responder/kcm/kcmsrv_ccache.h

bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   SSSD
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   KCM Server - the KCM ccache operations
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   Copyright (C) Red Hat, 2016
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   This program is free software; you can redistribute it and/or modify
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   it under the terms of the GNU General Public License as published by
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   the Free Software Foundation; either version 3 of the License, or
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   (at your option) any later version.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   This program is distributed in the hope that it will be useful,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   but WITHOUT ANY WARRANTY; without even the implied warranty of
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   GNU General Public License for more details.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   You should have received a copy of the GNU General Public License
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek   along with this program.  If not, see <http://www.gnu.org/licenses/>.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek*/
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#ifndef _KCMSRV_CCACHE_H_
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#define _KCMSRV_CCACHE_H_
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#include "config.h"
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#include <krb5/krb5.h>
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#include <uuid/uuid.h>
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#include "util/util.h"
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#include "util/sss_iobuf.h"
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#include "util/util_creds.h"
35c9dfe9ba78d3a635cd1af0fb6349ba44344623Jakub Hrozek#include "responder/kcm/kcmsrv_pvt.h"
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#define UUID_BYTES    16
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#define UUID_STR_SIZE 37
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Credentials are opaque to the KCM server
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Each ccache has a unique UUID.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_cred;
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * An opaque ccache type and its operations
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Contains zero or some KCM credentials. One credential in the cache
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * is marked as the default one. The client can set and get the default
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * cache (e.g. with kswitch) but one cache is always the default -- we
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * fall back to the one created first.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Each cache has a name and a UUID. Heimdal allows the name to be changed,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * we don't (yet, because the MIT client doesn't allow that either)
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Each ccache also stores a client principal.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_ccache;
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Create a new KCM ccache owned by mem_ctx on the
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * memory level.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * When created, the ccache contains no credendials
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                   krb5_context k5c,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                   struct cli_creds *owner,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                   const char *name,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                   krb5_principal princ,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                   struct kcm_ccache **_cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Returns true if a client can access a ccache.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Note that root can access any ccache */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekbool kcm_cc_access(struct kcm_ccache *cc,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                   struct cli_creds *client);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Since the kcm_ccache structure is opaque, the kcmsrv_ccache
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * layer contains a number of getsetters to read and write
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * properties of the kcm_ccache structure
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekconst char *kcm_cc_get_name(struct kcm_ccache *cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_cc_get_uuid(struct kcm_ccache *cc, uuid_t _uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekkrb5_principal kcm_cc_get_client_principal(struct kcm_ccache *cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekint32_t kcm_cc_get_offset(struct kcm_ccache *cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/* Mainly useful for creating a cred structure from a persistent
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * storage
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                              uuid_t uuid,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                              struct sss_iobuf *cred_blob);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/* Add a cred to ccache */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_cc_store_creds(struct kcm_ccache *cc,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                           struct kcm_cred *crd);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * At the moment, the credentials are stored without unmarshalling
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * them, just as the clients sends the credentials.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct sss_iobuf *kcm_cred_get_creds(struct kcm_cred *crd);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_cc_store_cred_blob(struct kcm_ccache *cc,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                               struct sss_iobuf *cred_blob);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek /*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * The KCM server can call kcm_cred_get_creds to fetch the first
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * credential, then iterate over the credentials with
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * kcm_cc_next_cred until it returns NULL
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_cred *kcm_cc_get_cred(struct kcm_ccache *cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_cred *kcm_cc_next_cred(struct kcm_cred *crd);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/* An opaque database that contains all the ccaches */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_ccdb;
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Initialize a ccache database of type cc_be
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_ccdb *kcm_ccdb_init(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                               struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                               enum kcm_ccdb_be cc_be);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * In KCM, each ccache name is usually in the form of "UID:<num>
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * The <num> is generated by the KCM ccache database. Use this function
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * to retrieve the next number
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_nextid_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        struct cli_creds *client);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_nextid_recv(struct tevent_req *req,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                             TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                             char **_nextid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * List all ccaches that belong to a given client
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * The cc_list the recv function returns is NULL-terminated.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * NOTE: Contrary to how Heimdal behaves, root CAN NOT list all ccaches
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * of all users. This is a deliberate decision to treat root as any other
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * user, except it can access a ccache of another user by name, just not
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * list them.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * If a client has no ccaches, the function returns OK, but an empty list
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * containing just the NULL sentinel.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_list_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                      struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                      struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                      struct cli_creds *client);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_list_recv(struct tevent_req *req,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                           TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                           uuid_t **_uuid_list);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Retrieve a ccache by name.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * If there is no such ccache, return EOK, but a NULL _cc pointer
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_getbyname_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           const char *name);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_getbyname_recv(struct tevent_req *req,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                struct kcm_ccache **_cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Retrieve a ccache by UUID
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek *
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * If there is no such ccache, return EOK, but a NULL _cc pointer
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_getbyuuid_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           uuid_t uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_getbyuuid_recv(struct tevent_req *req,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                struct kcm_ccache **_cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Retrieve the default ccache. If there is no default cache,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * return EOK, but a NULL UUID.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_get_default_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                             struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                             struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                             struct cli_creds *client);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_get_default_recv(struct tevent_req *req,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                  uuid_t *uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Translating name to UUID is often considerably faster than doing a full
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * CC retrieval, hence this function and the converse. If the UUID cannot
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * be found in the database, return ERR_KCM_CC_END
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_name_by_uuid_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              uuid_t uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_name_by_uuid_recv(struct tevent_req *req,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                   TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                   const char **_name);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Translating UUID to name is often considerably faster than doing a full
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * CC retrieval, hence this function and the converse. If the UUID cannot
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * be found in the database, return ERR_KCM_CC_END
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_uuid_by_name_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                              const char *name);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_uuid_by_name_recv(struct tevent_req *req,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                   TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                   uuid_t _uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Set the default ccache. Passing a NULL UUID is a legal operation
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * that 'unsets' the default ccache.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_set_default_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                             struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                             struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                             struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                             uuid_t uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_set_default_recv(struct tevent_req *req);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Add a ccache to the database.
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_create_cc_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct kcm_ccache *cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_create_cc_recv(struct tevent_req *req);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Modify cache properties in a db
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct kcm_mod_ctx {
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek    int32_t kdc_offset;
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek    /* More settable properties (like name, when we support renames
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek     * will be added later
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek     */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek};
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekvoid kcm_mod_ctx_clear(struct kcm_mod_ctx *mod_ctx);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekvoid kcm_mod_cc(struct kcm_ccache *cc, struct kcm_mod_ctx *mod_ctx);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_mod_cc_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        uuid_t uuid,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                        struct kcm_mod_ctx *mod_cc);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_mod_cc_recv(struct tevent_req *req);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Store a credential in a cache
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_store_cred_blob_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                                 struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                                 struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                                 struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                                 uuid_t uuid,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                                 struct sss_iobuf *cred_blob);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_store_cred_blob_recv(struct tevent_req *req);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * Delete a ccache from the database
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekstruct tevent_req *kcm_ccdb_delete_cc_send(TALLOC_CTX *mem_ctx,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct tevent_context *ev,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct kcm_ccdb *db,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           struct cli_creds *client,
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek                                           uuid_t uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_ccdb_delete_cc_recv(struct tevent_req *req);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekvoid kcm_debug_uuid(uuid_t uuid);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek/*
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * The KCM clients are not allowed (except root) to create ccaches
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * with arbitrary names. Instead, we assert that the ccache name
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * begins with UID where UID is the stringified representation of
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek * the client's UID number
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek */
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozekerrno_t kcm_check_name(const char *name, struct cli_creds *client);
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek/*
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek * ccahe marshalling to and from JSON. This is used when the ccaches
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek * are stored in the secrets store
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek */
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek/*
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek * The secrets store is a key-value store at heart. We store the UUID
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek * and the name in the key to allow easy lookups be either key
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek */
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekbool sec_key_match_name(const char *sec_key,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                        const char *name);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekbool sec_key_match_uuid(const char *sec_key,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                        uuid_t uuid);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekconst char *sec_key_get_name(const char *sec_key);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekerrno_t sec_key_get_uuid(const char *sec_key,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                         uuid_t uuid);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek/* Create a URL for the default client's ccache */
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekconst char *sec_dfl_url_create(TALLOC_CTX *mem_ctx,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                               struct cli_creds *client);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek/* Create a URL for the client's ccache container */
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekconst char *sec_container_url_create(TALLOC_CTX *mem_ctx,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                                     struct cli_creds *client);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekconst char *sec_cc_url_create(TALLOC_CTX *mem_ctx,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                              struct cli_creds *client,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                              const char *sec_key);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek/*
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek * sec_key is a concatenation of the ccache's UUID and name
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek * sec_value is the JSON dump of the ccache contents
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek */
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekerrno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                         const char *sec_key,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                         const char *sec_value,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                         struct cli_creds *client,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                         struct kcm_ccache **_cc);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek/* Convert a kcm_ccache to a key-value pair to be stored in secrets */
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozekerrno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                                struct kcm_ccache *cc,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                                struct cli_creds *client,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                                const char **_url,
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek                                struct sss_iobuf **_payload);
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
bea0dc79faf609de8603cb42f190adae544bc8fbJakub Hrozek#endif /* _KCMSRV_CCACHE_H_ */