oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: refactor Samba-specific auditing API in terms of existing API

Browse Source 
Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
with a view towards unifying the two APIs in a future commit.

The term "auth status" is replaced with "auth event", and the HDB auth_status
method is replaced with a more general purpose audit method which has access to
the entire request structure.
This commit is contained in:
Luke Howard
2021-12-31 17:24:58 +11:00
parent 32032dec7e
commit b1dcc1a474
8 changed files with 291 additions and 230 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
lib/base/log.c
View File

@@ -655,32 +655,34 @@ heim_add_debug_dest(heim_context context, const char *program,
return 0;
}
static heim_string_t
struct heim_audit_kv_tuple {
heim_string_t key;
heim_object_t value;
};
static struct heim_audit_kv_tuple zero_tuple;
static struct heim_audit_kv_tuple
fmtkv(int flags, const char *k, const char *fmt, va_list ap)
__attribute__ ((__format__ (__printf__, 3, 0)))
{
heim_string_t str;
size_t i;
ssize_t j;
char *buf1;
char *buf2;
char *buf3;
int ret = vasprintf(&buf1, fmt, ap);
if (ret < 0 || !buf1)
return NULL;;
struct heim_audit_kv_tuple kv;
char *value;
char *value_vis;
j = asprintf(&buf2, "%s=%s", k, buf1);
free(buf1);
if (j < 0 || !buf2)
return NULL;;
j = vasprintf(&value, fmt, ap);
if (j < 0 || value == NULL)
return zero_tuple;
/* We optionally eat the whitespace. */
if (flags & HEIM_SVC_AUDIT_EATWHITE) {
for (i=0, j=0; buf2[i]; i++)
if (buf2[i] != ' ' && buf2[i] != '\t')
buf2[j++] = buf2[i];
buf2[j] = '\0';
for (i=0, j=0; value[i]; i++)
if (value[i] != ' ' && value[i] != '\t')
value[j++] = value[i];
value[j] = '\0';
}
if (flags & (HEIM_SVC_AUDIT_VIS | HEIM_SVC_AUDIT_VISLAST)) {
@@ -688,48 +690,50 @@ fmtkv(int flags, const char *k, const char *fmt, va_list ap)
if (flags & HEIM_SVC_AUDIT_VIS)
vis_flags |= VIS_WHITE;
buf3 = malloc((j + 1) * 4 + 1);
if (buf3)
strvisx(buf3, buf2, j, vis_flags);
free(buf2);
if (buf3 == NULL)
return NULL;
value_vis = malloc((j + 1) * 4 + 1);
if (value_vis)
strvisx(value_vis, value, j, vis_flags);
free(value);
if (value_vis == NULL)
return zero_tuple;
} else
buf3 = buf2;
value_vis = value;
str = heim_string_create(buf3);
free(buf3);
return str;
kv.key = heim_string_create(k);
kv.value = heim_string_ref_create(value_vis, free);
return kv;
}
void
heim_audit_vaddreason(heim_svc_req_desc r, const char *fmt, va_list ap)
__attribute__ ((__format__ (__printf__, 2, 0)))
{
heim_string_t str;
struct heim_audit_kv_tuple kv;
str = fmtkv(HEIM_SVC_AUDIT_VISLAST, "reason", fmt, ap);
if (!str) {
kv = fmtkv(HEIM_SVC_AUDIT_VISLAST, "reason", fmt, ap);
if (kv.key == NULL || kv.value == NULL) {
heim_log(r->hcontext, r->logf, 1, "heim_audit_vaddreason: "
"failed to add reason (out of memory)");
return;
}
heim_log(r->hcontext, r->logf, 7, "heim_audit_vaddreason(): "
"adding reason %s", heim_string_get_utf8(str));
"adding reason %s", heim_string_get_utf8(kv.value));
if (r->reason) {
heim_string_t str2;
str2 = heim_string_create_with_format("%s: %s",
heim_string_get_utf8(str),
heim_string_get_utf8(kv.value),
heim_string_get_utf8(r->reason));
if (str2) {
heim_release(str);
str = str2;
heim_release(kv.value);
kv.value = str2;
}
}
heim_release(r->reason);
r->reason = str;
r->reason = kv.value;
heim_release(kv.key);
}
void
@@ -754,19 +758,23 @@ heim_audit_vaddkv(heim_svc_req_desc r, int flags, const char *k,
const char *fmt, va_list ap)
__attribute__ ((__format__ (__printf__, 4, 0)))
{
heim_string_t str;
struct heim_audit_kv_tuple kv;
str = fmtkv(flags, k, fmt, ap);
if (!str) {
kv = fmtkv(flags, k, fmt, ap);
if (kv.key == NULL || kv.value == NULL) {
heim_log(r->hcontext, r->logf, 1, "heim_audit_vaddkv: "
"failed to add kv pair (out of memory)");
heim_release(kv.key);
heim_release(kv.value);
return;
}
heim_log(r->hcontext, r->logf, 7, "heim_audit_vaddkv(): "
"adding kv pair %s", heim_string_get_utf8(str));
heim_array_append_value(r->kv, str);
heim_release(str);
"adding kv pair %s=%s",
heim_string_get_utf8(kv.key), heim_string_get_utf8(kv.value));
heim_dict_set_value(r->kv, kv.key, kv.value);
heim_release(kv.key);
heim_release(kv.value);
}
void
@@ -808,14 +816,106 @@ heim_audit_addkv_timediff(heim_svc_req_desc r, const char *k,
heim_audit_addkv(r, 0, k, "%s%ld.%06d", sign, sec, usec);
}
void
heim_audit_addkv_object(heim_svc_req_desc r, const char *k, heim_object_t obj)
{
heim_string_t key = heim_string_create(k);
heim_string_t value;
if (key == NULL)
return;
value = heim_json_copy_serialize(obj, 0, NULL);
heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_object(): "
"adding kv pair %s=%s",
k, value ? heim_string_get_utf8(value) : "<unprintable>");
heim_dict_set_value(r->kv, key, obj);
heim_release(key);
heim_release(value);
}
void
heim_audit_delkv(heim_svc_req_desc r, const char *k)
{
heim_string_t key = heim_string_create(k);
if (key == NULL)
return;
heim_log(r->hcontext, r->logf, 7, "heim_audit_delkv(): "
"deleting kv pair %s", k);
heim_dict_delete_key(r->kv, key);
heim_release(key);
}
heim_object_t
heim_audit_getkv(heim_svc_req_desc r, const char *k)
{
heim_string_t key;
heim_object_t value;
key = heim_string_create(k);
if (key == NULL)
return NULL;
value = heim_dict_get_value(r->kv, key);
heim_release(key);
return value;
}
struct heim_audit_kv_buf {
char buf[1024];
size_t pos;
};
static void
audit_trail_iterator(heim_object_t key, heim_object_t value, void *arg)
{
struct heim_audit_kv_buf *kvb = arg;
char num[32];
const char *k = heim_string_get_utf8(key), *v;
if (k == NULL || *k == '#')
return;
switch (heim_get_tid(value)) {
case HEIM_TID_STRING:
v = heim_string_get_utf8(value);
break;
case HEIM_TID_NUMBER:
snprintf(num, sizeof(num), "%d", heim_number_get_int(value));
v = num;
break;
case HEIM_TID_NULL:
v = "null";
break;
case HEIM_TID_BOOL:
v = heim_bool_val(value) ? "true" : "false";
break;
default:
v = NULL;
break;
}
if (v == NULL)
return;
if (kvb->pos < sizeof(kvb->buf) - 1)
kvb->buf[kvb->pos++] = ' ';
for (; *k && kvb->pos < sizeof(kvb->buf) - 1; kvb->pos++)
kvb->buf[kvb->pos] = *k++;
if (kvb->pos < sizeof(kvb->buf) - 1)
kvb->buf[kvb->pos++] = '=';
for (; *v && kvb->pos < sizeof(kvb->buf) - 1; kvb->pos++)
kvb->buf[kvb->pos] = *v++;
}
void
heim_audit_trail(heim_svc_req_desc r, heim_error_code ret, const char *retname)
{
const char *retval;
char kvbuf[1024];
struct heim_audit_kv_buf kvb;
char retvalbuf[30]; /* Enough for UNKNOWN-%d */
size_t nelem;
size_t i, j;
#define CASE(x) case x : retval = #x; break
if (retname) {
@@ -838,26 +938,14 @@ heim_audit_trail(heim_svc_req_desc r, heim_error_code ret, const char *retname)
if (r->e_text && r->kv)
heim_audit_addkv(r, HEIM_SVC_AUDIT_VIS, "e-text", "%s", r->e_text);
nelem = r->kv ? heim_array_get_length(r->kv) : 0;
for (i=0, j=0; i < nelem; i++) {
heim_string_t s;
const char *kvpair;
/* We know these are strings... */
s = heim_array_get_value(r->kv, i);
kvpair = heim_string_get_utf8(s);
if (j < sizeof(kvbuf) - 1)
kvbuf[j++] = ' ';
for (; *kvpair && j < sizeof(kvbuf) - 1; j++)
kvbuf[j] = *kvpair++;
}
kvbuf[j] = '\0';
kvb.pos = 0;
heim_dict_iterate_f(r->kv, &kvb, audit_trail_iterator);
kvb.buf[kvb.pos] = '\0';
heim_log(r->hcontext, r->logf, 3, "%s %s %s %s %s%s%s%s",
r->reqtype, retval, r->from,
r->cname ? r->cname : "<unknown>",
r->sname ? r->sname : "<unknown>",
kvbuf, r->reason ? " " : "",
kvb.buf, r->reason ? " reason=" : "",
r->reason ? heim_string_get_utf8(r->reason) : "");
}