s4-auth Rework auth subsystem to remove struct auth_serversupplied_info

This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett

1 files changed, 26 insertions, 17 deletions

diff --git a/source4/auth/session.c b/source4/auth/session.c
index 060f6d2eb6f..a6b8b2688ce 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -44,7 +44,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
 _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 					     struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
 					     struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
-					     struct auth_serversupplied_info *server_info,
+					     struct auth_user_info_dc *user_info_dc,
 					     uint32_t session_info_flags,
 					     struct auth_session_info **_session_info)
 {
@@ -63,11 +63,20 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	session_info = talloc(tmp_ctx, struct auth_session_info);
 	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
 
-	session_info->server_info = talloc_reference(session_info, server_info);
+	session_info->info = talloc_reference(session_info, user_info_dc->info);
+
+	session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
+	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx);
+	session_info->torture->num_dc_sids = user_info_dc->num_sids;
+	session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
+	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx);
 
 	/* unless set otherwise, the session key is the user session
 	 * key from the auth subsystem */ 
-	session_info->session_key = server_info->user_session_key;
+	session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
+	if (!session_info->session_key.data && session_info->session_key.length) {
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx);
+	}
 
 	anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
 	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx);
@@ -75,40 +84,40 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
 	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
 
-	sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids);
+	sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids);
 	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
 	if (!sids) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	num_sids = server_info->num_sids;
+	num_sids = user_info_dc->num_sids;
 
-	for (i=0; i < server_info->num_sids; i++) {
-		sids[i] = server_info->sids[i];
+	for (i=0; i < user_info_dc->num_sids; i++) {
+		sids[i] = user_info_dc->sids[i];
 	}
 
-	if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
+	if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
 		/* Don't expand nested groups of system, anonymous etc*/
-	} else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
+	} else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
 		/* Don't expand nested groups of system, anonymous etc*/
 	} else if (sam_ctx) {
 		filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
 					 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
 
 		/* Search for each group in the token */
-		for (i = 0; i < server_info->num_sids; i++) {
+		for (i = 0; i < user_info_dc->num_sids; i++) {
 			char *sid_string;
 			const char *sid_dn;
 			DATA_BLOB sid_blob;
 			
 			sid_string = dom_sid_string(tmp_ctx,
-						      &server_info->sids[i]);
-			NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info);
+						      &user_info_dc->sids[i]);
+			NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
 			
 			sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
 			talloc_free(sid_string);
-			NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info);
+			NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc);
 			sid_blob = data_blob_string_const(sid_dn);
 			
 			/* This function takes in memberOf values and expands
@@ -156,21 +165,21 @@ NTSTATUS authsam_get_session_info_principal(TALLOC_CTX *mem_ctx,
 					    struct auth_session_info **session_info)
 {
 	NTSTATUS nt_status;
-	struct auth_serversupplied_info *server_info;
+	struct auth_user_info_dc *user_info_dc;
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	if (!tmp_ctx) {
 		return NT_STATUS_NO_MEMORY;
 	}
-	nt_status = authsam_get_server_info_principal(tmp_ctx, lp_ctx, sam_ctx,
+	nt_status = authsam_get_user_info_dc_principal(tmp_ctx, lp_ctx, sam_ctx,
 						      principal, user_dn,
-						      &server_info);
+						      &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
 		return nt_status;
 	}
 
 	nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, sam_ctx,
-					       server_info, session_info_flags,
+					       user_info_dc, session_info_flags,
 					       session_info);
 
 	if (NT_STATUS_IS_OK(nt_status)) {