1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #ifndef _SERVER_ACL_H
7 #define	_SERVER_ACL_H
8 
9 #pragma ident	"%Z%%M%	%I%	%E% SMI"
10 
11 #ifdef	__cplusplus
12 extern "C" {
13 #endif
14 
15 
16 /*
17  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
18  *
19  *	Openvision retains the copyright to derivative works of
20  *	this source code.  Do *NOT* create a derivative of this
21  *	source code before consulting with your legal department.
22  *	Do *NOT* integrate *ANY* of this source code into another
23  *	product before consulting with your legal department.
24  *
25  *	For further information, read the top-level Openvision
26  *	copyright which is contained in the top-level MIT Kerberos
27  *	copyright.
28  *
29  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
30  *
31  */
32 
33 
34 /*
35  * kadmin/v5server/kadm5_defs.h
36  *
37  * Copyright 1995 by the Massachusetts Institute of Technology.
38  * All Rights Reserved.
39  *
40  * Export of this software from the United States of America may
41  *   require a specific license from the United States Government.
42  *   It is the responsibility of any person or organization contemplating
43  *   export to obtain such a license before exporting.
44  *
45  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
46  * distribute this software and its documentation for any purpose and
47  * without fee is hereby granted, provided that the above copyright
48  * notice appear in all copies and that both that copyright notice and
49  * this permission notice appear in supporting documentation, and that
50  * the name of M.I.T. not be used in advertising or publicity pertaining
51  * to distribution of the software without specific, written prior
52  * permission.  Furthermore if you modify this software you must label
53  * your software as modified software and not distribute it in such a
54  * fashion that it might be confused with the original M.I.T. software.
55  * M.I.T. makes no representations about the suitability of
56  * this software for any purpose.  It is provided "as is" without express
57  * or implied warranty.
58  *
59  */
60 
61 #include <admin.h> /* SUNWresync121 XXX */
62 
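/*
 * Debug definitions.
 *
 * Each DEBUG_* value is a single bit.  Callers OR the classes they want
 * reported into a level mask and pass that mask as the `cl' argument of
 * DPRINT()/DLOG(); `l1' is the class of the individual message.
 */
#define	DEBUG_SPROC	1
#define	DEBUG_OPERATION	2
#define	DEBUG_HOST	4
#define	DEBUG_REALM	8
#define	DEBUG_REQUESTS	16
#define	DEBUG_ACL	32
#define	DEBUG_PROTO	64
#define	DEBUG_CALLS	128
#define	DEBUG_NOSLAVES	256
/*
 * DPRINT(l1, cl, al): in DEBUG builds, printf `al' when class l1 is set
 * in mask cl; `al' is a fully parenthesised printf argument list, e.g.
 * ("%s\n", str), so that the expansion reads `printf al'.
 *
 * The body is wrapped in do { } while (0) so the macro is one statement:
 * a bare `if' here would capture a following `else' written by the caller
 * (dangling-else), silently attaching it to the debug test instead.  The
 * macro arguments are parenthesised so expressions such as `a|b' keep
 * their meaning inside the `&'.
 */
#ifdef	DEBUG
#define	DPRINT(l1, cl, al)	do {					\
		if (((cl) & (l1)) != 0)					\
			printf al;					\
	} while (0)
#else	/* DEBUG */
#define	DPRINT(l1, cl, al)
#endif	/* DEBUG */
/*
 * DLOG(l1, cl, msg): report `msg' through com_err() when class l1 is set
 * in mask cl.  com_err() treats its third argument as a printf-style
 * format, so `msg' must be a string literal, never a string assembled
 * from data the server received.  Wrapped in do { } while (0) for the
 * same dangling-else reason as DPRINT().
 */
#define	DLOG(l1, cl, msg)	do {					\
		if (((cl) & (l1)) != 0)					\
			com_err(programname, 0, msg);			\
	} while (0)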
82 
/*
 * Access control bits.
 *
 * Every ACL_* value below is a single bit, except ACL_RENAME, which is
 * the composite of ACL_ADD and ACL_DELETE.  Bit values 64 and 128 are not
 * assigned by this header (ACL_EXTRACT 64 survives only as a comment);
 * the commented-out ACL_CHANGE_OWN_PW used value 16, which is ACL_LIST.
 * Keep new bits distinct from all of the assigned values, including the
 * SUNW additions ACL_MIGRATE (512) and ACL_IPROP (65536).
 */
#define	ACL_INQUIRE		1	/* GET */
#define	ACL_ADD			2
#define	ACL_MODIFY		4
#define	ACL_DELETE		8
#define	ACL_LIST		16
#define	ACL_CHANGEPW		32
/* #define ACL_CHANGE_OWN_PW	16 */
/* #define ACL_EXTRACT		64 */
#define ACL_SETKEY		256
#define	ACL_MIGRATE		512	/* pam_krb5_migrate */
#define ACL_IPROP		65536	/* SUNW IProp */
#define	ACL_RENAME		(ACL_ADD+ACL_DELETE)	/* composite, not a new bit */

/*
 * Union of every assigned ACL bit.  ACL_RENAME is not listed because its
 * two bits (ACL_ADD, ACL_DELETE) are already present.  A bit added above
 * must be added here too or it will be excluded from the "all" mask.
 */
#define	ACL_ALL_MASK		(ACL_ADD	| \
				 ACL_DELETE	| \
				 ACL_MODIFY	| \
				 ACL_CHANGEPW	| \
				 ACL_INQUIRE	| \
				 ACL_LIST	| \
				 ACL_IPROP	| \
				 ACL_MIGRATE	| \
				 ACL_SETKEY)
108 
/*
 * Restrictions associated with an ACL entry.  A pointer to one is handed
 * back through the restriction_t ** argument of kadm5int_acl_check() and
 * passed to kadm5int_acl_impose_restrictions() (prototypes below).
 * Field semantics are not visible in this header; the notes on each field
 * are inferred from the names and should be confirmed against server_acl.c.
 */
typedef struct _restriction {
    long		mask;			/* bitmask; presumably records which of the fields below are in force -- TODO confirm */
    krb5_flags		require_attrs;		/* principal attribute flags; name suggests "must be set" -- confirm */
    krb5_flags		forbid_attrs;		/* principal attribute flags; name suggests "must not be set" -- confirm */
    krb5_deltat		princ_lifetime;		/* duration (krb5_deltat) */
    krb5_deltat		pw_lifetime;		/* duration (krb5_deltat) */
    krb5_deltat		max_life;		/* duration (krb5_deltat) */
    krb5_deltat		max_renewable_life;	/* duration (krb5_deltat) */
    long		aux_attributes;
    char		*policy;		/* policy name; who owns/frees this string is not visible here */
} restriction_t;
120 
/**
 * Initialise the ACL subsystem.
 *
 * @param krb5_context  library context
 * @param int           debug level; presumably a DEBUG_* mask as used by
 *                      DPRINT()/DLOG() above -- confirm in server_acl.c
 * @param char *        ACL file name is the likely meaning -- confirm
 * @return krb5_error_code, 0 on success
 */
krb5_error_code kadm5int_acl_init
	(krb5_context,
		   int,
		   char *);
/**
 * Release ACL subsystem state set up by kadm5int_acl_init().
 *
 * @param krb5_context  library context
 * @param int           debug level (same meaning as in kadm5int_acl_init)
 */
void kadm5int_acl_finish
	(krb5_context,
		   int);
/**
 * Authorisation check for an administrative request.
 *
 * @param krb5_context      library context
 * @param gss_name_t        authenticated caller (the requesting principal)
 * @param krb5_int32        requested operation, expressed with the ACL_*
 *                          bits above -- inferred from the types; confirm
 * @param krb5_principal    target principal of the operation
 * @param restriction_t **  out-parameter receiving the matching entry's
 *                          restrictions; whether NULL is accepted here is
 *                          not visible in this header
 * @return krb5_boolean, non-zero when the operation is permitted
 */
krb5_boolean kadm5int_acl_check
	(krb5_context,
		   gss_name_t,
		   krb5_int32,
		   krb5_principal,
		   restriction_t **);
/**
 * Apply a restriction_t to a principal entry before it is committed.
 *
 * @param krb5_context               library context
 * @param kadm5_principal_ent_rec *  principal entry to be adjusted
 * @param long *                     field mask of the entry, presumably
 *                                   updated to reflect fields the
 *                                   restrictions changed -- confirm
 * @param restriction_t *            restrictions to impose (may come from
 *                                   kadm5int_acl_check())
 * @return krb5_error_code, 0 on success
 */
krb5_error_code kadm5int_acl_impose_restrictions
	(krb5_context,
		   kadm5_principal_ent_rec *,
		   long *,
		   restriction_t *);
139 #ifdef	__cplusplus
140 }
141 #endif
142 
143 #endif	/* !_SERVER_ACL_H */