1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kadmin/server/auth.h - kadmin authorization declarations */
3 /*
4  * Copyright (C) 2017 by the Massachusetts Institute of Technology.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * * Redistributions of source code must retain the above copyright
12  *   notice, this list of conditions and the following disclaimer.
13  *
14  * * Redistributions in binary form must reproduce the above copyright
15  *   notice, this list of conditions and the following disclaimer in
16  *   the documentation and/or other materials provided with the
17  *   distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23  * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30  * OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
#ifndef AUTH_H
#define AUTH_H

/*
 * Operation codes.  Each kadmin server operation is identified by one of
 * these values, passed as the opcode argument to auth() (and, for the
 * add/modify-principal operations, to auth_restrict()) so that the
 * authorization modules can decide whether the requesting client may
 * perform it.  The numbering is an internal convention of this server;
 * it is not a wire-protocol value.
 */
#define OP_ADDPRINC     1
#define OP_MODPRINC     2
#define OP_SETSTR       3
#define OP_CPW          4
#define OP_CHRAND       5
#define OP_SETKEY       6
#define OP_PURGEKEYS    7
#define OP_DELPRINC     8
#define OP_RENPRINC     9
#define OP_GETPRINC    10
#define OP_GETSTRS     11
#define OP_EXTRACT     12
#define OP_LISTPRINCS  13
#define OP_ADDPOL      14
#define OP_MODPOL      15
#define OP_DELPOL      16
#define OP_GETPOL      17
#define OP_LISTPOLS    18
#define OP_IPROP       19

/*
 * Initialize all authorization modules.  acl_file is the path handed to the
 * modules at initialization (presumably consumed by the built-in ACL module
 * declared below; confirm against auth.c).  Returns 0 on success or a krb5
 * error code; on failure the server has no working authorization layer and
 * must not go on to serve requests.
 */
krb5_error_code auth_init(krb5_context context, const char *acl_file);

/* Release authorization module state.  Pair with a successful auth_init(). */
void auth_fini(krb5_context context);

/*
 * Authorize the operation given by opcode on behalf of client (the
 * authenticated principal making the request), using the appropriate subset
 * of p1, p2, s1, s2, polent, and mask -- which arguments are meaningful
 * depends on opcode; arguments not used by that opcode may be NULL/0.
 * Returns TRUE if the operation is permitted.  A FALSE result is a denial:
 * the caller must not perform the operation.
 */
krb5_boolean auth(krb5_context context, int opcode,
                  krb5_const_principal client, krb5_const_principal p1,
                  krb5_const_principal p2, const char *s1, const char *s2,
                  const kadm5_policy_ent_rec *polent, long mask);

/*
 * Authorize an add-principal or modify-principal operation (opcode is
 * OP_ADDPRINC or OP_MODPRINC), and apply restrictions to ent and mask if any
 * modules supply them.  ent and *mask are in/out: modules may alter them, so
 * the caller must apply the operation using the values left behind by this
 * call, not a copy taken before it.  Returns TRUE if the (possibly
 * restricted) operation is permitted; FALSE is a denial.
 */
krb5_boolean auth_restrict(krb5_context context, int opcode,
                           krb5_const_principal client,
                           kadm5_principal_ent_t ent, long *mask);

/*
 * Notify modules that the most recent authorized operation has ended.
 * Presumably called once after each operation that auth() or auth_restrict()
 * permitted, so modules can release any per-operation state -- TODO confirm
 * against the callers in the server.
 */
void auth_end(krb5_context context);

/*
 * initvt declarations for built-in modules.  These are plugin vtable
 * initializers for the two modules compiled into the server: the ACL-file
 * module ("acl") and the self-service module ("self").  maj_ver/min_ver are
 * the vtable version the loader is requesting; vtable is the table to fill.
 */

krb5_error_code kadm5_auth_acl_initvt(krb5_context context, int maj_ver,
                                      int min_ver, krb5_plugin_vtable vtable);
krb5_error_code kadm5_auth_self_initvt(krb5_context context, int maj_ver,
                                       int min_ver, krb5_plugin_vtable vtable);

#endif /* AUTH_H */
86