auth: Add hooks for notification of authentication events over the message bus

This will allow tests to be written to confirm the correct events are triggered. We pass in a messaging context from the callers Signed-off-by: Andrew Bartlett <abartlet@samba.org>
author: Andrew Bartlett <abartlet@samba.org> 2017-03-24 15:18:46 +1300
committer: Andrew Bartlett <abartlet@samba.org> 2017-03-29 02:37:28 +0200
commit: d0041960363c981224552d4ce7ac3092679ee2c6 (patch)
tree: 8c76050e625360ea4955f537e73022944ac01725 /auth
parent: 631f1bcce68062e1c8e653024999b79589a80eaf (diff)
download: samba-d0041960363c981224552d4ce7ac3092679ee2c6.tar.gz
4 files changed, 80 insertions, 14 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c
index afe51d2122f..63b531ca1a0 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -200,7 +200,8 @@ static void auth_message_send(struct imessaging_context *msg_ctx,
  * Write the json object to the debug logs.
  *
  */
-static void log_json( struct json_context *context,
+static void log_json(struct imessaging_context *msg_ctx,
+		     struct json_context *context,
 		     const char *type, int debug_class, int debug_level)
 {
 	char* json = NULL;
@@ -217,6 +218,7 @@ static void log_json( struct json_context *context,
 	}
 
 	DEBUGC( debug_class, debug_level, ( "JSON %s: %s\n", type, json));
+	auth_message_send(msg_ctx, json);
 
 	if (json) {
 		free(json);
@@ -446,6 +448,8 @@ static void add_sid(struct json_context *context,
  *           \t\(.Authentication.localAddress)"'
  */
 static void log_authentication_event_json(
+	                struct imessaging_context *msg_ctx,
+			struct loadparm_context *lp_ctx,
 			const struct auth_usersupplied_info *ui,
 			NTSTATUS status,
 			const char *domain_name,
@@ -498,7 +502,7 @@ static void log_authentication_event_json(
 	add_string(&authentication, "passwordType", get_password_type( ui));
 	add_object(&context,AUTH_JSON_TYPE, &authentication);
 
-	log_json(&context, AUTH_JSON_TYPE, DBGC_AUTH_AUDIT, debug_level);
+	log_json(msg_ctx, &context, AUTH_JSON_TYPE, DBGC_AUTH_AUDIT, debug_level);
 	free_json_context(&context);
 }
 
@@ -523,6 +527,8 @@ static void log_authentication_event_json(
  *
  */
 static void log_successful_authz_event_json(
+				struct imessaging_context *msg_ctx,
+				struct loadparm_context *lp_ctx,
 				const struct tsocket_address *remote,
 				const struct tsocket_address *local,
 				const char *service_description,
@@ -559,7 +565,8 @@ static void log_successful_authz_event_json(
 	add_string(&authorization, "accountFlags", account_flags);
 	add_object(&context,AUTHZ_JSON_TYPE, &authorization);
 
-	log_json(&context,
+	log_json(msg_ctx,
+		 &context,
 		 AUTHZ_JSON_TYPE,
 		 DBGC_AUTH_AUDIT,
 		 debug_level);
@@ -568,7 +575,29 @@ static void log_successful_authz_event_json(
 
 #else
 
+static void log_no_json(struct imessaging_context *msg_ctx,
+                        struct loadparm_context *lp_ctx)
+{
+	if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
+		static bool auth_event_logged = false;
+		if (auth_event_logged == false) {
+			auth_event_logged = true;
+			DBG_ERR("auth event notification = true but Samba was not compiled with jansson\n");
+		}
+	} else {
+		static bool json_logged = false;
+		if (json_logged == false) {
+			json_logged = true;
+			DBG_NOTICE("JSON auth logs not available unless compiled with jansson\n");
+		}
+	}
+
+	return;
+}
+
 static void log_authentication_event_json(
+	                struct imessaging_context *msg_ctx,
+			struct loadparm_context *lp_ctx,
 			const struct auth_usersupplied_info *ui,
 			NTSTATUS status,
 			const char *domain_name,
@@ -577,10 +606,13 @@ static void log_authentication_event_json(
 			struct dom_sid *sid,
 			int debug_level)
 {
+	log_no_json(msg_ctx, lp_ctx);
 	return;
 }
 
 static void log_successful_authz_event_json(
+				struct imessaging_context *msg_ctx,
+				struct loadparm_context *lp_ctx,
 				const struct tsocket_address *remote,
 				const struct tsocket_address *local,
 				const char *service_description,
@@ -589,6 +621,7 @@ static void log_successful_authz_event_json(
 				struct auth_session_info *session_info,
 				int debug_level)
 {
+	log_no_json(msg_ctx, lp_ctx);
 	return;
 }
 
@@ -722,7 +755,9 @@ static void log_authentication_event_human_readable(
  * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
  * authentication events over the message bus.
  */
-void log_authentication_event( const struct auth_usersupplied_info *ui,
+void log_authentication_event(struct imessaging_context *msg_ctx,
+			      struct loadparm_context *lp_ctx,
+			      const struct auth_usersupplied_info *ui,
 			      NTSTATUS status,
 			      const char *domain_name,
 			      const char *account_name,
@@ -748,8 +783,10 @@ void log_authentication_event( const struct auth_usersupplied_info *ui,
 							sid,
 							debug_level);
 	}
-	if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level)) {
-		log_authentication_event_json(ui,
+	if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level) ||
+	    (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
+		log_authentication_event_json(msg_ctx, lp_ctx,
+					      ui,
 					      status,
 					      domain_name,
 					      account_name,
@@ -823,7 +860,9 @@ static void log_successful_authz_event_human_readable(
  * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
  * authentication events over the message bus.
  */
-void log_successful_authz_event(const struct tsocket_address *remote,
+void log_successful_authz_event(struct imessaging_context *msg_ctx,
+				struct loadparm_context *lp_ctx,
+				const struct tsocket_address *remote,
 				const struct tsocket_address *local,
 				const char *service_description,
 				const char *auth_type,
@@ -846,8 +885,10 @@ void log_successful_authz_event(const struct tsocket_address *remote,
 							  session_info,
 							  debug_level);
 	}
-	if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level)) {
-		log_successful_authz_event_json(remote,
+	if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level) ||
+	    (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
+		log_successful_authz_event_json(msg_ctx, lp_ctx,
+						remote,
 						local,
 						service_description,
 						auth_type,
diff --git a/auth/common_auth.h b/auth/common_auth.h
index f94c5f15a79..db59cbb99f3 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -152,14 +152,38 @@ struct auth4_context {
 #define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
 #define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
 
-void log_authentication_event(const struct auth_usersupplied_info *ui,
+/*
+ * Log details of an authentication attempt.
+ * Successful and unsuccessful attempts are logged.
+ *
+ * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
+ * authentication events over the message bus.
+ */
+void log_authentication_event(struct imessaging_context *msg_ctx,
+			      struct loadparm_context *lp_ctx,
+			      const struct auth_usersupplied_info *ui,
 			      NTSTATUS status,
 			      const char *account_name,
 			      const char *domain_name,
 			      const char *unix_username,
 			      struct dom_sid *sid);
 
-void log_successful_authz_event(const struct tsocket_address *remote,
+/*
+ * Log details of a successful authorization to a service.
+ *
+ * Only successful authorizations are logged.  For clarity:
+ * - NTLM bad passwords will be recorded by log_authentication_event
+ * - Kerberos decrypt failures need to be logged in gensec_gssapi et al
+ *
+ * The service may later refuse authorization due to an ACL.
+ *
+ *
+ * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
+ * authorization events over the message bus.
+ */
+void log_successful_authz_event(struct imessaging_context *msg_ctx,
+				struct loadparm_context *lp_ctx,
+				const struct tsocket_address *remote,
 				const struct tsocket_address *local,
 				const char *service_description,
 				const char *auth_type,
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 2cd5a22a9a9..6cc82e61176 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -233,7 +233,9 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
 	} else {
 		transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
 	}
-	log_successful_authz_event(remote, local,
+	log_successful_authz_event(gensec_security->auth_context->msg_ctx,
+				   gensec_security->auth_context->lp_ctx,
+				   remote, local,
 				   service_description,
 				   final_auth_type,
 				   transport_protection,
diff --git a/auth/wscript_build b/auth/wscript_build
index 9e55e1000c7..88e9a039314 100644
--- a/auth/wscript_build
+++ b/auth/wscript_build
@@ -3,8 +3,7 @@
 bld.SAMBA_LIBRARY('common_auth',
                   source='auth_sam_reply.c wbc_auth_util.c auth_log.c',
                   deps='talloc samba-security samba-util util_str_escape LIBTSOCKET jansson MESSAGING_SEND server_id_db ',
-                  private_library=True,
-                  allow_warnings=True)
+                  private_library=True)
 
 bld.RECURSE('gensec')
 bld.RECURSE('ntlmssp')
author	Andrew Bartlett <abartlet@samba.org>	2017-03-24 15:18:46 +1300
committer	Andrew Bartlett <abartlet@samba.org>	2017-03-29 02:37:28 +0200
commit	d0041960363c981224552d4ce7ac3092679ee2c6 (patch)
tree	8c76050e625360ea4955f537e73022944ac01725 /auth
parent	631f1bcce68062e1c8e653024999b79589a80eaf (diff)
download	samba-d0041960363c981224552d4ce7ac3092679ee2c6.tar.gz