From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 3 Nov 2018 00:19:51 +0000 (+0100)
Subject: s4:rpc_server/drsuapi: make use dcesrv_call_session_info()
X-Git-Tag: talloc-2.1.15~127
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=e1caa51146935884080726650d0647b8c1f3dba7;ds=sidebyside

s4:rpc_server/drsuapi: make use dcesrv_call_session_info()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index eac96a3aa12..9796da405f7 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -90,7 +90,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 		auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
 		connected_as_system = true;
 	} else {
-		auth_info = dce_call->conn->auth_state.session_info;
+		auth_info = dcesrv_call_session_info(dce_call);
 	}
 
 	/*
@@ -1011,15 +1011,17 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA
 static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 		       struct drsuapi_DsReplicaGetInfo *r)
 {
+	struct auth_session_info *session_info =
+		dcesrv_call_session_info(dce_call);
 	enum security_user_level level;
 
 	if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
 			 "drs", "disable_sec_check", false)) {
-		level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+		level = security_session_user_level(session_info, NULL);
 		if (level < SECURITY_DOMAIN_CONTROLLER) {
 			DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
 			security_token_debug(DBGC_DRS_REPL, 2,
-					     dce_call->conn->auth_state.session_info->security_token);
+					     session_info->security_token);
 			return WERR_DS_DRA_ACCESS_DENIED;
 		}
 	}
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 6fe254ac96c..7897c35d2e9 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -95,6 +95,8 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
 				enum security_user_level minimum_level,
 				const struct dom_sid *domain_sid)
 {
+	struct auth_session_info *session_info =
+		dcesrv_call_session_info(dce_call);
 	enum security_user_level level;
 
 	if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
@@ -102,12 +104,12 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
 		return WERR_OK;
 	}
 
-	level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
+	level = security_session_user_level(session_info, domain_sid);
 	if (level < minimum_level) {
 		if (call) {
 			DEBUG(0,("%s refused for security token (level=%u)\n",
 				 call, (unsigned)level));
-			security_token_debug(DBGC_DRS_REPL, 2, dce_call->conn->auth_state.session_info->security_token);
+			security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
 		}
 		return WERR_DS_DRA_ACCESS_DENIED;
 	}
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index b48e9c7234d..f3f819a410e 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2698,6 +2698,8 @@ static struct getncchanges_repl_chunk * getncchanges_chunk_new(TALLOC_CTX *mem_c
 WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 				     struct drsuapi_DsGetNCChanges *r)
 {
+	struct auth_session_info *session_info =
+		dcesrv_call_session_info(dce_call);
 	struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
 	int ret;
 	uint32_t i, k;
@@ -2799,12 +2801,12 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 		return WERR_DS_DRA_SOURCE_DISABLED;
 	}
 
-	user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+	user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
 
 	/* all clients must have GUID_DRS_GET_CHANGES */
 	werr = drs_security_access_check_nc_root(sam_ctx,
 						 mem_ctx,
-						 dce_call->conn->auth_state.session_info->security_token,
+						 session_info->security_token,
 						 req10->naming_context,
 						 GUID_DRS_GET_CHANGES);
 	if (!W_ERROR_IS_OK(werr)) {
@@ -2846,7 +2848,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 	if (is_gc_pas_request) {
 		werr = drs_security_access_check_nc_root(sam_ctx,
 							 mem_ctx,
-							 dce_call->conn->auth_state.session_info->security_token,
+							 session_info->security_token,
 							 req10->naming_context,
 							 GUID_DRS_GET_FILTERED_ATTRIBUTES);
 		if (W_ERROR_IS_OK(werr)) {
@@ -2863,7 +2865,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 	if (is_secret_request) {
 		werr = drs_security_access_check_nc_root(sam_ctx,
 							 mem_ctx,
-							 dce_call->conn->auth_state.session_info->security_token,
+							 session_info->security_token,
 							 req10->naming_context,
 							 GUID_DRS_GET_ALL_CHANGES);
 		if (!W_ERROR_IS_OK(werr)) {
@@ -2879,7 +2881,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 allowed:
 	/* for non-administrator replications, check that they have
 	   given the correct source_dsa_invocation_id */
-	security_level = security_session_user_level(dce_call->conn->auth_state.session_info,
+	security_level = security_session_user_level(session_info,
 						     samdb_domain_sid(sam_ctx));
 	if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) {
 		if (req10->replica_flags & DRSUAPI_DRS_WRIT_REP) {
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index c92add744ec..0d3b47a9505 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -336,6 +336,8 @@ failed:
 WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 					  struct drsuapi_DsReplicaUpdateRefs *r)
 {
+	struct auth_session_info *session_info =
+		dcesrv_call_session_info(dce_call);
 	struct dcesrv_handle *h;
 	struct drsuapi_bind_state *b_state;
 	struct drsuapi_DsReplicaUpdateRefsRequest1 *req;
@@ -353,7 +355,7 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 	req = &r->in.req.req1;
 	werr = drs_security_access_check(b_state->sam_ctx,
 					 mem_ctx,
-					 dce_call->conn->auth_state.session_info->security_token,
+					 session_info->security_token,
 					 req->naming_context,
 					 GUID_DRS_MANAGE_TOPOLOGY);
 
@@ -361,16 +363,16 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 		return werr;
 	}
 
-	security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+	security_level = security_session_user_level(session_info, NULL);
 	if (security_level < SECURITY_ADMINISTRATOR) {
 		/* check that they are using an DSA objectGUID that they own */
 		ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
 		                             &req->dest_dsa_guid,
-		                             &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
+		                             &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
 		if (ret != LDB_SUCCESS) {
 			DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
 				 dom_sid_string(mem_ctx,
-						&dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
+						&session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
 				 GUID_string(mem_ctx, &req->dest_dsa_guid)));
 			return WERR_DS_DRA_ACCESS_DENIED;
 		}
diff --git a/source4/rpc_server/drsuapi/writespn.c b/source4/rpc_server/drsuapi/writespn.c
index 991efccae38..9a289897f3e 100644
--- a/source4/rpc_server/drsuapi/writespn.c
+++ b/source4/rpc_server/drsuapi/writespn.c
@@ -53,6 +53,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
 	 * 1) they are on the clients own account object
 	 * 2) they are of the form SERVICE/dnshostname
 	 */
+	struct auth_session_info *session_info =
+		dcesrv_call_session_info(dce_call);
 	struct dom_sid *user_sid, *sid;
 	TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
 	struct ldb_result *res;
@@ -82,7 +84,7 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
 		return false;
 	}
 
-	user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+	user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
 	sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
 	if (sid == NULL) {
 		talloc_free(tmp_ctx);