Mini Shell
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2017 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Declarations for kadm5_auth plugin module implementors.
*
* The kadm5_auth pluggable interface currently has only one supported major
* version, which is 1. Major version 1 has a current minor version number of
* 1.
*
* kadm5_auth plugin modules should define a function named
* kadm5_auth_<modulename>_initvt, matching the signature:
*
* krb5_error_code
* kadm5_auth_modname_initvt(krb5_context context, int maj_ver, int min_ver,
* krb5_plugin_vtable vtable);
*
* The initvt function should:
*
* - Check that the supplied maj_ver number is supported by the module, or
* return KRB5_PLUGIN_VER_NOTSUPP if it is not.
*
* - Cast the vtable pointer as appropriate for maj_ver:
* maj_ver == 1: Cast to krb5_kadm5_auth_vtable
*
* - Initialize the methods of the vtable, stopping as appropriate for the
* supplied min_ver. Optional methods may be left uninitialized.
*
* Memory for the vtable is allocated by the caller, not by the module.
*/
#ifndef KRB5_KADM5_AUTH_PLUGIN_H
#define KRB5_KADM5_AUTH_PLUGIN_H
#include <krb5/krb5.h>
#include <krb5/plugin.h>
/* An abstract type for kadm5_auth module data. */
typedef struct kadm5_auth_moddata_st *kadm5_auth_moddata;
/*
* A module can optionally include <kadm5/admin.h> to inspect principal or
* policy records from requests that add or modify principals or policies.
* Note that fields of principal and policy structures are only valid if the
* corresponding bit is set in the accompanying mask parameter.
*/
struct _kadm5_principal_ent_t;
struct _kadm5_policy_ent_t;
/*
* A module can optionally generate restrictions when checking permissions for
* adding or modifying a principal entry. Restriction fields will only be
* honored if the corresponding mask bit is set. The operable mask bits are
* defined in <kadmin/admin.h> and are:
*
* - KADM5_ATTRIBUTES for require_attrs, forbid_attrs
* - KADM5_POLICY for policy
* - KADM5_POLICY_CLR to require that policy be unset
* - KADM5_PRINC_EXPIRE_TIME for princ_lifetime
* - KADM5_PW_EXPIRATION for pw_lifetime
* - KADM5_MAX_LIFE for max_life
* - KADM5_MAX_RLIFE for max_renewable_life
*/
struct kadm5_auth_restrictions {
long mask;
krb5_flags require_attrs;
krb5_flags forbid_attrs;
krb5_deltat princ_lifetime;
krb5_deltat pw_lifetime;
krb5_deltat max_life;
krb5_deltat max_renewable_life;
char *policy;
};
/*** Method type declarations ***/
/*
* Optional: Initialize module data. acl_file is the realm's configured ACL
* file, or NULL if none was configured. Return 0 on success,
* KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for
* example), and any other error code to abort kadmind startup. Optionally set
* *data_out to a module data object to be passed to future calls.
*/
typedef krb5_error_code
(*kadm5_auth_init_fn)(krb5_context context, const char *acl_file,
kadm5_auth_moddata *data_out);
/* Optional: Release resources used by module data. */
typedef void
(*kadm5_auth_fini_fn)(krb5_context context, kadm5_auth_moddata data);
/*
* Each check method below should return 0 to explicitly authorize the request,
* KRB5_PLUGIN_NO_HANDLE to neither authorize nor deny the request, and any
* other error code (such as EPERM) to explicitly deny the request. If a check
* method is not defined, the module will neither authorize nor deny the
* request. A request succeeds if at least one kadm5_auth module explicitly
* authorizes the request and none of the modules explicitly deny it.
*/
/* Optional: authorize an add-principal operation, and optionally generate
* restrictions. */
typedef krb5_error_code
(*kadm5_auth_addprinc_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target,
const struct _kadm5_principal_ent_t *ent, long mask,
struct kadm5_auth_restrictions **rs_out);
/* Optional: authorize a modify-principal operation, and optionally generate
* restrictions. */
typedef krb5_error_code
(*kadm5_auth_modprinc_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target,
const struct _kadm5_principal_ent_t *ent, long mask,
struct kadm5_auth_restrictions **rs_out);
/* Optional: authorize a set-string operation. */
typedef krb5_error_code
(*kadm5_auth_setstr_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target,
const char *key, const char *value);
/* Optional: authorize a change-password operation. */
typedef krb5_error_code
(*kadm5_auth_cpw_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client, krb5_const_principal target);
/* Optional: authorize a randomize-keys operation. */
typedef krb5_error_code
(*kadm5_auth_chrand_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target);
/* Optional: authorize a set-key operation. */
typedef krb5_error_code
(*kadm5_auth_setkey_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target);
/* Optional: authorize a purgekeys operation. */
typedef krb5_error_code
(*kadm5_auth_purgekeys_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target);
/* Optional: authorize a delete-principal operation. */
typedef krb5_error_code
(*kadm5_auth_delprinc_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target);
/* Optional: authorize a rename-principal operation. */
typedef krb5_error_code
(*kadm5_auth_renprinc_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal src,
krb5_const_principal dest);
/* Optional: authorize a get-principal operation. */
typedef krb5_error_code
(*kadm5_auth_getprinc_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target);
/* Optional: authorize a get-strings operation. */
typedef krb5_error_code
(*kadm5_auth_getstrs_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target);
/* Optional: authorize an extract-keys operation. */
typedef krb5_error_code
(*kadm5_auth_extract_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client,
krb5_const_principal target);
/* Optional: authorize a list-principals operation. */
typedef krb5_error_code
(*kadm5_auth_listprincs_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client);
/* Optional: authorize an add-policy operation. */
typedef krb5_error_code
(*kadm5_auth_addpol_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client, const char *policy,
const struct _kadm5_policy_ent_t *ent, long mask);
/* Optional: authorize a modify-policy operation. */
typedef krb5_error_code
(*kadm5_auth_modpol_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client, const char *policy,
const struct _kadm5_policy_ent_t *ent, long mask);
/* Optional: authorize a delete-policy operation. */
typedef krb5_error_code
(*kadm5_auth_delpol_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client, const char *policy);
/* Optional: authorize a get-policy operation. client_policy is the client
* principal's policy name, or NULL if it does not have one. */
typedef krb5_error_code
(*kadm5_auth_getpol_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client, const char *policy,
const char *client_policy);
/* Optional: authorize a list-policies operation. */
typedef krb5_error_code
(*kadm5_auth_listpols_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client);
/* Optional: authorize an iprop operation. */
typedef krb5_error_code
(*kadm5_auth_iprop_fn)(krb5_context context, kadm5_auth_moddata data,
krb5_const_principal client);
/*
* Optional: receive a notification that the most recent authorized operation
* has ended. If a kadm5_auth module is also a KDB module, it can assume that
* all KDB methods invoked between a kadm5_auth authorization method invocation
* and a kadm5_auth end invocation are performed as part of the authorized
* operation.
*
* The end method may be invoked without a preceding authorization method in
* some cases; the module must be prepared to ignore such calls.
*/
typedef void
(*kadm5_auth_end_fn)(krb5_context context, kadm5_auth_moddata data);
/*
* Optional: free a restrictions object. This method does not need to be
* defined if the module does not generate restrictions objects, or if it
* returns aliases to restrictions objects contained from within the module
* data.
*/
typedef void
(*kadm5_auth_free_restrictions_fn)(krb5_context context,
kadm5_auth_moddata data,
struct kadm5_auth_restrictions *rs);
/* kadm5_auth vtable for major version 1. */
typedef struct kadm5_auth_vtable_st {
const char *name; /* Mandatory: name of module. */
kadm5_auth_init_fn init;
kadm5_auth_fini_fn fini;
kadm5_auth_addprinc_fn addprinc;
kadm5_auth_modprinc_fn modprinc;
kadm5_auth_setstr_fn setstr;
kadm5_auth_cpw_fn cpw;
kadm5_auth_chrand_fn chrand;
kadm5_auth_setkey_fn setkey;
kadm5_auth_purgekeys_fn purgekeys;
kadm5_auth_delprinc_fn delprinc;
kadm5_auth_renprinc_fn renprinc;
kadm5_auth_getprinc_fn getprinc;
kadm5_auth_getstrs_fn getstrs;
kadm5_auth_extract_fn extract;
kadm5_auth_listprincs_fn listprincs;
kadm5_auth_addpol_fn addpol;
kadm5_auth_modpol_fn modpol;
kadm5_auth_delpol_fn delpol;
kadm5_auth_getpol_fn getpol;
kadm5_auth_listpols_fn listpols;
kadm5_auth_iprop_fn iprop;
kadm5_auth_end_fn end;
kadm5_auth_free_restrictions_fn free_restrictions;
/* Minor version 1 ends here. */
} *kadm5_auth_vtable;
#endif /* KRB5_KADM5_AUTH_PLUGIN_H */
Zerion Mini Shell 1.0