oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: preserve value types in auditing

Browse Source 
Preserve integer/boolean audit values as their native types; convert to strings
when logging only. This commit goes some way towards unifying the two auditing
APIs.
This commit is contained in:
Luke Howard
2022-01-01 16:50:58 +11:00
parent b1dcc1a474
commit cc0874d410
12 changed files with 98 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
kdc/bx509d.c
View File

@@ -485,8 +485,8 @@ bad_reqv(struct bx509_request_desc *r,
char *formatted = NULL; char *formatted = NULL;
char *msg = NULL; char *msg = NULL;
heim_audit_addkv((heim_svc_req_desc)r, 0, "http-status-code", "%d", heim_audit_addkv_number((heim_svc_req_desc)r, "http-status-code",
http_status_code); http_status_code);
(void) gettimeofday(&r->tv_end, NULL); (void) gettimeofday(&r->tv_end, NULL);
if (code == ENOMEM) { if (code == ENOMEM) {
if (r->context) if (r->context)
@@ -669,13 +669,13 @@ bx509_param_cb(void *d,
&oid); &oid);
der_free_oid(&oid); der_free_oid(&oid);
} else if (strcmp(key, "csr") == 0 && val) { } else if (strcmp(key, "csr") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_csr", "true"); heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_csr", TRUE);
r->ret = 0; /* Handled upstairs */ r->ret = 0; /* Handled upstairs */
} else if (strcmp(key, "lifetime") == 0 && val) { } else if (strcmp(key, "lifetime") == 0 && val) {
r->req_life = parse_time(val, "day"); r->req_life = parse_time(val, "day");
} else { } else {
/* Produce error for unknown params */ /* Produce error for unknown params */
heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_unknown", "true"); heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, r->ret = ENOTSUP, krb5_set_error_message(r->context, r->ret = ENOTSUP,
"Query parameter %s not supported", key); "Query parameter %s not supported", key);
} }
@@ -1738,7 +1738,7 @@ get_tgt_param_cb(void *d,
r->req_life = parse_time(val, "day"); r->req_life = parse_time(val, "day");
} else { } else {
/* Produce error for unknown params */ /* Produce error for unknown params */
heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_unknown", "true"); heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, r->ret = ENOTSUP, krb5_set_error_message(r->context, r->ret = ENOTSUP,
"Query parameter %s not supported", key); "Query parameter %s not supported", key);
} }

6
kdc/httpkadmind.c
View File

@@ -700,8 +700,8 @@ bad_reqv(kadmin_request_desc r,
if (r && r->context) if (r && r->context)
context = r->context; context = r->context;
if (r && r->hcontext && r->kv) if (r && r->hcontext && r->kv)
heim_audit_addkv((heim_svc_req_desc)r, 0, "http-status-code", "%d", heim_audit_addkv_number((heim_svc_req_desc)r, "http-status-code",
http_status_code); http_status_code);
(void) gettimeofday(&r->tv_end, NULL); (void) gettimeofday(&r->tv_end, NULL);
if (code == ENOMEM) { if (code == ENOMEM) {
if (context) if (context)
@@ -1046,7 +1046,7 @@ param_cb(void *d,
#endif #endif
} else { } else {
/* Produce error for unknown params */ /* Produce error for unknown params */
heim_audit_addkv((heim_svc_req_desc)r, 0, "requested_unknown", "true"); heim_audit_addkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, ret = ENOTSUP, krb5_set_error_message(r->context, ret = ENOTSUP,
"Query parameter %s not supported", key); "Query parameter %s not supported", key);
} }

17
kdc/kerberos5.c
View File

@@ -498,15 +498,13 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
endtime_str[100], renewtime_str[100]; endtime_str[100], renewtime_str[100];
if (authtime) if (authtime)
_kdc_audit_addkv((kdc_request_t)r, 0, "auth", "%ld", (long)authtime); _kdc_audit_addkv_number((kdc_request_t)r, "auth", authtime);
if (starttime && *starttime) if (starttime && *starttime)
_kdc_audit_addkv((kdc_request_t)r, 0, "start", "%ld", _kdc_audit_addkv_number((kdc_request_t)r, "start", *starttime);
(long)*starttime);
if (endtime) if (endtime)
_kdc_audit_addkv((kdc_request_t)r, 0, "end", "%ld", (long)endtime); _kdc_audit_addkv_number((kdc_request_t)r, "end", endtime);
if (renew_till && *renew_till) if (renew_till && *renew_till)
_kdc_audit_addkv((kdc_request_t)r, 0, "renew", "%ld", _kdc_audit_addkv_number((kdc_request_t)r, "renew", *renew_till);
(long)*renew_till);
krb5_format_time(r->context, authtime, krb5_format_time(r->context, authtime,
authtime_str, sizeof(authtime_str), TRUE); authtime_str, sizeof(authtime_str), TRUE);
@@ -984,8 +982,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
str = NULL; str = NULL;
_kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s", _kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s",
r->cname, str ? str : "unknown enctype"); r->cname, str ? str : "unknown enctype");
_kdc_audit_addkv((kdc_request_t)r, 0, "pa-etype", "%d", _kdc_audit_addkv_number((kdc_request_t)r, "pa-etype", (int64_t)pa_key->key.keytype);
(int)pa_key->key.keytype);
audit_auth_event(r, HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED, audit_auth_event(r, HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED,
str ? str : "unknown enctype"); str ? str : "unknown enctype");
@@ -1888,8 +1885,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
krb5_const_principal canon_princ = NULL; krb5_const_principal canon_princ = NULL;
r->pac_attributes = get_pac_attributes(r->context, &r->req); r->pac_attributes = get_pac_attributes(r->context, &r->req);
_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx", _kdc_audit_addkv_number((kdc_request_t)r, "pac_attributes",
(long)r->pac_attributes); r->pac_attributes);
if (!_kdc_include_pac_p(r)) if (!_kdc_include_pac_p(r))
return 0; return 0;

4
kdc/krb5tgs.c
View File

@@ -807,8 +807,8 @@ tgs_make_reply(astgs_request_t r,
* is implementation dependent. * is implementation dependent.
*/ */
if (r->pac && !et->flags.anonymous) { if (r->pac && !et->flags.anonymous) {
_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx", _kdc_audit_addkv_number((kdc_request_t)r, "pac_attributes",
(long)r->pac_attributes); r->pac_attributes);
/* /*
* PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES * PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES

8
kdc/kx509.c
View File

@@ -668,7 +668,7 @@ check_authz(krb5_context context,
ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr, ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
cprincipal); cprincipal);
if (ret == 0) { if (ret == 0) {
_kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true"); _kdc_audit_addkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s); ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s);
if (ret == 0) { if (ret == 0) {
@@ -785,7 +785,7 @@ check_authz(krb5_context context,
if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed))) if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed)))
goto eacces; goto eacces;
_kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true"); _kdc_audit_addkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
return 0; return 0;
eacces: eacces:
@@ -1046,9 +1046,9 @@ _kdc_do_kx509(kx509_req_context r)
out: out:
hx509_certs_free(&certs); hx509_certs_free(&certs);
if (ret == 0 && !is_probe) if (ret == 0 && !is_probe)
_kdc_audit_addkv((kdc_request_t)r, 0, "cert_issued", "true"); _kdc_audit_addkv_bool((kdc_request_t)r, "cert_issued", TRUE);
else else
_kdc_audit_addkv((kdc_request_t)r, 0, "cert_issued", "false"); _kdc_audit_addkv_bool((kdc_request_t)r, "cert_issued", FALSE);
if (r->ac) if (r->ac)
krb5_auth_con_free(r->context, r->ac); krb5_auth_con_free(r->context, r->ac);
if (ticket) if (ticket)

2
kdc/libkdc-exports.def
View File

@@ -17,6 +17,8 @@ EXPORTS
krb5_kdc_update_time krb5_kdc_update_time
krb5_kdc_pk_initialize krb5_kdc_pk_initialize
_kdc_audit_addkv _kdc_audit_addkv
_kdc_audit_addkv_bool
_kdc_audit_addkv_number
_kdc_audit_addkv_object _kdc_audit_addkv_object
_kdc_audit_delkv _kdc_audit_delkv
_kdc_audit_getkv _kdc_audit_getkv

12
kdc/process.c
View File

@@ -94,6 +94,18 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
heim_audit_addkv_timediff((heim_svc_req_desc)r,k, start, end); heim_audit_addkv_timediff((heim_svc_req_desc)r,k, start, end);
} }
void
_kdc_audit_addkv_bool(kdc_request_t r, const char *k, krb5_boolean v)
{
heim_audit_addkv_number((heim_svc_req_desc)r, k, (int)v);
}
void
_kdc_audit_addkv_number(kdc_request_t r, const char *k, int64_t v)
{
heim_audit_addkv_number((heim_svc_req_desc)r, k, v);
}
void void
_kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj) _kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj)
{ {

2
kdc/version-script.map
View File

@@ -21,6 +21,8 @@ HEIMDAL_KDC_1.0 {
krb5_kdc_update_time; krb5_kdc_update_time;
krb5_kdc_pk_initialize; krb5_kdc_pk_initialize;
_kdc_audit_addkv; _kdc_audit_addkv;
_kdc_audit_addkv_bool;
_kdc_audit_addkv_number;
_kdc_audit_addkv_object; _kdc_audit_addkv_object;
_kdc_audit_delkv; _kdc_audit_delkv;
_kdc_audit_getkv; _kdc_audit_getkv;

3
lib/base/heimbase.h
View File

@@ -436,9 +436,10 @@ void heim_db_iterate(heim_db_t, heim_string_t,
typedef struct heim_number_data *heim_number_t; typedef struct heim_number_data *heim_number_t;
heim_number_t heim_number_create(int); heim_number_t heim_number_create(int64_t);
heim_tid_t heim_number_get_type_id(void); heim_tid_t heim_number_get_type_id(void);
int heim_number_get_int(heim_number_t); int heim_number_get_int(heim_number_t);
int64_t heim_number_get_long(heim_number_t);
/* /*
* *

52
lib/base/log.c
View File

@@ -817,23 +817,59 @@ heim_audit_addkv_timediff(heim_svc_req_desc r, const char *k,
} }
void void
heim_audit_addkv_object(heim_svc_req_desc r, const char *k, heim_object_t obj) heim_audit_addkv_bool(heim_svc_req_desc r, const char *k, int v)
{ {
heim_string_t key = heim_string_create(k); heim_string_t key = heim_string_create(k);
heim_string_t value; heim_number_t value;
if (key == NULL) if (key == NULL)
return; return;
value = heim_json_copy_serialize(obj, 0, NULL); heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_bool(): "
heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_object(): " "adding kv pair %s=%s", k, v ? "true" : "false");
"adding kv pair %s=%s",
k, value ? heim_string_get_utf8(value) : "<unprintable>"); value = heim_bool_create(v);
heim_dict_set_value(r->kv, key, obj); heim_dict_set_value(r->kv, key, value);
heim_release(key); heim_release(key);
heim_release(value); heim_release(value);
} }
void
heim_audit_addkv_number(heim_svc_req_desc r, const char *k, intptr_t v)
{
heim_string_t key = heim_string_create(k);
heim_number_t value;
if (key == NULL)
return;
heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_number(): "
"adding kv pair %s=%ld", k, v);
value = heim_number_create(v);
heim_dict_set_value(r->kv, key, value);
heim_release(key);
heim_release(value);
}
void
heim_audit_addkv_object(heim_svc_req_desc r, const char *k, heim_object_t value)
{
heim_string_t key = heim_string_create(k);
heim_string_t descr;
if (key == NULL)
return;
descr = heim_json_copy_serialize(value, 0, NULL);
heim_log(r->hcontext, r->logf, 7, "heim_audit_addkv_object(): "
"adding kv pair %s=%s",
k, descr ? heim_string_get_utf8(descr) : "<unprintable>");
heim_dict_set_value(r->kv, key, value);
heim_release(key);
heim_release(descr);
}
void void
heim_audit_delkv(heim_svc_req_desc r, const char *k) heim_audit_delkv(heim_svc_req_desc r, const char *k)
{ {
@@ -883,7 +919,7 @@ audit_trail_iterator(heim_object_t key, heim_object_t value, void *arg)
v = heim_string_get_utf8(value); v = heim_string_get_utf8(value);
break; break;
case HEIM_TID_NUMBER: case HEIM_TID_NUMBER:
snprintf(num, sizeof(num), "%d", heim_number_get_int(value)); snprintf(num, sizeof(num), "%lld", (long long)heim_number_get_long(value));
v = num; v = num;
break; break;
case HEIM_TID_NULL: case HEIM_TID_NULL:

16
lib/base/number.c
View File

@@ -86,16 +86,16 @@ struct heim_type_data _heim_number_object = {
*/ */
heim_number_t heim_number_t
heim_number_create(int number) heim_number_create(int64_t number)
{ {
heim_number_t n; heim_number_t n;
if (number < 0xffffff && number >= 0) if (number < 0xffffff && number >= 0)
return heim_base_make_tagged_object(number, HEIM_TID_NUMBER); return heim_base_make_tagged_object(number, HEIM_TID_NUMBER);
n = _heim_alloc_object(&_heim_number_object, sizeof(int)); n = _heim_alloc_object(&_heim_number_object, sizeof(int64_t));
if (n) if (n)
*((int *)n) = number; *((int64_t *)n) = number;
return n; return n;
} }
@@ -124,5 +124,13 @@ heim_number_get_int(heim_number_t number)
{ {
if (heim_base_is_tagged_object(number)) if (heim_base_is_tagged_object(number))
return heim_base_tagged_object_value(number); return heim_base_tagged_object_value(number);
return *(int *)number; return (int)(*(int64_t *)number);
}
int64_t
heim_number_get_long(heim_number_t number)
{
if (heim_base_is_tagged_object(number))
return heim_base_tagged_object_value(number);
return *(int64_t *)number;
} }

3
lib/base/version-script.map
View File

@@ -29,6 +29,8 @@ HEIMDAL_BASE_1.0 {
heim_array_iterate_reverse_f; heim_array_iterate_reverse_f;
heim_array_set_value; heim_array_set_value;
heim_audit_addkv; heim_audit_addkv;
heim_audit_addkv_bool;
heim_audit_addkv_number;
heim_audit_addkv_object; heim_audit_addkv_object;
heim_audit_addkv_timediff; heim_audit_addkv_timediff;
heim_audit_addreason; heim_audit_addreason;
@@ -150,6 +152,7 @@ HEIMDAL_BASE_1.0 {
heim_null_create; heim_null_create;
heim_number_create; heim_number_create;
heim_number_get_int; heim_number_get_int;
heim_number_get_long;
heim_number_get_type_id; heim_number_get_type_id;
heim_openlog; heim_openlog;
heim_path_copy; heim_path_copy;