authorAndrew Bartlett <abartlet@samba.org>2010-12-21 11:43:04 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-12-21 15:10:38 +1100
commit6f7423c7f1cc3a4596a955a90f315ffbf1025c3b (patch)
tree51a80bb8e78545e1e05f8b0b1804e26144ece8cb
parent1961d7a4119200b8a4ad7b0207e0cdcf2e10d3f8 (diff)
s4-auth Remove duplicate copies of session_info creation code
We now just do or do not call into LDB based on some flags. This means there may be some more link time dependencies, but we seem to deal with those better now. Andrew Bartlett
-rw-r--r--source4/auth/auth.h5
-rw-r--r--source4/auth/gensec/gensec.c16
-rw-r--r--source4/auth/system_session.c156
-rw-r--r--source4/dsdb/samdb/samdb.c27
4 files changed, 46 insertions, 158 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 0f6386fb7a..33c398df99 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -44,8 +44,9 @@ struct loadparm_context;
/* version 0 - till samba4 is stable - metze */
#define AUTH_INTERFACE_VERSION 0
-#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
-#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
+#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
struct auth_serversupplied_info
{
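Review bot: The comment on the new `AUTH_SESSION_INFO_SIMPLE_PRIVILEGES` define misspells "privileges" and does not say what the trivial map grants, which matters for a flag that decides the privilege mask. Going by the security_token_create() hunk in samdb.c, it could read `/* No DB lookup: system and builtin administrators get all privileges, everyone else none */`. The same misspelling ("privilages") appears in the comment added in samdb.c.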
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 0cb0d3d476..3c25f3b913 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -1315,18 +1315,22 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
+ uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (server_info->authenticated) {
+ flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
if (gensec_security->auth_context) {
- uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
- flags |= AUTH_SESSION_INFO_AUTHENTICATED;
- }
nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
server_info,
flags,
session_info);
} else {
- nt_status = auth_generate_simple_session_info(mem_ctx,
- server_info, session_info);
+ flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ nt_status = auth_generate_session_info(mem_ctx,
+ NULL,
+ NULL,
+ server_info, flags,
+ session_info);
}
return nt_status;
}
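Review bot: The two `NULL` arguments in the new else-branch call are safe only if auth_generate_session_info() never dereferences its second and third parameters once `AUTH_SESSION_INFO_SIMPLE_PRIVILEGES` is set, and nothing at the call site records that. A one-line comment above the call, such as `/* no lp_ctx or DB handle: SIMPLE_PRIVILEGES must keep this path off the database */`, would state the contract for the next person who extends auth_generate_session_info(). The same applies to the three calls changed in system_session.c (auth_system_session_info, auth_domain_admin_session_info, auth_anonymous_session_info), which now also pass `NULL` where they used to pass `lp_ctx`. The start of gensec_generate_session_info()'s parameter list is outside the hunk.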
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index 6e0cd7be5a..1058f19f5e 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -29,120 +29,6 @@
#include "auth/session.h"
#include "auth/system_session_proto.h"
-/**
- * Create the SID list for this user.
- *
- * @note Specialised version for system sessions that doesn't use the SAM.
- */
-static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
- struct dom_sid *user_sid,
- struct dom_sid *group_sid,
- unsigned int n_groupSIDs,
- struct dom_sid **groupSIDs,
- bool is_authenticated,
- struct security_token **token)
-{
- struct security_token *ptoken;
- unsigned int i;
-
- ptoken = security_token_initialise(mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(ptoken);
-
- ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 5);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
- ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
- ptoken->privilege_mask = 0;
-
- /*
- * Finally add the "standard" SIDs.
- * The only difference between guest and "anonymous"
- * is the addition of Authenticated_Users.
- */
-
- if (!dom_sid_parse(SID_WORLD, &ptoken->sids[2])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[3])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids = 4;
-
- if (is_authenticated) {
- if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[4])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
- }
-
- for (i = 0; i < n_groupSIDs; i++) {
- size_t check_sid_idx;
- for (check_sid_idx = 1;
- check_sid_idx < ptoken->num_sids;
- check_sid_idx++) {
- if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
- break;
- }
- }
-
- if (check_sid_idx == ptoken->num_sids) {
- ptoken->sids[ptoken->num_sids++] = *groupSIDs[i];
- }
- }
-
- *token = ptoken;
-
- /* Shortcuts to prevent recursion and avoid lookups */
- if (ptoken->sids == NULL) {
- ptoken->privilege_mask = 0;
- return NT_STATUS_OK;
- }
-
- if (security_token_is_system(ptoken)) {
- ptoken->privilege_mask = ~0;
- } else if (security_token_is_anonymous(ptoken)) {
- ptoken->privilege_mask = 0;
- } else if (security_token_has_builtin_administrators(ptoken)) {
- ptoken->privilege_mask = ~0;
- } else {
- /* All other 'users' get a empty priv set so far */
- ptoken->privilege_mask = 0;
- }
- return NT_STATUS_OK;
-}
-
-NTSTATUS auth_generate_simple_session_info(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
- struct auth_session_info **_session_info)
-{
- struct auth_session_info *session_info;
- NTSTATUS nt_status;
-
- session_info = talloc(mem_ctx, struct auth_session_info);
- NT_STATUS_HAVE_NO_MEMORY(session_info);
-
- session_info->server_info = talloc_reference(session_info, server_info);
-
- /* unless set otherwise, the session key is the user session
- * key from the auth subsystem */
- session_info->session_key = server_info->user_session_key;
-
- nt_status = create_token(session_info,
- server_info->account_sid,
- server_info->primary_group_sid,
- server_info->n_domain_groups,
- server_info->domain_groups,
- server_info->authenticated,
- &session_info->security_token);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- session_info->credentials = NULL;
-
- *_session_info = session_info;
- return NT_STATUS_OK;
-}
-
/*
prevent the static system session being freed
@@ -194,7 +80,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
+ nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -368,11 +254,10 @@ static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct dom_sid *domain_sid,
- struct auth_session_info **_session_info)
+ struct auth_session_info **session_info)
{
NTSTATUS nt_status;
struct auth_serversupplied_info *server_info = NULL;
- struct auth_session_info *session_info = NULL;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
@@ -383,34 +268,15 @@ static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
return nt_status;
}
- session_info = talloc(mem_ctx, struct auth_session_info);
- NT_STATUS_HAVE_NO_MEMORY(session_info);
-
- session_info->server_info = talloc_reference(session_info, server_info);
-
- /* unless set otherwise, the session key is the user session
- * key from the auth subsystem */
- session_info->session_key = server_info->user_session_key;
-
- nt_status = create_token(session_info,
- server_info->account_sid,
- server_info->primary_group_sid,
- server_info->n_domain_groups,
- server_info->domain_groups,
- true,
- &session_info->security_token);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- session_info->credentials = cli_credentials_init(session_info);
- if (!session_info->credentials) {
- return NT_STATUS_NO_MEMORY;
+ nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, server_info,
+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
+ session_info);
+ /* There is already a reference between the sesion_info and server_info */
+ if (NT_STATUS_IS_OK(nt_status)) {
+ talloc_steal(parent_ctx, *session_info);
}
-
- cli_credentials_set_conf(session_info->credentials, lp_ctx);
-
- *_session_info = session_info;
-
- return NT_STATUS_OK;
+ talloc_free(mem_ctx);
+ return nt_status;
}
_PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
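Review bot: The rewritten tail of auth_domain_admin_session_info() no longer creates `session_info->credentials` with `cli_credentials_init()` or calls `cli_credentials_set_conf()` with `lp_ctx`, both of which the removed lines did. Unless auth_generate_session_info() sets the field itself (not visible here), admin sessions are now returned without configured credentials, so consumers of admin_session() that read the field should be checked. Either restore the two calls after the `talloc_steal()`, or add a comment such as `/* admin sessions intentionally carry no credentials */`. The new comment also misspells the name: `sesion_info` should be `session_info`. The function's opening lines are in the previous hunk.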
@@ -445,7 +311,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
+ nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 7ba440006a..a8428a9c54 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -222,11 +222,28 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
}
}
- /* setup the privilege mask for this token */
- status = samdb_privilege_setup(lp_ctx, ptoken);
- if (!NT_STATUS_IS_OK(status)) {
- talloc_free(ptoken);
- return status;
+ /* The caller may have requested simple privilages, for example if there isn't a local DB */
+ if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
+ /* Shortcuts to prevent recursion and avoid lookups */
+ if (ptoken->sids == NULL) {
+ ptoken->privilege_mask = 0;
+ } else if (security_token_is_system(ptoken)) {
+ ptoken->privilege_mask = ~0;
+ } else if (security_token_is_anonymous(ptoken)) {
+ ptoken->privilege_mask = 0;
+ } else if (security_token_has_builtin_administrators(ptoken)) {
+ ptoken->privilege_mask = ~0;
+ } else {
+ /* All other 'users' get a empty priv set so far */
+ ptoken->privilege_mask = 0;
+ }
+ } else {
+ /* setup the privilege mask for this token */
+ status = samdb_privilege_setup(lp_ctx, ptoken);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(ptoken);
+ return status;
+ }
}
security_token_debug(0, 10, ptoken);
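Review bot: Under `AUTH_SESSION_INFO_SIMPLE_PRIVILEGES` the privilege mask is decided purely from the SIDs the caller passed in, so a token carrying the builtin administrators SID gets `~0` with no database check. That trust assumption belongs at the top of the new branch, e.g. `/* trusts the caller-supplied SID list: system and builtin administrators get every privilege, everyone else none */`. The `ptoken->sids == NULL` test is carried over from the removed create_token(). Whether it can still be true here depends on code above the hunk, and if the SID array is already filled in by then the branch is dead and could be dropped. security_token_create() starts and ends outside the hunk.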