/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright (C) 2010 by the Massachusetts Institute of Technology.
 * All rights reserved.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 */

#ifndef H_KRB5_KADM5_HOOK_PLUGIN
#define H_KRB5_KADM5_HOOK_PLUGIN

/**
 * @file krb5/krb5_kadm5_hook_plugin.h
 * Provide a plugin interface for kadm5 operations.  This interface
 * permits a plugin to intercept principal modification, creation,
 * deletion, rename and change-password operations.  Operations run at
 * two stages: a precommit stage that runs before the operation is
 * committed to the database and a postcommit stage that runs after the
 * database is updated; see #kadm5_hook_stage for details on semantics.
 *
 * Because a precommit failure aborts the operation while a postcommit
 * failure is only logged, any policy check that is meant to block an
 * administrative change (for example, rejecting a create or modify
 * request) belongs in the precommit stage.  Postcommit is suited to
 * notification and auditing, where the change has already happened.
 *
 * The chpass and create entry points receive the new password string
 * (NULL when keys are being randomized).  A plugin should treat that
 * argument as sensitive: do not log it or retain it beyond the call.
 *
 * This interface is based on a proposed extension to Heimdal by Russ
 * Allbery; it is likely that Heimdal will adopt an approach based on
 * stacked kdb modules rather than this interface.  For MIT, writing a
 * plugin to this interface is significantly easier than stacking kdb
 * modules.  Also, the kadm5 interface is significantly more stable
 * than the kdb interface, so this approach is more desirable than
 * stacked kdb modules.
 *
 * This interface depends on kadm5/admin.h.  As such, the interface
 * does not provide strong guarantees of ABI stability.
 *
 * The kadm5_hook interface currently has only one supported major version,
 * which is 1.  Major version 1 has a current minor version number of 2.
 *
 * kadm5_hook plugins should define a function named
 * kadm5_hook_<modulename>_initvt, matching the signature:
 *
 *   krb5_error_code
 *   kadm5_hook_modname_initvt(krb5_context context, int maj_ver, int min_ver,
 *                             krb5_plugin_vtable vtable);
 *
 * The initvt function should:
 *
 * - Check that the supplied maj_ver number is supported by the module, or
 *   return KRB5_PLUGIN_VER_NOTSUPP if it is not.
 *
 * - Cast the vtable pointer as appropriate for maj_ver:
 *     maj_ver == 1: Cast to kadm5_hook_vftable_1
 *
 * - Initialize the methods of the vtable, stopping as appropriate for the
 *   supplied min_ver.  Optional methods may be left uninitialized.  A
 *   module must not write past the fields that exist in min_ver; the
 *   "End of minor version N" markers below show where each version ends.
 *
 * Memory for the vtable is allocated by the caller, not by the module.
 */

#include <krb5/krb5.h>
#include <krb5/plugin.h>
#include <kadm5/admin.h>

/**
 * Whether the operation is being run before or after the database
 * update.  The value is passed to every operation entry point as the
 * @c stage argument (declared as an int); a plugin must dispatch on it
 * and must not assume it is only called at one stage.
 */
enum kadm5_hook_stage {
    /** In this stage, any plugin failure prevents following plugins from
     * running and aborts the operation.  This is the only stage at which
     * a plugin can veto an administrative change. */
    KADM5_HOOK_STAGE_PRECOMMIT,
    /** In this stage, plugin failures are logged but otherwise ignored;
     * the database has already been updated. */
    KADM5_HOOK_STAGE_POSTCOMMIT
};

/** Opaque module data pointer.  Its layout is private to the plugin;
 * the caller only stores it and hands it back on each call. */
typedef struct kadm5_hook_modinfo_st kadm5_hook_modinfo;

/**
 * Interface for the v1 virtual table for the kadm5_hook plugin.
 * All entry points are optional.  The name field must be provided.
 *
 * Every operation entry point returns a kadm5_ret_t; a non-zero return
 * in the precommit stage aborts the operation (see #kadm5_hook_stage).
 * Field order is the ABI: new entry points are appended only, after the
 * "End of minor version N" marker for the previous minor version.
 */
typedef struct kadm5_hook_vtable_1_st {

    /** A text string identifying the plugin for logging messages. */
    const char *name;

    /** Initialize a plugin module.
     * @param modinfo returns newly allocated module info for future
     * calls.  Cleaned up by the fini() function.
     * @return 0 on success, or a kadm5 error code.
     */
    kadm5_ret_t (*init)(krb5_context, kadm5_hook_modinfo **modinfo);

    /** Clean up a module and free @a modinfo. */
    void (*fini)(krb5_context, kadm5_hook_modinfo *modinfo);

    /** Indicates that the password is being changed.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     * @param keepold is true if existing keys are being kept.
     * @param n_ks_tuple is the number of entries in @a ks_tuple.
     * @param ks_tuple is the list of key/salt types requested for the
     * new keys.
     * @param newpass is NULL if the keys are being randomized;
     * otherwise it is the new password and must not be logged.
     */
    kadm5_ret_t (*chpass)(krb5_context,
                          kadm5_hook_modinfo *modinfo,
                          int stage,
                          krb5_principal, krb5_boolean keepold,
                          int n_ks_tuple,
                          krb5_key_salt_tuple *ks_tuple,
                          const char *password);

    /** Indicate a principal is created.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     * @param mask is the kadm5 field mask saying which fields of the
     * principal entry were supplied by the caller (see kadm5/admin.h).
     * @param password is the initial password, or NULL if the keys
     * are being randomized; treat it as sensitive.
     */
    kadm5_ret_t (*create)(krb5_context,
                          kadm5_hook_modinfo *,
                          int stage,
                          kadm5_principal_ent_t, long mask,
                          int n_ks_tuple,
                          krb5_key_salt_tuple *ks_tuple,
                          const char *password);

    /** Modify a principal.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     * @param mask is the kadm5 field mask saying which fields of the
     * entry are being changed (see kadm5/admin.h).
     */
    kadm5_ret_t (*modify)(krb5_context,
                          kadm5_hook_modinfo *,
                          int stage,
                          kadm5_principal_ent_t, long mask);

    /** Indicate a principal is deleted.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     */
    kadm5_ret_t (*remove)(krb5_context,
                          kadm5_hook_modinfo *modinfo,
                          int stage, krb5_principal);

    /* End of minor version 1. */

    /** Indicate a principal is renamed.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     * The two principal arguments are presumably the current name and
     * the new name, in that order -- confirm against the caller.
     * Only present when min_ver >= 2.
     */
    kadm5_ret_t (*rename)(krb5_context,
                          kadm5_hook_modinfo *modinfo,
                          int stage, krb5_principal, krb5_principal);

    /* End of minor version 2. */

} kadm5_hook_vftable_1;

#endif /*H_KRB5_KADM5_HOOK_PLUGIN*/