From a4c6b81ce9e8a7c5d75ee0c9df6d8ce16aac4f63 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 2 Jan 2022 21:19:43 +1100
Subject: [PATCH] kdc: add audit plugin API to windc API

Allow the windc plugin to also implement an audit callback. As part of this change, both the HDB and windc audit function signatures are changed to return void.
---
 kdc/kerberos5.c | 2 +-
 kdc/krb5tgs.c | 2 +-
 kdc/misc.c | 16 +++++-----
 kdc/windc.c | 72 +++++++++++++++++++++++++++++---------------
 kdc/windc_plugin.h | 26 +++++++++++-----
 tests/plugin/windc.c | 10 +++++-
 6 files changed, 87 insertions(+), 41 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 70fa1b6d0..8a6cc527f 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2738,7 +2738,7 @@ _kdc_as_rep(astgs_request_t r)
 out:
 r->ret = ret;
- _kdc_hdb_audit(r);
+ _kdc_audit_request(r);
 /*
 * In case of a non proxy error, build an error message.
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 887c9a05b..55f851bf2 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2578,7 +2578,7 @@ _kdc_tgs_rep(astgs_request_t r)
 out:
 r->ret = ret;
- _kdc_hdb_audit(r);
+ _kdc_audit_request(r);
 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
 METHOD_DATA error_method = { 0, NULL };
diff --git a/kdc/misc.c b/kdc/misc.c
index 1d7467261..296557300 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
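Review bot: `_kdc_audit_request(r)` still returns krb5_error_code, but the replaced call here and in the matching krb5tgs.c hunk discards the result, so an audit failure from the windc plugin or the HDB backend is never logged and never reaches `r->ret`. The commit message says both audit signatures are changed to return void, yet the misc.c and windc_plugin.h hunks keep krb5_error_code, so the message and the code disagree. Either make the function void as described, `void _kdc_audit_request(astgs_request_t r)`, with the audit helpers reporting their own failures, or check the result at these two call sites. `_kdc_as_rep` and `_kdc_tgs_rep` both begin outside their hunks.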
@@ -343,18 +343,20 @@ _kdc_include_pac_p(astgs_request_t r)
 }
 /*
- * Notify the HDB backend of the audited event.
+ * Notify the HDB backend and windc plugin of the audited event.
 */
 krb5_error_code
-_kdc_hdb_audit(astgs_request_t r)
+_kdc_audit_request(astgs_request_t r)
 {
+ krb5_error_code ret;
 struct HDB *hdb;
- hdb = r->clientdb ? r->clientdb : r->config->db[0];
+ ret = _kdc_windc_audit(r);
+ if (ret == 0 &&
+ (hdb = r->clientdb ? r->clientdb : r->config->db[0]) &&
+ hdb->hdb_audit)
+ ret = hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
- if (hdb && hdb->hdb_audit)
- return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
-
- return 0;
+ return ret;
 }
diff --git a/kdc/windc.c b/kdc/windc.c
index e7e2b9d4d..e9ee99636 100644
--- a/kdc/windc.c
+++ b/kdc/windc.c
@@ -210,30 +210,6 @@ _kdc_check_access(astgs_request_t r)
 return ret;
 }
-static krb5_error_code KRB5_LIB_CALL
-finalize(krb5_context context, const void *plug, void *plugctx, void *userctx)
-{
- krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
-
- if (ft->finalize_reply == NULL)
- return KRB5_PLUGIN_NO_HANDLE;
- return ft->finalize_reply((void *)plug, userctx);
-}
-
-krb5_error_code
-_kdc_finalize_reply(astgs_request_t r)
-{
- krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
-
- if (have_plugin)
- ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, finalize);
-
- if (ret == KRB5_PLUGIN_NO_HANDLE)
- ret = 0;
-
- return ret;
-}
-
 static krb5_error_code KRB5_LIB_CALL
 referral_policy(krb5_context context, const void *plug, void *plugctx, void *userctx)
 {
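Review bot: In `_kdc_audit_request` the HDB audit hook runs only when `_kdc_windc_audit` returned 0, so a plugin audit failure silently suppresses the backend's audit record for the same request, and because the callers discard the return value nothing reports that the record was dropped. The comment added in windc_plugin.h only says the HDB function "is called after this one" and does not mention the skip, so a plugin author cannot tell that returning an error has this side effect. Unless the skip is intended, run both sinks unconditionally and return the first error, as below; if it is intended, state it in the header comment. Lifting the `hdb` lookup out of the `&&` chain also removes the assignment hidden inside the condition.
```c
krb5_error_code
_kdc_audit_request(astgs_request_t r)
{
    krb5_error_code ret, ret2;
    struct HDB *hdb;

    /* Run both audit sinks; a failing plugin must not suppress the HDB record. */
    ret = _kdc_windc_audit(r);

    hdb = r->clientdb ? r->clientdb : r->config->db[0];
    if (hdb && hdb->hdb_audit) {
        ret2 = hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
        if (ret == 0)
            ret = ret2;
    }

    return ret;
}
```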
@@ -255,6 +231,54 @@ _kdc_referral_policy(astgs_request_t r)
 return ret;
 }
+static krb5_error_code KRB5_LIB_CALL
+finalize_reply(krb5_context context, const void *plug, void *plugctx, void *userctx)
+{
+ krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
+
+ if (ft->finalize_reply == NULL)
+ return KRB5_PLUGIN_NO_HANDLE;
+ return ft->finalize_reply((void *)plug, userctx);
+}
+
+krb5_error_code
+_kdc_finalize_reply(astgs_request_t r)
+{
+ krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
+
+ if (have_plugin)
+ ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, finalize_reply);
+
+ if (ret == KRB5_PLUGIN_NO_HANDLE)
+ ret = 0;
+
+ return ret;
+}
+
+static krb5_error_code KRB5_LIB_CALL
+audit(krb5_context context, const void *plug, void *plugctx, void *userctx)
+{
+ krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
+
+ if (ft->audit == NULL)
+ return KRB5_PLUGIN_NO_HANDLE;
+ return ft->audit((void *)plug, userctx);
+}
+
+krb5_error_code
+_kdc_windc_audit(astgs_request_t r)
+{
+ krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
+
+ if (have_plugin)
+ ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, audit);
+
+ if (ret == KRB5_PLUGIN_NO_HANDLE)
+ ret = 0;
+
+ return ret;
+}
+
 uintptr_t KRB5_CALLCONV
 kdc_get_instance(const char *libname)
 {
diff --git a/kdc/windc_plugin.h b/kdc/windc_plugin.h
index 2ecfe70fc..433344e15 100644
--- a/kdc/windc_plugin.h
+++ b/kdc/windc_plugin.h
@@ -77,13 +77,6 @@ typedef krb5_error_code
 typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_windc_client_access)(void *, astgs_request_t);
-/*
- * Update the AS or TGS reply immediately prior to encoding.
- */
-
-typedef krb5_error_code
-(KRB5_CALLCONV *krb5plugin_windc_finalize_reply)(void *, astgs_request_t r);
-
 /*
 * A referral policy plugin can either rewrite the server principal
 * by resetting priv->server_princ, or it can disable referral
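Review bot: The new static dispatcher is named `audit`, and the same static name is used in tests/plugin/windc.c; on BSD-derived platforms `<bsm/audit.h>` declares a libc function `audit()` with a different signature, so if that header is ever reachable from these files the definitions stop compiling. A more specific name such as `audit_request`, in line with `finalize_reply` and `referral_policy`, avoids the risk at no cost. `audit`/`_kdc_windc_audit` are otherwise a line-for-line copy of `finalize_reply`/`_kdc_finalize_reply` differing only in the table member they read; a macro that generates each wrapper pair from the member name would keep the four dispatchers from drifting apart. Note also that the hook receives the same non-const `astgs_request_t` as the other callbacks, so the header's "should not be modified" rule rests on convention alone.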
@@ -98,6 +91,24 @@ typedef krb5_error_code
 typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_windc_referral_policy)(void *, astgs_request_t r);
+/*
+ * Update the AS or TGS reply immediately prior to encoding.
+ */
+
+typedef krb5_error_code
+(KRB5_CALLCONV *krb5plugin_windc_finalize_reply)(void *, astgs_request_t r);
+
+/*
+ * Audit an AS or TGS request. This function is called after encoding the
+ * reply (on success), or before encoding the error message. If a HDB audit
+ * function is also present, it is called after this one.
+ *
+ * The request should not be modified by the plugin.
+ */
+
+typedef krb5_error_code
+(KRB5_CALLCONV *krb5plugin_windc_audit)(void *, astgs_request_t r);
+
 #define KRB5_WINDC_PLUGIN_MINOR 8
 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR
@@ -110,6 +121,7 @@ typedef struct krb5plugin_windc_ftable {
 krb5plugin_windc_client_access client_access;
 krb5plugin_windc_referral_policy referral_policy;
 krb5plugin_windc_finalize_reply finalize_reply;
+ krb5plugin_windc_audit audit;
 } krb5plugin_windc_ftable;
 #endif /* HEIMDAL_KDC_WINDC_PLUGIN_H */
diff --git a/tests/plugin/windc.c b/tests/plugin/windc.c
index 3168291ce..6d275f9a9 100644
--- a/tests/plugin/windc.c
+++ b/tests/plugin/windc.c
@@ -116,6 +116,13 @@ finalize_reply(void *ctx, astgs_request_t r)
 return 0;
 }
+static krb5_error_code KRB5_CALLCONV
+audit(void *ctx, astgs_request_t r)
+{
+ logit("audit", r);
+ return 0;
+}
+
 static krb5plugin_windc_ftable windc = {
 KRB5_WINDC_PLUGING_MINOR,
 windc_init,
@@ -124,7 +131,8 @@ static krb5plugin_windc_ftable windc = {
 pac_verify,
 client_access,
 NULL, /* referral_policy */
- finalize_reply
+ finalize_reply,
+ audit
 };
 static const krb5plugin_windc_ftable *const windc_plugins[] = {
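Review bot: `krb5plugin_windc_ftable` gains a trailing `audit` member, but the unchanged context line `#define KRB5_WINDC_PLUGIN_MINOR 8` shows the table version was not bumped alongside it. If the KDC admits any plugin whose table minor is at least that constant (the usual meaning of the minimum version handed to the plugin loader; the check itself is not visible here), a plugin built against the previous header still passes with a table one pointer shorter, and `ft->audit` in windc.c then reads past the end of that plugin's static table. Bump the version, `#define KRB5_WINDC_PLUGIN_MINOR 9`, and have the windc.c dispatcher read the new member only when the plugin's declared minor is at least 9. The typedef's return type also contradicts the commit message's claim that the audit signature now returns void; one of the two should be corrected.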