2 Unix SMB/CIFS implementation.
3 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "python/py3compat.h"
23 #include "python/modules.h"
24 #include "libcli/util/pyerrors.h"
25 #include "param/param.h"
28 #include "auth/system_session_proto.h"
29 #include "auth/auth.h"
30 #include "auth/auth_util.h"
31 #include "param/pyparam.h"
32 #include "libcli/security/security.h"
33 #include "auth/credentials/pycredentials.h"
35 #include "librpc/rpc/pyrpc_util.h"
36 #include "lib/events/events.h"
38 static PyTypeObject PyAuthContext;
40 static PyObject *PyAuthSession_FromSession(struct auth_session_info *session)
42 return py_return_ndr_struct("samba.dcerpc.auth", "session_info", session, session);
45 static PyObject *py_copy_session_info(PyObject *module,
49 PyObject *py_session = Py_None;
50 PyObject *result = Py_None;
51 struct auth_session_info *session = NULL;
52 struct auth_session_info *session_duplicate = NULL;
56 const char * const kwnames[] = { "session_info", NULL };
58 ret = PyArg_ParseTupleAndKeywords(args,
61 discard_const_p(char *, kwnames),
67 ret = py_check_dcerpc_type(py_session,
73 session = pytalloc_get_type(py_session,
74 struct auth_session_info);
76 PyErr_Format(PyExc_TypeError,
77 "Expected auth_session_info for session_info "
79 pytalloc_get_name(py_session));
83 frame = talloc_stackframe();
85 return PyErr_NoMemory();
88 session_duplicate = copy_session_info(frame, session);
89 if (session_duplicate == NULL) {
91 return PyErr_NoMemory();
94 result = PyAuthSession_FromSession(session_duplicate);
99 static PyObject *py_system_session(PyObject *module, PyObject *args)
101 PyObject *py_lp_ctx = Py_None;
102 struct loadparm_context *lp_ctx = NULL;
103 struct auth_session_info *session;
105 if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
108 mem_ctx = talloc_new(NULL);
109 if (mem_ctx == NULL) {
114 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
115 if (lp_ctx == NULL) {
116 talloc_free(mem_ctx);
120 session = system_session(lp_ctx);
122 talloc_free(mem_ctx);
124 return PyAuthSession_FromSession(session);
128 static PyObject *py_admin_session(PyObject *module, PyObject *args)
132 struct loadparm_context *lp_ctx = NULL;
133 struct auth_session_info *session;
134 struct dom_sid *domain_sid = NULL;
137 if (!PyArg_ParseTuple(args, "Os", &py_lp_ctx, &sid))
140 mem_ctx = talloc_new(NULL);
141 if (mem_ctx == NULL) {
146 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
147 if (lp_ctx == NULL) {
148 talloc_free(mem_ctx);
152 domain_sid = dom_sid_parse_talloc(mem_ctx, sid);
153 if (domain_sid == NULL) {
154 PyErr_Format(PyExc_RuntimeError, "Unable to parse sid %s", sid);
155 talloc_free(mem_ctx);
158 session = admin_session(NULL, lp_ctx, domain_sid);
159 talloc_free(mem_ctx);
161 return PyAuthSession_FromSession(session);
164 static PyObject *py_user_session(PyObject *module, PyObject *args, PyObject *kwargs)
167 struct auth_session_info *session;
169 const char * const kwnames[] = { "ldb", "lp_ctx", "principal", "dn", "session_info_flags", NULL };
170 struct ldb_context *ldb_ctx;
171 PyObject *py_ldb = Py_None;
172 PyObject *py_dn = Py_None;
173 PyObject *py_lp_ctx = Py_None;
174 struct loadparm_context *lp_ctx = NULL;
175 struct ldb_dn *user_dn;
176 char *principal = NULL;
177 int session_info_flags = 0; /* This is an int, because that's
178 * what we need for the python
179 * PyArg_ParseTupleAndKeywords */
181 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "O|OzOi",
182 discard_const_p(char *, kwnames),
183 &py_ldb, &py_lp_ctx, &principal, &py_dn, &session_info_flags)) {
187 mem_ctx = talloc_new(NULL);
188 if (mem_ctx == NULL) {
193 ldb_ctx = pyldb_Ldb_AsLdbContext(py_ldb);
194 if (ldb_ctx == NULL) {
195 talloc_free(mem_ctx);
199 if (py_dn == Py_None) {
202 if (!pyldb_Object_AsDn(ldb_ctx, py_dn, ldb_ctx, &user_dn)) {
203 talloc_free(mem_ctx);
208 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
209 if (lp_ctx == NULL) {
210 talloc_free(mem_ctx);
214 nt_status = authsam_get_session_info_principal(mem_ctx, lp_ctx, ldb_ctx, principal, user_dn,
215 session_info_flags, &session);
216 if (!NT_STATUS_IS_OK(nt_status)) {
217 talloc_free(mem_ctx);
218 PyErr_NTSTATUS_IS_ERR_RAISE(nt_status);
221 talloc_steal(NULL, session);
222 talloc_free(mem_ctx);
224 return PyAuthSession_FromSession(session);
227 static PyObject *py_session_info_fill_unix(PyObject *module,
232 char *user_name = NULL;
233 struct loadparm_context *lp_ctx = NULL;
234 struct auth_session_info *session_info;
235 PyObject *py_lp_ctx = Py_None;
236 PyObject *py_session = Py_None;
239 const char * const kwnames[] = { "session_info",
243 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Oz|O",
244 discard_const_p(char *, kwnames),
251 if (!py_check_dcerpc_type(py_session,
256 session_info = pytalloc_get_type(py_session,
257 struct auth_session_info);
259 PyErr_Format(PyExc_TypeError,
260 "Expected auth_session_info for session_info argument got %s",
261 pytalloc_get_name(py_session));
265 frame = talloc_stackframe();
267 lp_ctx = lpcfg_from_py_object(frame, py_lp_ctx);
268 if (lp_ctx == NULL) {
273 nt_status = auth_session_info_fill_unix(lp_ctx,
277 if (!NT_STATUS_IS_OK(nt_status)) {
278 PyErr_NTSTATUS_IS_ERR_RAISE(nt_status);
285 static PyObject *py_session_info_set_unix(PyObject *module,
290 char *user_name = NULL;
293 struct loadparm_context *lp_ctx = NULL;
294 struct auth_session_info *session_info;
295 PyObject *py_lp_ctx = Py_None;
296 PyObject *py_session = Py_None;
299 const char * const kwnames[] = { "session_info",
306 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Ozii|O",
307 discard_const_p(char *, kwnames),
316 if (!py_check_dcerpc_type(py_session,
321 session_info = pytalloc_get_type(py_session,
322 struct auth_session_info);
324 PyErr_Format(PyExc_TypeError,
325 "Expected auth_session_info for session_info "
327 pytalloc_get_name(py_session));
331 frame = talloc_stackframe();
333 lp_ctx = lpcfg_from_py_object(frame, py_lp_ctx);
334 if (lp_ctx == NULL) {
339 nt_status = auth_session_info_set_unix(lp_ctx,
345 if (!NT_STATUS_IS_OK(nt_status)) {
346 PyErr_NTSTATUS_IS_ERR_RAISE(nt_status);
353 static PyObject *PyAuthContext_FromContext(struct auth4_context *auth_context)
355 return pytalloc_reference(&PyAuthContext, auth_context);
358 static PyObject *py_auth_context_new(PyTypeObject *type, PyObject *args, PyObject *kwargs)
360 PyObject *py_lp_ctx = Py_None;
361 PyObject *py_ldb = Py_None;
362 PyObject *py_auth_context = Py_None;
363 PyObject *py_methods = Py_None;
365 struct auth4_context *auth_context;
366 struct loadparm_context *lp_ctx;
367 struct tevent_context *ev;
368 struct ldb_context *ldb = NULL;
370 const char *const *methods;
372 const char *const kwnames[] = {"lp_ctx", "ldb", "methods", NULL};
374 if (!PyArg_ParseTupleAndKeywords(args,
377 discard_const_p(char *, kwnames),
383 mem_ctx = talloc_new(NULL);
384 if (mem_ctx == NULL) {
389 if (py_ldb != Py_None) {
390 ldb = pyldb_Ldb_AsLdbContext(py_ldb);
392 talloc_free(mem_ctx);
397 lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
398 if (lp_ctx == NULL) {
399 talloc_free(mem_ctx);
404 ev = s4_event_context_init(mem_ctx);
406 talloc_free(mem_ctx);
411 if (py_methods == Py_None && py_ldb == Py_None) {
412 nt_status = auth_context_create(
413 mem_ctx, ev, NULL, lp_ctx, &auth_context);
415 if (py_methods != Py_None) {
416 methods = (const char * const *)PyList_AsStringList(mem_ctx, py_methods, "methods");
417 if (methods == NULL) {
418 talloc_free(mem_ctx);
422 methods = auth_methods_from_lp(mem_ctx, lp_ctx);
424 nt_status = auth_context_create_methods(
425 mem_ctx, methods, ev, NULL, lp_ctx, ldb, &auth_context);
428 if (!NT_STATUS_IS_OK(nt_status)) {
429 talloc_free(mem_ctx);
430 PyErr_NTSTATUS_IS_ERR_RAISE(nt_status);
433 if (!talloc_reference(auth_context, lp_ctx)) {
434 talloc_free(mem_ctx);
439 if (!talloc_reference(auth_context, ev)) {
440 talloc_free(mem_ctx);
445 py_auth_context = PyAuthContext_FromContext(auth_context);
447 talloc_free(mem_ctx);
449 return py_auth_context;
452 static PyTypeObject PyAuthContext = {
453 .tp_name = "AuthContext",
454 .tp_flags = Py_TPFLAGS_DEFAULT,
455 .tp_new = py_auth_context_new,
458 static PyMethodDef py_auth_methods[] = {
459 { "system_session", (PyCFunction)py_system_session, METH_VARARGS, NULL },
460 { "admin_session", (PyCFunction)py_admin_session, METH_VARARGS, NULL },
461 { "user_session", PY_DISCARD_FUNC_SIG(PyCFunction,py_user_session),
462 METH_VARARGS|METH_KEYWORDS, NULL },
463 { "session_info_fill_unix",
464 PY_DISCARD_FUNC_SIG(PyCFunction,py_session_info_fill_unix),
465 METH_VARARGS|METH_KEYWORDS,
467 { "session_info_set_unix",
468 PY_DISCARD_FUNC_SIG(PyCFunction,py_session_info_set_unix),
469 METH_VARARGS|METH_KEYWORDS,
471 { "copy_session_info",
472 PY_DISCARD_FUNC_SIG(PyCFunction,py_copy_session_info),
473 METH_VARARGS|METH_KEYWORDS,
478 static struct PyModuleDef moduledef = {
479 PyModuleDef_HEAD_INIT,
481 .m_doc = "Authentication and authorization support.",
483 .m_methods = py_auth_methods,
486 MODULE_INIT_FUNC(auth)
490 if (pytalloc_BaseObject_PyType_Ready(&PyAuthContext) < 0)
493 m = PyModule_Create(&moduledef);
497 Py_INCREF(&PyAuthContext);
498 PyModule_AddObject(m, "AuthContext", (PyObject *)&PyAuthContext);
500 #define ADD_FLAG(val) PyModule_AddIntConstant(m, #val, val)
501 ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS);
502 ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED);
503 ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES);
504 ADD_FLAG(AUTH_SESSION_INFO_NTLM);