/*
SSSD
KCM Server - the KCM ccache operations
Copyright (C) Red Hat, 2016
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _KCMSRV_CCACHE_H_
#define _KCMSRV_CCACHE_H_
#include "config.h"
#include "util/sss_iobuf.h"
#include "util/util_creds.h"
#include "responder/kcm/kcmsrv_pvt.h"
/*
* Credentials are opaque to the KCM server
*
* Each ccache has a unique UUID.
*/
struct kcm_cred;
/*
* An opaque ccache type and its operations
*
* Contains zero or some KCM credentials. One credential in the cache
* is marked as the default one. The client can set and get the default
* cache (e.g. with kswitch) but one cache is always the default -- we
* fall back to the one created first.
*
* Each cache has a name and a UUID. Heimdal allows the name to be changed,
* we don't (yet, because the MIT client doesn't allow that either)
*
* Each ccache also stores a client principal.
*/
struct kcm_ccache;
/*
* Create a new KCM ccache owned by mem_ctx on the
* memory level.
*
* When created, the ccache contains no credendials
*/
const char *name,
struct kcm_ccache **_cc);
/*
* Returns true if a client can access a ccache.
*
* Note that root can access any ccache */
/*
* Since the kcm_ccache structure is opaque, the kcmsrv_ccache
* layer contains a number of getsetters to read and write
* properties of the kcm_ccache structure
*/
/* Mainly useful for creating a cred structure from a persistent
* storage
*/
/* Add a cred to ccache */
/*
* At the moment, the credentials are stored without unmarshalling
* them, just as the clients sends the credentials.
*/
/*
* The KCM server can call kcm_cred_get_creds to fetch the first
* credential, then iterate over the credentials with
* kcm_cc_next_cred until it returns NULL
*/
/* An opaque database that contains all the ccaches */
struct kcm_ccdb;
/*
* Initialize a ccache database of type cc_be
*/
struct tevent_context *ev,
enum kcm_ccdb_be cc_be);
/*
* In KCM, each ccache name is usually in the form of "UID:<num>
*
* The <num> is generated by the KCM ccache database. Use this function
* to retrieve the next number
*/
struct tevent_context *ev,
char **_nextid);
/*
* List all ccaches that belong to a given client
*
* The cc_list the recv function returns is NULL-terminated.
*
* NOTE: Contrary to how Heimdal behaves, root CAN NOT list all ccaches
* of all users. This is a deliberate decision to treat root as any other
* user, except it can access a ccache of another user by name, just not
* list them.
*
* If a client has no ccaches, the function returns OK, but an empty list
* containing just the NULL sentinel.
*/
struct tevent_context *ev,
uuid_t **_uuid_list);
/*
* Retrieve a ccache by name.
*
* If there is no such ccache, return EOK, but a NULL _cc pointer
*/
struct tevent_context *ev,
const char *name);
struct kcm_ccache **_cc);
/*
* Retrieve a ccache by UUID
*
* If there is no such ccache, return EOK, but a NULL _cc pointer
*/
struct tevent_context *ev,
struct kcm_ccache **_cc);
/*
* Retrieve the default ccache. If there is no default cache,
* return EOK, but a NULL UUID.
*/
struct tevent_context *ev,
/*
* Translating name to UUID is often considerably faster than doing a full
* CC retrieval, hence this function and the converse. If the UUID cannot
* be found in the database, return ERR_KCM_CC_END
*/
struct tevent_context *ev,
const char **_name);
/*
* Translating UUID to name is often considerably faster than doing a full
* CC retrieval, hence this function and the converse. If the UUID cannot
* be found in the database, return ERR_KCM_CC_END
*/
struct tevent_context *ev,
const char *name);
/*
* Set the default ccache. Passing a NULL UUID is a legal operation
* that 'unsets' the default ccache.
*/
struct tevent_context *ev,
/*
* Add a ccache to the database.
*/
struct tevent_context *ev,
struct kcm_ccache *cc);
/*
* Modify cache properties in a db
*/
struct kcm_mod_ctx {
/* More settable properties (like name, when we support renames
* will be added later
*/
};
struct tevent_context *ev,
struct kcm_mod_ctx *mod_cc);
/*
* Store a credential in a cache
*/
struct tevent_context *ev,
/*
* Delete a ccache from the database
*/
struct tevent_context *ev,
/*
* The KCM clients are not allowed (except root) to create ccaches
* with arbitrary names. Instead, we assert that the ccache name
* begins with UID where UID is the stringified representation of
* the client's UID number
*/
/*
* ccahe marshalling to and from JSON. This is used when the ccaches
* are stored in the secrets store
*/
/*
* The secrets store is a key-value store at heart. We store the UUID
* and the name in the key to allow easy lookups be either key
*/
bool sec_key_match_name(const char *sec_key,
const char *name);
bool sec_key_match_uuid(const char *sec_key,
const char *sec_key_get_name(const char *sec_key);
/* Create a URL for the default client's ccache */
/* Create a URL for the client's ccache container */
const char *sec_key);
/*
* sec_key is a concatenation of the ccache's UUID and name
* sec_value is the JSON dump of the ccache contents
*/
const char *sec_key,
const char *sec_value,
struct kcm_ccache **_cc);
/* Convert a kcm_ccache to a key-value pair to be stored in secrets */
struct kcm_ccache *cc,
const char **_url,
#endif /* _KCMSRV_CCACHE_H_ */