gensec: Add a way to request a unix token from GENSEC

[amitay/samba.git] / source4 / auth / gensec / gensec.c

diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 3520585c95f49da1acb145210005a15569e9e31e..7dd3eac3b7c25aeb9afda205400bc786a3753dc2 100644 (file)
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -29,6 +29,7 @@
 #include "librpc/rpc/dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_proto.h"
 #include "auth/auth.h"
 #include "auth/system_session_proto.h"
 #include "param/param.h"
@@ -507,13 +508,13 @@ const char **gensec_security_oids(struct gensec_security *gensec_security,
   @param mem_ctx The parent TALLOC memory context.
   @param gensec_security Returned GENSEC context pointer.
   @note  The mem_ctx is only a parent and may be NULL.
-  @note, the auth context is moved to be a child of the
+  @note, the auth context is moved to be a referenced pointer of the
   @ gensec_security return 
 */
 static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, 
                             struct tevent_context *ev,
                             struct gensec_settings *settings,
-                            struct auth_context *auth_context,
+                            struct auth4_context *auth_context,
                             struct gensec_security **gensec_security)
 {
        if (ev == NULL) {
@@ -521,23 +522,17 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INTERNAL_ERROR;
        }
 
-       (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+       (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
        NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
 
-       (*gensec_security)->ops = NULL;
-       (*gensec_security)->local_addr = NULL;
-       (*gensec_security)->remote_addr = NULL;
-       (*gensec_security)->private_data = NULL;
-
-       ZERO_STRUCT((*gensec_security)->target);
-
-       (*gensec_security)->subcontext = false;
-       (*gensec_security)->want_features = 0;
-
        (*gensec_security)->event_ctx = ev;
        SMB_ASSERT(settings->lp_ctx != NULL);
        (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
-       (*gensec_security)->auth_context = talloc_steal(*gensec_security, auth_context);
+
+       /* We need to reference this, not steal, as the caller may be
+        * python, which won't like it if we steal it's object away
+        * from it */
+       (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
 
        return NT_STATUS_OK;
 }
@@ -554,7 +549,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
                                 struct gensec_security *parent, 
                                 struct gensec_security **gensec_security)
 {
-       (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+       (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
        NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
 
        (**gensec_security) = *parent;
@@ -609,7 +604,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
 _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, 
                                      struct tevent_context *ev,
                                      struct gensec_settings *settings,
-                                     struct auth_context *auth_context,
+                                     struct auth4_context *auth_context,
                                      struct gensec_security **gensec_security)
 {
        NTSTATUS status;
@@ -644,7 +639,7 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
                if (gensec_security->ops->client_start) {
                        status = gensec_security->ops->client_start(gensec_security);
                        if (!NT_STATUS_IS_OK(status)) {
-                               DEBUG(2, ("Failed to start GENSEC client mech %s: %s\n",
+                               DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n",
                                          gensec_security->ops->name, nt_errstr(status))); 
                        }
                        return status;
@@ -718,10 +713,9 @@ _PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_secur
        }
        return oid_string;
 }
-       
 
-/** 
- * Start a GENSEC sub-mechanism with a specifed mechansim structure, used in SPNEGO
+/**
+ * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
  *
  */
 
@@ -1322,22 +1316,33 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
 
 NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
                                      struct gensec_security *gensec_security,
-                                     struct auth_serversupplied_info *server_info,
+                                     struct auth_user_info_dc *user_info_dc,
                                      struct auth_session_info **session_info)
 {
        NTSTATUS nt_status;
+       uint32_t session_info_flags = 0;
+
+       if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+               session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+       }
+
+       session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+       if (user_info_dc->info->authenticated) {
+               session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+       }
+
        if (gensec_security->auth_context) {
-               uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
-               if (server_info->authenticated) {
-                       flags |= AUTH_SESSION_INFO_AUTHENTICATED;
-               }
                nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
-                                                                                server_info,
-                                                                                flags,
+                                                                                user_info_dc,
+                                                                                session_info_flags,
                                                                                 session_info);
        } else {
-               nt_status = auth_generate_simple_session_info(mem_ctx,
-                                                             server_info, session_info);
+               session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+               nt_status = auth_generate_session_info(mem_ctx,
+                                                      NULL,
+                                                      NULL,
+                                                      user_info_dc, session_info_flags,
+                                                      session_info);
        }
        return nt_status;
 }
@@ -1408,23 +1413,18 @@ bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism
 /*
   initialise the GENSEC subsystem
 */
-_PUBLIC_ NTSTATUS gensec_init(struct loadparm_context *lp_ctx)
+_PUBLIC_ NTSTATUS gensec_init(void)
 {
        static bool initialized = false;
-       extern NTSTATUS gensec_sasl_init(void);
-       extern NTSTATUS gensec_krb5_init(void);
-       extern NTSTATUS gensec_schannel_init(void);
-       extern NTSTATUS gensec_spnego_init(void);
-       extern NTSTATUS gensec_gssapi_init(void);
-       extern NTSTATUS gensec_ntlmssp_init(void);
-
+#define _MODULE_PROTO(init) extern NTSTATUS init(void);
+       STATIC_gensec_MODULES_PROTO;
        init_module_fn static_init[] = { STATIC_gensec_MODULES };
        init_module_fn *shared_init;
 
        if (initialized) return NT_STATUS_OK;
        initialized = true;
        
-       shared_init = load_samba_modules(NULL, lp_ctx, "gensec");
+       shared_init = load_samba_modules(NULL, "gensec");
 
        run_init_functions(static_init);
        run_init_functions(shared_init);