s4:auth: Split out new function to generate a security token

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
author: Joseph Sutton <josephsutton@catalyst.net.nz> 2023-05-09 14:30:40 +1200
committer: Andrew Bartlett <abartlet@samba.org> 2023-05-18 01:03:37 +0000
commit: e2e752b5461ab3806d8ac9165ee82a77dff6a063 (patch)
tree: 9dd0cd987c29112d3d04b3ad315414b96902ff01
parent: 024e5f7e92acd81a53e95b0652c08688e54d251a (diff)
download: samba-e2e752b5461ab3806d8ac9165ee82a77dff6a063.tar.gz
2 files changed, 82 insertions, 44 deletions
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 2e28bc15c6d..bac644d443c 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -49,54 +49,26 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
 	return session_info;
 }
 
-_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
-					     struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
-					     struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
-					     const struct auth_user_info_dc *user_info_dc,
-					     uint32_t session_info_flags,
-					     struct auth_session_info **_session_info)
+_PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
+					       struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
+					       struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
+					       const struct auth_user_info_dc *user_info_dc,
+					       uint32_t session_info_flags,
+					       struct security_token **_security_token)
 {
-	struct auth_session_info *session_info;
+	struct security_token *security_token = NULL;
 	NTSTATUS nt_status;
-	uint32_t i, num_sids = 0;
-
-	const char *filter;
-
+	uint32_t i;
+	uint32_t num_sids = 0;
+	const char *filter = NULL;
 	struct auth_SidAttr *sids = NULL;
-	const struct dom_sid *anonymous_sid, *system_sid;
+	const struct dom_sid *anonymous_sid = NULL;
+	const struct dom_sid *system_sid = NULL;
 
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
-
-	session_info = talloc_zero(tmp_ctx, struct auth_session_info);
-	if (session_info == NULL) {
-		TALLOC_FREE(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	session_info->info = talloc_reference(session_info, user_info_dc->info);
-
-	session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
-	if (session_info->torture == NULL) {
-		TALLOC_FREE(tmp_ctx);
+	if (tmp_ctx == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
-	session_info->torture->num_dc_sids = user_info_dc->num_sids;
-	session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
-	if (session_info->torture->dc_sids == NULL) {
-		TALLOC_FREE(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	/* unless set otherwise, the session key is the user session
-	 * key from the auth subsystem */ 
-	session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
-	if (!session_info->session_key.data && session_info->session_key.length) {
-		if (session_info->session_key.data == NULL) {
-			TALLOC_FREE(tmp_ctx);
-			return NT_STATUS_NO_MEMORY;
-		}
-	}
 
 	anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
 	if (anonymous_sid == NULL) {
@@ -176,7 +148,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		/* Don't expand nested groups of system, anonymous etc*/
 	} else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX].sid)) {
 		/* Don't expand nested groups of system, anonymous etc*/
-	} else if (sam_ctx) {
+	} else if (sam_ctx != NULL) {
 		filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:"LDB_OID_COMPARATOR_AND":=%u))",
 					 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
 
@@ -211,12 +183,72 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		}
 	}
 
-	nt_status = security_token_create(session_info,
+	nt_status = security_token_create(mem_ctx,
 					  lp_ctx,
 					  num_sids,
 					  sids,
 					  session_info_flags,
-					  &session_info->security_token);
+					  &security_token);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		TALLOC_FREE(tmp_ctx);
+		return nt_status;
+	}
+
+	talloc_steal(mem_ctx, security_token);
+	*_security_token = security_token;
+	talloc_free(tmp_ctx);
+	return NT_STATUS_OK;
+}
+
+_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
+					     struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+					     struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
+					     const struct auth_user_info_dc *user_info_dc,
+					     uint32_t session_info_flags,
+					     struct auth_session_info **_session_info)
+{
+	struct auth_session_info *session_info;
+	NTSTATUS nt_status;
+
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+
+	session_info = talloc_zero(tmp_ctx, struct auth_session_info);
+	if (session_info == NULL) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	session_info->info = talloc_reference(session_info, user_info_dc->info);
+
+	session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
+	if (session_info->torture == NULL) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+	session_info->torture->num_dc_sids = user_info_dc->num_sids;
+	session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
+	if (session_info->torture->dc_sids == NULL) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* unless set otherwise, the session key is the user session
+	 * key from the auth subsystem */
+	session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
+	if (!session_info->session_key.data && session_info->session_key.length) {
+		if (session_info->session_key.data == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	nt_status = auth_generate_security_token(session_info,
+						 lp_ctx,
+						 sam_ctx,
+						 user_info_dc,
+						 session_info_flags,
+						 &session_info->security_token);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		TALLOC_FREE(tmp_ctx);
 		return nt_status;
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 2d42396a556..ef736b58e31 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -36,6 +36,12 @@ struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ;
 NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
 					     const char *netbios_name,
 					     struct auth_user_info_dc **interim_info);
+NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
+				       struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
+				       struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
+				       const struct auth_user_info_dc *user_info_dc,
+				       uint32_t session_info_flags,
+				       struct security_token **_security_token);
 NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 				    struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
 				    struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
author	Joseph Sutton <josephsutton@catalyst.net.nz>	2023-05-09 14:30:40 +1200
committer	Andrew Bartlett <abartlet@samba.org>	2023-05-18 01:03:37 +0000
commit	e2e752b5461ab3806d8ac9165ee82a77dff6a063 (patch)
tree	9dd0cd987c29112d3d04b3ad315414b96902ff01
parent	024e5f7e92acd81a53e95b0652c08688e54d251a (diff)
download	samba-e2e752b5461ab3806d8ac9165ee82a77dff6a063.tar.gz