Current File : //usr/include/krb5/kadm5_auth_plugin.h
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright (C) 2017 by the Massachusetts Institute of Technology.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * * Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in
 *   the documentation and/or other materials provided with the
 *   distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Declarations for kadm5_auth plugin module implementors.
 *
 * The kadm5_auth pluggable interface currently has only one supported major
 * version, which is 1.  Major version 1 has a current minor version number of
 * 1.
 *
 * kadm5_auth plugin modules should define a function named
 * kadm5_auth_<modulename>_initvt, matching the signature:
 *
 *   krb5_error_code
 *   kadm5_auth_modname_initvt(krb5_context context, int maj_ver, int min_ver,
 *                             krb5_plugin_vtable vtable);
 *
 * The initvt function should:
 *
 * - Check that the supplied maj_ver number is supported by the module, or
 *   return KRB5_PLUGIN_VER_NOTSUPP if it is not.
 *
 * - Cast the vtable pointer as appropriate for maj_ver:
 *     maj_ver == 1: Cast to krb5_kadm5_auth_vtable
 *
 * - Initialize the methods of the vtable, stopping as appropriate for the
 *   supplied min_ver.  Optional methods may be left uninitialized.
 *
 * Memory for the vtable is allocated by the caller, not by the module.
 */

#ifndef KRB5_KADM5_AUTH_PLUGIN_H
#define KRB5_KADM5_AUTH_PLUGIN_H

#include <krb5/krb5.h>
#include <krb5/plugin.h>

/* An abstract type for kadm5_auth module data. */
typedef struct kadm5_auth_moddata_st *kadm5_auth_moddata;

/*
 * A module can optionally include <kadm5/admin.h> to inspect principal or
 * policy records from requests that add or modify principals or policies.
 * Note that fields of principal and policy structures are only valid if the
 * corresponding bit is set in the accompanying mask parameter.
 */
struct _kadm5_principal_ent_t;
struct _kadm5_policy_ent_t;

/*
 * A module can optionally generate restrictions when checking permissions for
 * adding or modifying a principal entry.  Restriction fields will only be
 * honored if the corresponding mask bit is set.  The operable mask bits are
 * defined in <kadmin/admin.h> and are:
 *
 * - KADM5_ATTRIBUTES for require_attrs, forbid_attrs
 * - KADM5_POLICY for policy
 * - KADM5_POLICY_CLR to require that policy be unset
 * - KADM5_PRINC_EXPIRE_TIME for princ_lifetime
 * - KADM5_PW_EXPIRATION for pw_lifetime
 * - KADM5_MAX_LIFE for max_life
 * - KADM5_MAX_RLIFE for max_renewable_life
 */
struct kadm5_auth_restrictions {
    long mask;
    krb5_flags require_attrs;
    krb5_flags forbid_attrs;
    krb5_deltat princ_lifetime;
    krb5_deltat pw_lifetime;
    krb5_deltat max_life;
    krb5_deltat max_renewable_life;
    char *policy;
};

/*** Method type declarations ***/

/*
 * Optional: Initialize module data.  acl_file is the realm's configured ACL
 * file, or NULL if none was configured.  Return 0 on success,
 * KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for
 * example), and any other error code to abort kadmind startup.  Optionally set
 * *data_out to a module data object to be passed to future calls.
 */
typedef krb5_error_code
(*kadm5_auth_init_fn)(krb5_context context, const char *acl_file,
                      kadm5_auth_moddata *data_out);

/* Optional: Release resources used by module data. */
typedef void
(*kadm5_auth_fini_fn)(krb5_context context, kadm5_auth_moddata data);

/*
 * Each check method below should return 0 to explicitly authorize the request,
 * KRB5_PLUGIN_NO_HANDLE to neither authorize nor deny the request, and any
 * other error code (such as EPERM) to explicitly deny the request.  If a check
 * method is not defined, the module will neither authorize nor deny the
 * request.  A request succeeds if at least one kadm5_auth module explicitly
 * authorizes the request and none of the modules explicitly deny it.
 */

/* Optional: authorize an add-principal operation, and optionally generate
 * restrictions. */
typedef krb5_error_code
(*kadm5_auth_addprinc_fn)(krb5_context context, kadm5_auth_moddata data,
                          krb5_const_principal client,
                          krb5_const_principal target,
                          const struct _kadm5_principal_ent_t *ent, long mask,
                          struct kadm5_auth_restrictions **rs_out);

/* Optional: authorize a modify-principal operation, and optionally generate
 * restrictions. */
typedef krb5_error_code
(*kadm5_auth_modprinc_fn)(krb5_context context, kadm5_auth_moddata data,
                          krb5_const_principal client,
                          krb5_const_principal target,
                          const struct _kadm5_principal_ent_t *ent, long mask,
                          struct kadm5_auth_restrictions **rs_out);

/* Optional: authorize a set-string operation. */
typedef krb5_error_code
(*kadm5_auth_setstr_fn)(krb5_context context, kadm5_auth_moddata data,
                        krb5_const_principal client,
                        krb5_const_principal target,
                        const char *key, const char *value);

/* Optional: authorize a change-password operation. */
typedef krb5_error_code
(*kadm5_auth_cpw_fn)(krb5_context context, kadm5_auth_moddata data,
                     krb5_const_principal client, krb5_const_principal target);

/* Optional: authorize a randomize-keys operation. */
typedef krb5_error_code
(*kadm5_auth_chrand_fn)(krb5_context context, kadm5_auth_moddata data,
                        krb5_const_principal client,
                        krb5_const_principal target);

/* Optional: authorize a set-key operation. */
typedef krb5_error_code
(*kadm5_auth_setkey_fn)(krb5_context context, kadm5_auth_moddata data,
                        krb5_const_principal client,
                        krb5_const_principal target);

/* Optional: authorize a purgekeys operation. */
typedef krb5_error_code
(*kadm5_auth_purgekeys_fn)(krb5_context context, kadm5_auth_moddata data,
                           krb5_const_principal client,
                           krb5_const_principal target);

/* Optional: authorize a delete-principal operation. */
typedef krb5_error_code
(*kadm5_auth_delprinc_fn)(krb5_context context, kadm5_auth_moddata data,
                          krb5_const_principal client,
                          krb5_const_principal target);

/* Optional: authorize a rename-principal operation. */
typedef krb5_error_code
(*kadm5_auth_renprinc_fn)(krb5_context context, kadm5_auth_moddata data,
                          krb5_const_principal client,
                          krb5_const_principal src,
                          krb5_const_principal dest);

/* Optional: authorize a get-principal operation. */
typedef krb5_error_code
(*kadm5_auth_getprinc_fn)(krb5_context context, kadm5_auth_moddata data,
                          krb5_const_principal client,
                          krb5_const_principal target);

/* Optional: authorize a get-strings operation. */
typedef krb5_error_code
(*kadm5_auth_getstrs_fn)(krb5_context context, kadm5_auth_moddata data,
                         krb5_const_principal client,
                         krb5_const_principal target);

/* Optional: authorize an extract-keys operation. */
typedef krb5_error_code
(*kadm5_auth_extract_fn)(krb5_context context, kadm5_auth_moddata data,
                         krb5_const_principal client,
                         krb5_const_principal target);

/* Optional: authorize a list-principals operation. */
typedef krb5_error_code
(*kadm5_auth_listprincs_fn)(krb5_context context, kadm5_auth_moddata data,
                            krb5_const_principal client);

/* Optional: authorize an add-policy operation. */
typedef krb5_error_code
(*kadm5_auth_addpol_fn)(krb5_context context, kadm5_auth_moddata data,
                        krb5_const_principal client, const char *policy,
                        const struct _kadm5_policy_ent_t *ent, long mask);

/* Optional: authorize a modify-policy operation. */
typedef krb5_error_code
(*kadm5_auth_modpol_fn)(krb5_context context, kadm5_auth_moddata data,
                        krb5_const_principal client, const char *policy,
                        const struct _kadm5_policy_ent_t *ent, long mask);

/* Optional: authorize a delete-policy operation. */
typedef krb5_error_code
(*kadm5_auth_delpol_fn)(krb5_context context, kadm5_auth_moddata data,
                        krb5_const_principal client, const char *policy);

/* Optional: authorize a get-policy operation.  client_policy is the client
 * principal's policy name, or NULL if it does not have one. */
typedef krb5_error_code
(*kadm5_auth_getpol_fn)(krb5_context context, kadm5_auth_moddata data,
                        krb5_const_principal client, const char *policy,
                        const char *client_policy);

/* Optional: authorize a list-policies operation. */
typedef krb5_error_code
(*kadm5_auth_listpols_fn)(krb5_context context, kadm5_auth_moddata data,
                          krb5_const_principal client);

/* Optional: authorize an iprop operation. */
typedef krb5_error_code
(*kadm5_auth_iprop_fn)(krb5_context context, kadm5_auth_moddata data,
                       krb5_const_principal client);

/*
 * Optional: receive a notification that the most recent authorized operation
 * has ended.  If a kadm5_auth module is also a KDB module, it can assume that
 * all KDB methods invoked between a kadm5_auth authorization method invocation
 * and a kadm5_auth end invocation are performed as part of the authorized
 * operation.
 *
 * The end method may be invoked without a preceding authorization method in
 * some cases; the module must be prepared to ignore such calls.
 */
typedef void
(*kadm5_auth_end_fn)(krb5_context context, kadm5_auth_moddata data);

/*
 * Optional: free a restrictions object.  This method does not need to be
 * defined if the module does not generate restrictions objects, or if it
 * returns aliases to restrictions objects contained from within the module
 * data.
 */
typedef void
(*kadm5_auth_free_restrictions_fn)(krb5_context context,
                                   kadm5_auth_moddata data,
                                   struct kadm5_auth_restrictions *rs);

/* kadm5_auth vtable for major version 1. */
typedef struct kadm5_auth_vtable_st {
    const char *name;           /* Mandatory: name of module. */
    kadm5_auth_init_fn init;
    kadm5_auth_fini_fn fini;

    kadm5_auth_addprinc_fn addprinc;
    kadm5_auth_modprinc_fn modprinc;
    kadm5_auth_setstr_fn setstr;
    kadm5_auth_cpw_fn cpw;
    kadm5_auth_chrand_fn chrand;
    kadm5_auth_setkey_fn setkey;
    kadm5_auth_purgekeys_fn purgekeys;
    kadm5_auth_delprinc_fn delprinc;
    kadm5_auth_renprinc_fn renprinc;

    kadm5_auth_getprinc_fn getprinc;
    kadm5_auth_getstrs_fn getstrs;
    kadm5_auth_extract_fn extract;
    kadm5_auth_listprincs_fn listprincs;

    kadm5_auth_addpol_fn addpol;
    kadm5_auth_modpol_fn modpol;
    kadm5_auth_delpol_fn delpol;
    kadm5_auth_getpol_fn getpol;
    kadm5_auth_listpols_fn listpols;

    kadm5_auth_iprop_fn iprop;

    kadm5_auth_end_fn end;

    kadm5_auth_free_restrictions_fn free_restrictions;
    /* Minor version 1 ends here. */
} *kadm5_auth_vtable;

#endif /* KRB5_KADM5_AUTH_PLUGIN_H */