base: s/addkv_{bool,number,object}/setkv

Now that heim_audit_addkv() correctly supports multiple values, the other
functions that (by design) replace any existing value with a single value should
use the heim_audit_setkv prefix.

A subsequent commit could add variants that support multiple values for
non-string types.
Luke Howard
2022-01-04 09:04:58 +11:00
parent c8656863ba
commit b27026996a
10 changed files with 65 additions and 64 deletions


@@ -485,7 +485,7 @@ bad_reqv(struct bx509_request_desc *r,
char *formatted = NULL;
char *msg = NULL;
heim_audit_addkv_number((heim_svc_req_desc)r, "http-status-code",
heim_audit_setkv_number((heim_svc_req_desc)r, "http-status-code",
http_status_code);
(void) gettimeofday(&r->tv_end, NULL);
if (code == ENOMEM) {
@@ -669,13 +669,13 @@ bx509_param_cb(void *d,
&oid);
der_free_oid(&oid);
} else if (strcmp(key, "csr") == 0 && val) {
heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_csr", TRUE);
heim_audit_setkv_bool((heim_svc_req_desc)r, "requested_csr", TRUE);
r->ret = 0; /* Handled upstairs */
} else if (strcmp(key, "lifetime") == 0 && val) {
r->req_life = parse_time(val, "day");
} else {
/* Produce error for unknown params */
heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
heim_audit_setkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, r->ret = ENOTSUP,
"Query parameter %s not supported", key);
}
@@ -1638,7 +1638,7 @@ bnegotiate(struct bx509_request_desc *r)
if (ret == 0) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS, "target", "%s",
r->target ? r->target : "<unknown>");
heim_audit_addkv_bool((heim_svc_req_desc)r, "redir", !!r->redir);
heim_audit_setkv_bool((heim_svc_req_desc)r, "redir", !!r->redir);
ret = validate_token(r);
}
/* bnegotiate_get_target() and validate_token() call bad_req() */
@@ -1737,7 +1737,7 @@ get_tgt_param_cb(void *d,
r->req_life = parse_time(val, "day");
} else {
/* Produce error for unknown params */
heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
heim_audit_setkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, r->ret = ENOTSUP,
"Query parameter %s not supported", key);
}


@@ -700,7 +700,7 @@ bad_reqv(kadmin_request_desc r,
if (r && r->context)
context = r->context;
if (r && r->hcontext && r->kv)
heim_audit_addkv_number((heim_svc_req_desc)r, "http-status-code",
heim_audit_setkv_number((heim_svc_req_desc)r, "http-status-code",
http_status_code);
(void) gettimeofday(&r->tv_end, NULL);
if (code == ENOMEM) {
@@ -1046,7 +1046,7 @@ param_cb(void *d,
#endif
} else {
/* Produce error for unknown params */
heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
heim_audit_setkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, ret = ENOTSUP,
"Query parameter %s not supported", key);
}


@@ -442,13 +442,13 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
endtime_str[100], renewtime_str[100];
if (authtime)
_kdc_audit_addkv_number((kdc_request_t)r, "auth", authtime);
_kdc_audit_setkv_number((kdc_request_t)r, "auth", authtime);
if (starttime && *starttime)
_kdc_audit_addkv_number((kdc_request_t)r, "start", *starttime);
_kdc_audit_setkv_number((kdc_request_t)r, "start", *starttime);
if (endtime)
_kdc_audit_addkv_number((kdc_request_t)r, "end", endtime);
_kdc_audit_setkv_number((kdc_request_t)r, "end", endtime);
if (renew_till && *renew_till)
_kdc_audit_addkv_number((kdc_request_t)r, "renew", *renew_till);
_kdc_audit_setkv_number((kdc_request_t)r, "renew", *renew_till);
krb5_format_time(r->context, authtime,
authtime_str, sizeof(authtime_str), TRUE);
@@ -488,7 +488,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
_kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s",
r->cname);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_PKINIT_FAILED);
goto out;
}
@@ -500,7 +500,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
if (ret) {
_kdc_set_e_text(r, "PKINIT certificate not allowed to "
"impersonate principal");
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED);
goto out;
}
@@ -520,7 +520,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
ret = _kdc_add_initial_verified_cas(r->context, r->config,
pkp, &r->et);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_PKINIT_SUCCEEDED);
out:
@@ -553,7 +553,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
if (ret) {
_kdc_set_e_text(r, "GSS-API client not allowed to "
"impersonate principal");
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED);
goto out;
}
@@ -562,7 +562,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
_kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s",
r->cname, client_name);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_GSS_PA_SUCCEEDED);
ret = _kdc_gss_mk_composite_name_ad(r, gcp);
@@ -576,7 +576,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
if (ret) {
if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED) {
_kdc_set_e_text(r, "Failed to build GSS pre-authentication reply");
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_GSS_PA_FAILED);
}
@@ -640,7 +640,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_CLIENT_LOCKED_OUT);
return ret;
}
@@ -767,13 +767,13 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
/*
* Success
*/
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED);
goto out;
}
if (invalidPassword) {
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_LTK_PREAUTH_FAILED);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
} else {
@@ -813,7 +813,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_CLIENT_LOCKED_OUT);
return ret;
}
@@ -882,9 +882,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
_kdc_r_log(r, 2, "Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
r->cname, str ? str : "unknown enctype", msg);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
pa_key->key.keytype);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_LTK_PREAUTH_FAILED);
if(hdb_next_enctype2key(r->context, &r->client->entry, NULL,
enc_data.etype, &pa_key) == 0)
@@ -920,7 +920,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
(unsigned)labs(kdc_time - p.patimestamp),
r->context->max_skew,
r->cname);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_CLIENT_TIME_SKEW);
/*
@@ -945,9 +945,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
str = NULL;
_kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s",
r->cname, str ? str : "unknown enctype");
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
pa_key->key.keytype);
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED);
ret = 0;
@@ -1849,7 +1849,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
krb5_const_principal canon_princ = NULL;
r->pac_attributes = get_pac_attributes(r->context, &r->req);
_kdc_audit_addkv_number((kdc_request_t)r, "pac_attributes",
_kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
r->pac_attributes);
if (!_kdc_include_pac_p(r))
@@ -2186,7 +2186,7 @@ _kdc_as_rep(astgs_request_t r)
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
krb5_free_error_message(r->context, msg);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_CLIENT_UNKNOWN);
goto out;
}
@@ -2263,7 +2263,7 @@ _kdc_as_rep(astgs_request_t r)
krb5_boolean default_salt;
if (!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT))
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED);
/*
@@ -2281,7 +2281,7 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
if (!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT))
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED);
kdc_log(r->context, config, 4,
"%s pre-authentication succeeded -- %s",
@@ -2376,7 +2376,7 @@ _kdc_as_rep(astgs_request_t r)
r->et.flags.anonymous = 1;
}
_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
HDB_AUTH_EVENT_CLIENT_AUTHORIZED);
/*
@@ -2481,7 +2481,7 @@ _kdc_as_rep(astgs_request_t r)
/* check for valid set of addresses */
if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
if (r->config->warn_ticket_addresses) {
_kdc_audit_addkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
_kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
} else {
_kdc_set_e_text(r, "Request from wrong address");
ret = KRB5KRB_AP_ERR_BADADDR;


@@ -807,7 +807,7 @@ tgs_make_reply(astgs_request_t r,
* is implementation dependent.
*/
if (r->pac && !et->flags.anonymous) {
_kdc_audit_addkv_number((kdc_request_t)r, "pac_attributes",
_kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
r->pac_attributes);
/*
@@ -1119,7 +1119,7 @@ next_kvno:
_kdc_audit_addaddrs((kdc_request_t)r, (*ticket)->ticket.caddr, "tixaddrs");
if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
*ticket != NULL) {
_kdc_audit_addkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
_kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
ret = 0;
}
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
@@ -2343,12 +2343,12 @@ server_lookup:
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
if (config->check_ticket_addresses) {
ret = KRB5KRB_AP_ERR_BADADDR;
_kdc_audit_addkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
_kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
kdc_log(context, config, 4, "Request from wrong address");
_kdc_audit_addreason((kdc_request_t)priv, "Request from wrong address");
goto out;
} else if (config->warn_ticket_addresses) {
_kdc_audit_addkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
_kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
}
}


@@ -668,7 +668,7 @@ check_authz(krb5_context context,
ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
cprincipal);
if (ret == 0) {
_kdc_audit_addkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
_kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s);
if (ret == 0) {
@@ -785,7 +785,7 @@ check_authz(krb5_context context,
if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed)))
goto eacces;
_kdc_audit_addkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
_kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
return 0;
eacces:
@@ -1046,9 +1046,9 @@ _kdc_do_kx509(kx509_req_context r)
out:
hx509_certs_free(&certs);
if (ret == 0 && !is_probe)
_kdc_audit_addkv_bool((kdc_request_t)r, "cert_issued", TRUE);
_kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", TRUE);
else
_kdc_audit_addkv_bool((kdc_request_t)r, "cert_issued", FALSE);
_kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", FALSE);
if (r->ac)
krb5_auth_con_free(r->context, r->ac);
if (ticket)


@@ -17,10 +17,11 @@ EXPORTS
krb5_kdc_update_time
krb5_kdc_pk_initialize
_kdc_audit_addkv
_kdc_audit_addkv_bool
_kdc_audit_addkv_number
_kdc_audit_addkv_object
_kdc_audit_addkv_timediff
_kdc_audit_getkv
_kdc_audit_setkv_bool
_kdc_audit_setkv_number
_kdc_audit_setkv_object
_kdc_audit_addreason
_kdc_audit_vaddkv
_kdc_audit_vaddreason
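Review bot: The hunk header counts (10 old lines, 11 new) imply four added lines against three removed, so one of the names printed once here appears to be new to this export list — most plausibly `_kdc_audit_addkv_timediff`, whose base-library counterpart heim_audit_addkv_timediff is listed in the HEIMDAL_BASE_1.0 version script later in this commit, but which does not appear in the HEIMDAL_KDC_1.0 version-script hunk. If it is being added here, the ELF version script should receive a matching `_kdc_audit_addkv_timediff;` entry so the KDC library exports the same symbol set on every platform. This is inferred from the line counts; please confirm against the full file.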


@@ -95,21 +95,21 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
}
void
_kdc_audit_addkv_bool(kdc_request_t r, const char *k, krb5_boolean v)
_kdc_audit_setkv_bool(kdc_request_t r, const char *k, krb5_boolean v)
{
heim_audit_addkv_bool((heim_svc_req_desc)r, k, (int)v);
heim_audit_setkv_bool((heim_svc_req_desc)r, k, (int)v);
}
void
_kdc_audit_addkv_number(kdc_request_t r, const char *k, int64_t v)
_kdc_audit_setkv_number(kdc_request_t r, const char *k, int64_t v)
{
heim_audit_addkv_number((heim_svc_req_desc)r, k, v);
heim_audit_setkv_number((heim_svc_req_desc)r, k, v);
}
void
_kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj)
_kdc_audit_setkv_object(kdc_request_t r, const char *k, heim_object_t obj)
{
heim_audit_addkv_object((heim_svc_req_desc)r, k, obj);
heim_audit_setkv_object((heim_svc_req_desc)r, k, obj);
}
heim_object_t
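Review bot: `_kdc_audit_setkv_number` accepts an `int64_t` but forwards it unchanged to heim_audit_setkv_number, whose parameter is `intptr_t` (see the heim_audit_setkv_number hunk later in this commit), so on ILP32 targets the value is silently narrowed; the rename leaves that implicit conversion undocumented. Either make it explicit with a comment, `heim_audit_setkv_number((heim_svc_req_desc)r, k, (intptr_t)v); /* NOTE: narrows on ILP32 targets */`, or widen the base API in the follow-up the commit message anticipates. The same observation applies to the `(int)v` cast in `_kdc_audit_setkv_bool`, which is harmless for krb5_boolean but equally worth a one-line comment.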


@@ -21,9 +21,9 @@ HEIMDAL_KDC_1.0 {
krb5_kdc_update_time;
krb5_kdc_pk_initialize;
_kdc_audit_addkv;
_kdc_audit_addkv_bool;
_kdc_audit_addkv_number;
_kdc_audit_addkv_object;
_kdc_audit_setkv_bool;
_kdc_audit_setkv_number;
_kdc_audit_setkv_object;
_kdc_audit_getkv;
_kdc_audit_addreason;
_kdc_audit_vaddkv;


@@ -849,7 +849,7 @@ heim_audit_addkv_timediff(heim_svc_req_desc r, const char *k,
}
void
heim_audit_addkv_bool(heim_svc_req_desc r, const char *k, int v)
heim_audit_setkv_bool(heim_svc_req_desc r, const char *k, int v)
{
heim_string_t key = heim_string_create(k);
heim_number_t value;
@@ -857,8 +857,8 @@ heim_audit_addkv_bool(heim_svc_req_desc r, const char *k, int v)
if (key == NULL)
return;
heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_bool(): "
"adding kv pair %s=%s", k, v ? "true" : "false");
heim_log(r->hcontext, r->logf, 7, "heim_audit_setkv_bool(): "
"setting kv pair %s=%s", k, v ? "true" : "false");
value = heim_bool_create(v);
heim_dict_set_value(r->kv, key, value);
@@ -867,7 +867,7 @@ heim_audit_addkv_bool(heim_svc_req_desc r, const char *k, int v)
}
void
heim_audit_addkv_number(heim_svc_req_desc r, const char *k, intptr_t v)
heim_audit_setkv_number(heim_svc_req_desc r, const char *k, intptr_t v)
{
heim_string_t key = heim_string_create(k);
heim_number_t value;
@@ -875,8 +875,8 @@ heim_audit_addkv_number(heim_svc_req_desc r, const char *k, intptr_t v)
if (key == NULL)
return;
heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_number(): "
"adding kv pair %s=%ld", k, v);
heim_log(r->hcontext, r->logf, 7, "heim_audit_setkv_number(): "
"setting kv pair %s=%ld", k, v);
value = heim_number_create(v);
heim_dict_set_value(r->kv, key, value);
@@ -885,7 +885,7 @@ heim_audit_addkv_number(heim_svc_req_desc r, const char *k, intptr_t v)
}
void
heim_audit_addkv_object(heim_svc_req_desc r, const char *k, heim_object_t value)
heim_audit_setkv_object(heim_svc_req_desc r, const char *k, heim_object_t value)
{
heim_string_t key = heim_string_create(k);
heim_string_t descr;
@@ -894,8 +894,8 @@ heim_audit_addkv_object(heim_svc_req_desc r, const char *k, heim_object_t value)
return;
descr = heim_json_copy_serialize(value, 0, NULL);
heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_object(): "
"adding kv pair %s=%s",
heim_log(r->hcontext, r->logf, 7, "heim_audit_setkv_object(): "
"setting kv pair %s=%s",
k, descr ? heim_string_get_utf8(descr) : "<unprintable>");
heim_dict_set_value(r->kv, key, value);
heim_release(key);
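Review bot: The rewritten log call in heim_audit_setkv_number still formats the `intptr_t` argument `v` with `%ld`, which is only correct where intptr_t and long have the same width (not on LLP64 targets such as 64-bit Windows) and is undefined behaviour otherwise. Since the line is being rewritten anyway, use a matching conversion: `"setting kv pair %s=%" PRIdPTR, k, v` with <inttypes.h>, or `"setting kv pair %s=%jd", k, (intmax_t)v`. heim_audit_setkv_number starts in the preceding hunk of this section and its tail after heim_dict_set_value lies outside the hunk.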


@@ -29,10 +29,10 @@ HEIMDAL_BASE_1.0 {
heim_array_iterate_reverse_f;
heim_array_set_value;
heim_audit_addkv;
heim_audit_addkv_bool;
heim_audit_addkv_number;
heim_audit_addkv_object;
heim_audit_addkv_timediff;
heim_audit_setkv_bool;
heim_audit_setkv_number;
heim_audit_setkv_object;
heim_audit_addreason;
heim_audit_getkv;
heim_audit_trail;