/*
    SSSD

    Library for rule based certificate to user mapping

    Authors:
        Sumit Bose <sbose@redhat.com>

    Copyright (C) 2017 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef _SSS_CERTMAP_H_
#define _SSS_CERTMAP_H_

#include <stdlib.h>
#include <stdint.h>
#include <talloc.h>

/**
 * @defgroup sss_certmap Allow rule-based mapping of certificates to users
 * Libsss_certmap provides a mechanism to map an X.509 certificate to users
 * based on rules. A rule consists of a matching part (does this certificate
 * match at all?) and a mapping part (which LDAP filter, restricted to which
 * domains, selects the user?). Rules are ordered by priority.
 *
 * Typical usage: sss_certmap_init(), one or more sss_certmap_add_rule()
 * calls, then sss_certmap_match_cert() and/or sss_certmap_get_search_filter()
 * per certificate, and finally sss_certmap_free_ctx().
 * @{
 */

/**
 * Opaque type for the certmap context. Created by @ref sss_certmap_init and
 * released by @ref sss_certmap_free_ctx; its layout is private to the library.
 */
struct sss_certmap_ctx;

/**
 * Lowest priority of a rule. Priority 0 is the highest priority (see
 * @ref sss_certmap_add_rule); UINT32_MAX is the lowest.
 */
#define SSS_CERTMAP_MIN_PRIO UINT32_MAX

/**
 * Typedef for the external debug callback passed to @ref sss_certmap_init.
 *
 * @param[in] pvt       Private data given as debug_priv to sss_certmap_init
 * @param[in] file      Source file name of the library location emitting
 *                      the message
 * @param[in] line      Source line number of that location
 * @param[in] function  Name of the library function emitting the message
 * @param[in] format    Message format string, followed by its arguments
 *                      (presumably printf-style; confirm against the
 *                      implementation before passing it to vprintf-like
 *                      functions)
 */
typedef void (sss_certmap_ext_debug)(void *pvt,
                                     const char *file, long line,
                                     const char *function,
                                     const char *format, ...);

/**
 * @brief Initialize certmap context
 *
 * @param[in]  mem_ctx     Talloc memory context, may be NULL
 * @param[in]  debug       Callback to handle debug output, may be NULL
 * @param[in]  debug_priv  Private data for debugging callback, may be NULL;
 *                         handed back unchanged as the pvt argument of debug
 * @param[out] ctx         New certmap context; release it with
 *                         @ref sss_certmap_free_ctx
 *
 * @return
 *  - 0: success
 *  - ENOMEM: failed to allocate internal Talloc context
 *  - EINVAL: ctx is NULL
 */
int sss_certmap_init(TALLOC_CTX *mem_ctx,
                     sss_certmap_ext_debug *debug, void *debug_priv,
                     struct sss_certmap_ctx **ctx);

/**
 * @brief Free certmap context
 *
 * Frees the context and everything the library allocated under it; the
 * pointer must not be used afterwards.
 *
 * @param[in] ctx certmap context previously initialized with
 *                @ref sss_certmap_init, may be NULL
 */
void sss_certmap_free_ctx(struct sss_certmap_ctx *ctx);

/**
 * @brief Add a rule to the certmap context
 *
 * @param[in] ctx         certmap context previously initialized with
 *                        @ref sss_certmap_init
 * @param[in] priority    priority of the rule, 0 is the highest priority, the
 *                        lowest is SSS_CERTMAP_MIN_PRIO
 * @param[in] match_rule  String with the matching rule
 * @param[in] map_rule    String with the mapping rule
 * @param[in] domains     NULL-terminated string array with a list of domains
 *                        the rule should be valid for, i.e. only these
 *                        domains should be searched for matching users
 *
 * @return
 *  - 0: success
 *  - non-zero: failure; presumably an errno-style value consistent with the
 *    other functions in this header (e.g. ENOMEM, EINVAL) — the exact set is
 *    not visible here, confirm against the implementation. Callers should
 *    treat any non-zero result as "rule not installed".
 */
int sss_certmap_add_rule(struct sss_certmap_ctx *ctx,
                         uint32_t priority, const char *match_rule,
                         const char *map_rule, const char **domains);

/**
 * @brief Check if a certificate matches any of the applied rules
 *
 * The certificate is parsed by the library, so der_cert is treated as
 * untrusted input; der_size must not exceed the size of the buffer
 * der_cert points to.
 *
 * @param[in] ctx       certmap context previously initialized with
 *                      @ref sss_certmap_init
 * @param[in] der_cert  binary blob with the DER encoded certificate
 * @param[in] der_size  size of the certificate blob in bytes
 *
 * @return
 *  - 0: certificate matches a rule
 *  - ENOENT: certificate does not match
 *  - EINVAL: internal error
 */
int sss_certmap_match_cert(struct sss_certmap_ctx *ctx,
                           const uint8_t *der_cert, size_t der_size);

/**
 * @brief Get the LDAP filter string for a certificate
 *
 * On success both output buffers are owned by the caller and must be
 * released together with @ref sss_certmap_free_filter_and_domains.
 * On failure the outputs should be considered unset.
 *
 * NOTE(review): whether values taken from the certificate are escaped for
 * LDAP filter syntax before being placed into filter is not visible from
 * this header — verify in the implementation before embedding the result
 * in a directory query.
 *
 * @param[in]  ctx       certmap context previously initialized with
 *                       @ref sss_certmap_init
 * @param[in]  der_cert  binary blob with the DER encoded certificate
 * @param[in]  der_size  size of the certificate blob in bytes
 * @param[out] filter    LDAP filter string, caller should free the data by
 *                       calling sss_certmap_free_filter_and_domains
 * @param[out] domains   NULL-terminated array of strings with the domains the
 *                       rule applies to, caller should free the data by
 *                       calling sss_certmap_free_filter_and_domains
 *
 * @return
 *  - 0: certificate matches a rule
 *  - ENOENT: certificate does not match
 *  - EINVAL: internal error
 */
int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
                                  const uint8_t *der_cert, size_t der_size,
                                  char **filter, char ***domains);

/**
 * @brief Free data returned by @ref sss_certmap_get_search_filter
 *
 * Release filter and domains together; do not free them with plain free().
 *
 * @param[in] filter   LDAP filter string returned by
 *                     sss_certmap_get_search_filter
 * @param[in] domains  string array of domains returned by
 *                     sss_certmap_get_search_filter
 */
void sss_certmap_free_filter_and_domains(char *filter, char **domains);

/**
 * @}
 */
#endif /* _SSS_CERTMAP_H_ */