs_request_t r)
return ret;
}
static krb5_error_code KRB5_LIB_CALL
finalize_reply(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
if (ft->finalize_reply == NULL)
return KRB5_PLUGIN_NO_HANDLE;
return ft->finalize_reply((void *)plug, userctx);
}
krb5_error_code
_kdc_finalize_reply(astgs_request_t r)
{
krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
if (have_plugin)
ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, finalize_reply);
if (ret == KRB5_PLUGIN_NO_HANDLE)
ret = 0;
return ret;
}
static krb5_error_code KRB5_LIB_CALL
audit(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
if (ft->audit == NULL)
return KRB5_PLUGIN_NO_HANDLE;
return ft->audit((void *)plug, userctx);
}
krb5_error_code
_kdc_windc_audit(astgs_request_t r)
{
krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
if (have_plugin)
ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, audit);
if (ret == KRB5_PLUGIN_NO_HANDLE)
ret = 0;
return ret;
}
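Review bot: `_kdc_windc_audit` routes the request through `_krb5_plugin_run_f` and maps `KRB5_PLUGIN_NO_HANDLE` to 0 exactly like `_kdc_finalize_reply`; if that runner stops at the first callback that returns something other than `KRB5_PLUGIN_NO_HANDLE` (which the NO_HANDLE mapping here relies on), then with several windc plugins loaded only the first one implementing `audit` will ever see a request, and the others get no audit record at all. That is acceptable for a reply-shaping hook but surprising for an audit hook; if it is the intended contract, it should be stated, otherwise the audit path needs to visit every plugin regardless of return value. Neither `_kdc_windc_audit` nor the `audit` trampoline has a comment; I would add `/* Notify the windc plugin of the audited request; 0 when no plugin implements audit. */` above `_kdc_windc_audit`. The rename of the static trampoline `finalize` to `finalize_reply` in the first hunk is fine and matches the ftable member name.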
uintptr_t KRB5_CALLCONV
kdc_get_instance(const char *libname)
{


@@ -77,13 +77,6 @@ typedef krb5_error_code
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_windc_client_access)(void *, astgs_request_t);
/*
* Update the AS or TGS reply immediately prior to encoding.
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_windc_finalize_reply)(void *, astgs_request_t r);
/*
* A referral policy plugin can either rewrite the server principal
* by resetting priv->server_princ, or it can disable referral
@@ -98,6 +91,24 @@ typedef krb5_error_code
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_windc_referral_policy)(void *, astgs_request_t r);
/*
* Update the AS or TGS reply immediately prior to encoding.
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_windc_finalize_reply)(void *, astgs_request_t r);
/*
* Audit an AS or TGS request. This function is called after encoding the
* reply (on success), or before encoding the error message. If a HDB audit
* function is also present, it is called after this one.
*
* The request should not be modified by the plugin.
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_windc_audit)(void *, astgs_request_t r);
#define KRB5_WINDC_PLUGIN_MINOR 8
#define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR
@@ -110,6 +121,7 @@ typedef struct krb5plugin_windc_ftable {
krb5plugin_windc_client_access client_access;
krb5plugin_windc_referral_policy referral_policy;
krb5plugin_windc_finalize_reply finalize_reply;
krb5plugin_windc_audit audit;
} krb5plugin_windc_ftable;
#endif /* HEIMDAL_KDC_WINDC_PLUGIN_H */
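Review bot: The new `audit` member is appended to `krb5plugin_windc_ftable`, but `KRB5_WINDC_PLUGIN_MINOR` appears in this hunk as unchanged context at 8; if it was not bumped in this commit, a plugin built against the previous table layout carries the same minor, passes the version check, and `ft->audit` in the KDC then reads past the end of that plugin's table. If the minor really is unchanged, bump it alongside the new member (and bump it again for any future member), so the check in the loader can reject older tables. The comment on `krb5plugin_windc_audit` should also record the actual control flow implemented in `_kdc_audit_request`: the HDB audit function is called after this one only when this one returns 0, e.g. `* function is also present, it is called after this one, provided this` / `* function returned 0.`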


@@ -116,6 +116,13 @@ finalize_reply(void *ctx, astgs_request_t r)
return 0;
}
static krb5_error_code KRB5_CALLCONV
audit(void *ctx, astgs_request_t r)
{
logit("audit", r);
return 0;
}
static krb5plugin_windc_ftable windc = {
KRB5_WINDC_PLUGING_MINOR,
windc_init,
@@ -124,7 +131,8 @@ static krb5plugin_windc_ftable windc = {
pac_verify,
client_access,
NULL, /* referral_policy */
finalize_reply
finalize_reply,
audit
};
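Review bot: The `windc` table in the test plugin is positionally initialised, so every ftable extension (here `audit` after `finalize_reply`) depends on getting the slot order right, and the `NULL, /* referral_policy */` placeholder is the only hint of which slot is which. Designated initialisers, which the file's C99 target allows, make the table self-describing and robust to reordering: `.finalize_reply = finalize_reply,` / `.audit = audit,` with the minor and the other members named the same way. Purely a style point; the behaviour is unchanged.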
static const krb5plugin_windc_ftable *const windc_plugins[] = {