summaryrefslogtreecommitdiffstats
path: root/src/include/kim/kim_ccache.h
blob: 709c698142b569bfac496295e41b1053b5516257 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
/*
 * Copyright 2005-2006 Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 * 
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 */

#ifndef KIM_CCACHE_H
#define KIM_CCACHE_H

#ifdef __cplusplus
extern "C" {
#endif

#include <kim/kim_types.h>
    
/*!
 * \page kim_ccache_overview KIM CCache Overview
 *
 * \section kim_ccache_introduction Introduction
 *
 * Kerberos credentials are stored in "ccaches" (short for "credentials caches").
 * The set of all ccaches which the KIM can use is called the "cache collection".   
 * Each ccache has a name and type which uniquely identify it in the cache 
 * collection and a client identity.  The ccache's client identity is the 
 * identity whose credentials are stored in the ccache.  This allows for easy  
 * lookup of all the credentials for a given identity. 
 *
 * KIM attempts to preserve a one-to-one relationship between client identities
 * and ccaches.  If the KIM is used to manipulate the cache collection, there
 * will be one ccache per identity.  However, because low-level APIs allow callers
 * to create multiple ccaches for the same client identity or a single ccache 
 * containing credentials for different client identities, KIM handles those
 * situations.  In general when searching KIM will find the first ccache matching 
 * the requested client identity.  It will not find credentials for the requested  
 * client identity if they are in a ccache with a different client identity.
 *
 * The kim_ccache_t object is a reference to a ccache in the cache collection.  
 * If other applications make changes to the the ccache pointed to by a KIM ccache 
 * object, the object will immediately show those changes.  KIM performs locking 
 * on the cache collection to prevent deadlocks and maintain a consistent behavior 
 * when multiple applications attempt to modify the cache collection.
 *
 * \note KIM ccache APIs are intended for applications and system 
 * tools which manage credentials for the user.  They are not a substitute for
 * krb5 and GSSAPI functions which obtain service credentials for the purpose
 * of authenticating a client to an application server.
 * 
 * \section kim_credential_cache_collection Acquiring a CCache from the Cache Collection
 *
 * KIM provides a simple iterator API for iterating over the ccaches
 * in the cache collection.  First, call #kim_ccache_iterator_create() to obtain 
 * an iterator for the cache collection.  Then loop calling 
 * #kim_ccache_iterator_next() until either you find the ccache you are looking 
 * for or the API returns a NULL ccache, indicating that there are no more
 * ccaches in the cache collection.  When you are done with the iterator, call
 * #kim_ccache_iterator_free().
 *
 * \note #kim_ccache_iterator_next() returns ccache objects which
 * must be freed with #kim_ccache_free() to avoid leaking memory.
 *
 * KIM also provides a convenient API #kim_ccache_create_from_client_identity()
 * which returns the ccache for a specific client identity, if any exists.
 * Typically callers of this API obtain the client identity using
 * #kim_selection_hints_get_identity().
 * 
 *
 * \section kim_ccache_acquire_default Acquiring Credentials from the Default CCache
 *
 * #kim_ccache_create_from_default() returns the default ccache.
 * The default ccache is a legacy concept which was replaced by selection 
 * hints.  Prior to the existence of selection hints, applications always 
 * looked at the default ccache for credentials.  By setting the system default 
 * ccache, users could manually control which credentials each application used.  
 * As the number of ccaches and applications has grown, this mechanism has become
 * unusable.  You should avoid using this API whenever possible.
 *
 *
 * \section kim_ccache_acquire_new Acquiring New Credentials in a CCache
 *
 * KIM provides the #kim_ccache_create_new() API for acquiring new
 * credentials and storing them in a ccache.  Credentials can either be 
 * obtained for a specific client identity or by specifying 
 * #KIM_IDENTITY_ANY to allow the user to choose.  Typically 
 * callers of this API obtain the client identity using 
 * #kim_selection_hints_get_identity().  Depending on the kim_options
 * specified, #kim_ccache_create_new() may present a GUI or command line 
 * prompt to obtain information from the user.
 * 
 * #kim_ccache_create_new_if_needed() 
 * searches the cache collection for a ccache for the client identity
 * and if no appropriate ccache is available, attempts to acquire
 * new credentials and store them in a new ccache.  Depending on the 
 * kim_options specified, #kim_ccache_create_new_if_needed() may 
 * present a GUI or command line prompt to obtain information from the 
 * user. This function exists for convenience and to avoid code duplication.  
 * It can be trivially implemented using 
 * #kim_ccache_create_from_client_identity() and #kim_ccache_create_new().  
 *
 * KIM provides the #kim_ccache_create_from_keytab() to create credentials 
 * using a keytab and store them in the cache collection. A keytab is an 
 * on-disk copy of a client identity's secret key.  Typically sites use 
 * keytabs for client identities that identify a machine or service and 
 * protect the keytab with disk permissions.  Because a keytab is 
 * sufficient to obtain credentials, keytabs will normally only be readable 
 * by root, Administrator or some other privileged account.  
 * Typically applications use credentials obtained from keytabs to obtain
 * credentials for batch processes.  These keytabs and credentials are usually 
 * for a special identity used for the batch process rather than a user
 * identity.
 *
 *
 * \section kim_ccache_validate Validating Credentials in a CCache
 *
 * A credential with a start time in the future (ie: after the issue date)
 * is called a post-dated credential.  Because the KDC administrator may 
 * wish to disable a identity, once the start time is reached, all post-dated
 * credentials must be validated before they can be used.  Otherwise an
 * attacker using a compromised account could acquire lots of post-dated 
 * credentials to circumvent the acccount being disabled.
 *
 * KIM provides the #kim_ccache_validate() API to validate the TGT  
 * credential in a ccache. Note that this API replaces any existing 
 * credentials with the validated credential.
 * 
 *
 * \section kim_ccache_renew Renewing Credentials in a CCache
 *
 * A renewable credential can be used to obtain a new identical credential
 * without resending secret information (such as a password) to the KDC.
 * A credential may only be renewed during its renewal lifetime and while
 * valid.
 *
 * KIM provides the #kim_ccache_renew() API to renew the TGT credential
 * in a ccache. Note that this API replaces any existing credentials with the 
 * renewed credential.
 *
 *
 * \section kim_ccache_verify Verifying Credentials in a CCache
 *
 * When a program acquires TGT credentials for the purpose of authenticating
 * itself to the machine it is running on, it is insufficient for the machine 
 * to assume that the caller is authorized just because it got credentials.  
 * Instead, the credentials must be verified using a key the local machine.  
 * The reason this is necessary is because an attacker can trick the  
 * machine into obtaining credentials from any KDC, including malicious ones
 * with the same realm name as the local machine's realm.  This exploit is 
 * called the Zanarotti attack.  
 *
 * In order to avoid the Zanarotti attack, the local machine must authenticate
 * the process in the same way an application server would authenticate a client.
 * Like an application server, the local machine must have its own identity in 
 * its realm and a keytab for that identity on its local disk.    However,
 * rather than forcing system daemons to use the network-oriented calls in the 
 * krb5 and GSS APIs, KIM provides the #kim_ccache_verify() API to 
 * verify credentials directly.  
 * 
 * The most common reason for using #kim_ccache_verify() is user login.  
 * If the local machine wants to use Kerberos to verify the username and password
 * provided by the user, it must call #kim_ccache_verify() on the credentials
 * it obtains to make sure they are really from a KDC it trusts.  Another common
 * case is a server which is only using Kerberos internally.  For example an
 * LDAP or web server might use a username and password obtained over the network
 * to get Kerberos credentials.  In order to make sure they aren't being tricked 
 * into talking to the wrong KDC, these servers must also call 
 * #kim_ccache_verify().
 * 
 * The Zanarotti attack is only a concern if the act of accessing the machine 
 * gives the process special access.  Thus a managed cluster machine with 
 * Kerberos-authenticated networked home directories does not need to call 
 * #kim_ccache_verify().  Even though an attacker can log in as any user on   
 * the cluster machine, the attacker can't actually access any of the user's data 
 * or use any of their privileges because those are all authenticated via  
 * Kerberized application servers (and thus require actually having credentials 
 * for the real local realm).
 *
 * #kim_ccache_verify() provides an option to 
 * return success even if the machine's host key is not present.  This option 
 * exists for sites which have a mix of different machines, some of which are  
 * vulnerable to the Zanarotti attack and some are not.  If this option is used, 
 * it is the responsiblity of the machine's maintainer to obtain a keytab
 * for their machine if it needs one.
 *
 *
 * \section kim_ccache_properties Examining CCache Properties
 *
 * \li #kim_ccache_get_type() returns the type of the ccache.  Types include
 * "API" for CCAPI ccaches, "FILE" for file-based ccaches and "MEMORY" for
 * single-process in-memory ccaches.
 *
 * \li #kim_ccache_get_name() returns the name of the ccache.  A ccache's name
 * identifies the ccache uniquely among ccaches of the same type.  Note that
 * two ccaches with different types may have the same name.
 *
 * \li #kim_ccache_get_display_name() returns a display string which uniquely
 * identifies a ccache.  A ccache display name is of the form "<type>:<name>"
 * and can be displayed to the user or used as an argument to certain krb5
 * APIs, such as krb5_cc_resolve().
 * 
 * \li #kim_ccache_get_client_identity()
 * returns the ccache's client identity.
 *
 * \li #kim_ccache_get_valid_credential() 
 * returns the first valid TGT in the ccache for its client identity.  
 * If there are no TGTs in the ccache, it returns the first
 * valid non-TGT credential for the ccache's client identity. 
 * TGT credentials (ie: "ticket-granting tickets") are credentials for  
 * the krbtgt service: a service identity of the form "krbtgt/<REALM>@<REALM>".   
 * These credentials allow the entity named by the client identity to obtain  
 * additional credentials without resending shared secrets (such as a password)
 * to the KDC. Kerberos uses TGTs to provide single sign-on authentication.
 *
 * \li #kim_ccache_get_start_time() 
 * returns when the credential's in a ccache will become valid.  
 * Credentials may be "post-dated" which means that their lifetime starts sometime 
 * in the future.  Note that when a post-dated credential's start time is reached, 
 * the credential must be validated.  See \ref kim_credential_validate for more information.
 *
 * \li #kim_ccache_get_expiration_time() 
 * returns when the credential's in a ccache will expire. 
 * Credentials are time limited by the lifetime of the credential.  While you can 
 * request a credential of any lifetime, the KDC limits the credential lifetime 
 * to a administrator-defined maximum.  Typically credential lifetime range from 10
 * to 21 hours.
 *
 * \li #kim_ccache_get_renewal_expiration_time() 
 * returns when the credential's in a ccache will no longer be renewable. 
 * Valid credentials may be renewed up until their renewal expiration time.  
 * Renewing credentials acquires a fresh set of credentials with a full lifetime 
 * without resending secrets to the KDC (such as a password).  If credentials are 
 * not renewable, this function will return an error.
 *
 * \li #kim_ccache_get_options() 
 * returns a kim_options object with the credential options of the credentials
 * in the ccache.  This function is intended to be used when adding 
 * an identity with existing credentials to the favorite identities list.
 * By passing in the options returned by this call, future requests for the
 * favorite identity will use the same credential options.
 *
 * See \ref kim_ccache_reference and \ref kim_ccache_iterator_reference for 
 * information on specific APIs.
 */


/*!
 * \defgroup kim_ccache_iterator_reference KIM CCache Iterator Reference Documentation
 * @{
 */

/*!
 * \param out_ccache_iterator on exit, a ccache iterator object for the cache collection.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get a ccache iterator to enumerate ccaches in the cache collection.
 */
kim_error kim_ccache_iterator_create (kim_ccache_iterator *out_ccache_iterator);

/*!
 * \param in_ccache_iterator a ccache iterator object.
 * \param out_ccache         on exit, the next ccache in the cache collection. If there are 
 *                           no more ccaches in the cache collection this argument will be 
 *                           set to NULL.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the next ccache in the cache collection.
 */
kim_error kim_ccache_iterator_next (kim_ccache_iterator  in_ccache_iterator,
                                      kim_ccache          *out_ccache);

/*!
 * \param io_ccache_iterator a ccache iterator object to be freed.  Set to NULL on exit.
 * \brief Free memory associated with a ccache iterator.
 */
void kim_ccache_iterator_free (kim_ccache_iterator *io_ccache_iterator);

/*!@}*/

/*!
 * \defgroup kim_ccache_reference KIM CCache Reference Documentation
 * @{
 */

/*!
 * \param out_ccache          on exit, a new cache object for a ccache containing a newly acquired 
 *      		      initial credential.  Must be freed with kim_ccache_free().
 * \param in_client_identity  a client identity to obtain a credential for.   Specify KIM_IDENTITY_ANY to 
 *                            allow the user to choose.
 * \param in_options          options to control credential acquisition. 
 * \note Depending on the kim_options specified, #kim_ccache_create_new() may 
 * present a GUI or command line prompt to obtain information from the user. 
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Acquire a new initial credential and store it in a ccache.
 */
kim_error kim_ccache_create_new (kim_ccache          *out_ccache,
                                 kim_identity         in_client_identity,
                                 kim_options          in_options);

/*!
 * \param out_ccache          on exit, a ccache object for a ccache containing a newly acquired   
 *                            initial credential. Must be freed with kim_ccache_free().
 * \param in_client_identity  a client identity to obtain a credential for.
 * \param in_options          options to control credential acquisition (if a credential is acquired). 
 * \note Depending on the kim_options specified, #kim_ccache_create_new_if_needed() may 
 * present a GUI or command line prompt to obtain information from the user. 
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Find a ccache containing a valid initial credential in the cache collection, or if
 *        unavailable, acquire and store a new initial credential.
 */
kim_error kim_ccache_create_new_if_needed (kim_ccache   *out_ccache,
                                           kim_identity  in_client_identity,
                                           kim_options   in_options);

/*!
 * \param out_ccache          on exit, a ccache object for a ccache containing a TGT  
 *                            credential. Must be freed with kim_ccache_free().
 * \param in_client_identity  a client identity to find a ccache for.  If 
 *                            \a in_client_identity is #KIM_IDENTITY_ANY, this  
 *                            function returns the default ccache
 *                            (ie: is equivalent to #kim_ccache_create_from_default()).
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Find a ccache for a client identity in the cache collection.
 */
kim_error kim_ccache_create_from_client_identity (kim_ccache   *out_ccache,
                                                  kim_identity  in_client_identity);

/*!
 * \param out_ccache      on exit, a new ccache object containing an initial credential 
 *      		  for the client identity \a in_identity obtained using in_keytab.  
 *      		  Must be freed with kim_ccache_free().
 * \param in_identity     a client identity to obtain a credential for.  Specify NULL for
 *      		  the first client identity in the keytab.
 * \param in_options      options to control credential acquisition. 
 * \param in_keytab       a path to a keytab.  Specify NULL for the default keytab location. 
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Acquire a new initial credential from a keytab and store it in a ccache.
 */
kim_error kim_ccache_create_from_keytab (kim_ccache    *out_ccache,
                                         kim_identity   in_identity,
                                         kim_options    in_options,
                                         kim_string     in_keytab);

/*!
 * \param out_ccache on exit, a ccache object for the default ccache.  
 *                   Must be freed with kim_ccache_free().
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the default ccache.
 */
kim_error kim_ccache_create_from_default (kim_ccache *out_ccache);

/*!
 * \param out_ccache      on exit, a ccache object for the ccache identified by 
 *                        \a in_display_name.  Must be freed with kim_ccache_free().
 * \param in_display_name a ccache display name string (ie: "TYPE:NAME").
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \note This API is used to obtain a kim_ccache for a ccache name entered by the user.
 * \brief Get a ccache for a ccache display name.
 */
kim_error kim_ccache_create_from_display_name (kim_ccache  *out_ccache,
                                               kim_string   in_display_name);

/*!
 * \param out_ccache  on exit, a ccache object for the ccache identified by 
 *                    \a in_type and \a in_name.  Must be freed with kim_ccache_free().
 * \param in_type     a ccache type string. 
 * \param in_name     a ccache name string. 
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \note This API is provided for backwards compatibilty with applications which are not
 *       KIM-aware and should be avoided whenever possible.
 * \brief Get a ccache for a ccache type and name.
 */
kim_error kim_ccache_create_from_type_and_name (kim_ccache  *out_ccache,
                                                kim_string   in_type,
                                                kim_string   in_name);

/*!
 * \param out_ccache      on exit, a new ccache object which is a copy of in_krb5_ccache.  
 *      		  Must be freed with kim_ccache_free().
 * \param in_krb5_context the krb5 context used to create \a in_krb5_ccache. 
 * \param in_krb5_ccache  a krb5 ccache object. 
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get a ccache for a krb5 ccache.
 */
kim_error kim_ccache_create_from_krb5_ccache (kim_ccache  *out_ccache,
                                              krb5_context in_krb5_context,
                                              krb5_ccache  in_krb5_ccache);

/*!
 * \param out_ccache on exit, the new ccache object which is a copy of in_ccache.  
 *      	     Must be freed with kim_ccache_free().
 * \param in_ccache  a ccache object. 
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Copy a ccache.
 */
kim_error kim_ccache_copy (kim_ccache  *out_ccache,
                           kim_ccache   in_ccache);

/*!
 * \param in_ccache             a ccache object.
 * \param in_compare_to_ccache  a ccache object.
 * \param out_comparison        on exit, a comparison of \a in_ccache and 
 *                              \a in_compare_to_ccache which determines whether
 *                              or not the two ccache objects refer to the same ccache.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Compare ccache objects.
 */
kim_error kim_ccache_compare (kim_ccache      in_ccache,
                              kim_ccache      in_compare_to_ccache,
                              kim_comparison *out_comparison);
    
/*!
 * \param in_ccache        a ccache object. 
 * \param in_krb5_context  a krb5 context which will be used to create out_krb5_ccache. 
 * \param out_krb5_ccache  on exit, a new krb5 ccache object which is a copy of in_ccache.  
 *      		   Must be freed with krb5_cc_close() or krb5_cc_destroy().
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get a krb5 ccache for a ccache.
 */
kim_error kim_ccache_get_krb5_ccache (kim_ccache  in_ccache,
                                      krb5_context  in_krb5_context,
                                      krb5_ccache  *out_krb5_ccache);

/*!
 * \param in_ccache  a ccache object. 
 * \param out_name   on exit, the name string of \a in_ccache.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the name of a ccache.
 */
kim_error kim_ccache_get_name (kim_ccache  in_ccache,
                               kim_string *out_name);

/*!
 * \param in_ccache  a ccache object. 
 * \param out_type   on exit, the type string of \a in_ccache.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the type of a ccache.
 */
kim_error kim_ccache_get_type (kim_ccache  in_ccache,
                               kim_string *out_type);

/*!
 * \param in_ccache        a ccache object. 
 * \param out_display_name on exit, the type and name of \a in_ccache in a format appropriate for  
 *                         display to the user in command line programs.  (ie: "<type>:<name>")
 *      		   Must be freed with kim_string_free().
 *                         Note: this string can also be passed to krb5_cc_resolve().
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the type and name for a ccache in display format.
 */
kim_error kim_ccache_get_display_name (kim_ccache  in_ccache,
                                       kim_string *out_display_name);

/*!
 * \param in_ccache            a ccache object. 
 * \param out_client_identity  on exit, an identity object containing the client identity of   
 *      		       \a in_ccache. Must be freed with kim_identity_free().
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the client identity for a ccache.
 */
kim_error kim_ccache_get_client_identity (kim_ccache    in_ccache,
                                          kim_identity *out_client_identity);

/*!
 * \param in_ccache       a ccache object. 
 * \param out_credential  on exit, the first valid credential in \a in_ccache. 
 *      		  Must be freed with kim_credential_free().  Set to NULL
 *                        if you only want return value, not the actual credential.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the first valid credential in a ccache.
 * \note This function prefers valid TGT credentials.  If there are only non-valid TGTs
 *       in the ccache, it will always return an error.  However, if there are no 
 *       TGTs at all, it will return the first valid non-TGT credential. If you only want 
 *       TGTs, use kim_credential_is_tgt() to verify that \a out_credential is a tgt.
 */
kim_error kim_ccache_get_valid_credential (kim_ccache      in_ccache,
                                           kim_credential *out_credential);

/*!
 * \param in_ccache     a ccache object.
 * \param out_state     on exit, the state of the credentials in \a in_ccache.  
 *                      See #kim_credential_state_enum for the possible values
 *                      of \a out_state.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Check the state of the credentials in a ccache (valid, expired, postdated, etc).
 * \note This function prefers TGT credentials.  If there are any TGTs in the 
 *       ccache, it will always return their state.  However, if there are no 
 *       TGTs at all, it will return the state of the first non-TGT credential.
 */
kim_error kim_ccache_get_state (kim_ccache            in_ccache,
                                kim_credential_state *out_state);
    
/*!
 * \param in_ccache      a ccache object. 
 * \param out_start_time on exit, the time when the credentials in \a in_ccache
 *                       become valid.  May be in the past or future.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the time when the credentials in the ccache become valid.
 */
kim_error kim_ccache_get_start_time (kim_ccache  in_ccache,
                                     kim_time   *out_start_time);

/*!
 * \param in_ccache           a ccache object. 
 * \param out_expiration_time on exit, the time when the credentials in 
 *                            \a in_ccache will expire.  May be in the past or future.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the time when the credentials in the ccache will expire.
 */
kim_error kim_ccache_get_expiration_time (kim_ccache  in_ccache,
                                          kim_time   *out_expiration_time);

/*!
 * \param in_ccache                   a ccache object. 
 * \param out_renewal_expiration_time on exit, the time when the credentials in \a in_ccache 
 *                                    will no longer be renewable. May be in the past or future.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get the time when the credentials in the ccache will no longer be renewable.
 */
kim_error kim_ccache_get_renewal_expiration_time (kim_ccache  in_ccache,
                                                  kim_time   *out_renewal_expiration_time);

/*!
 * \param in_ccache      a ccache object. 
 * \param out_options    on exit, an options object reflecting the ticket
 *                       options of the credentials in \a in_ccache.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Get a kim_options object based on a ccache's credential attributes.
 */
kim_error kim_ccache_get_options (kim_ccache   in_ccache,
                                  kim_options *out_options);

/*!
 * \param io_ccache a ccache object which will be set to the default ccache. 
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \note This API is provided for backwards compatibilty with applications which are not
 *       KIM-aware and should be avoided whenever possible.
 * \brief Set a ccache to the default ccache.
 */
kim_error kim_ccache_set_default (kim_ccache io_ccache);

/*!
 * \param in_ccache              a ccache object containing the TGT credential to be verified. 
 * \param in_service_identity    a service identity to look for in the keytab.  Specify 
 *                               KIM_IDENTITY_ANY to use the default service identity
 *                               (usually host/<host's FQDN>@<host's local realm>).
 * \param in_keytab              a path to a keytab.  Specify NULL for the default keytab location. 
 * \param in_fail_if_no_service_key whether or not the absence of a key for \a in_service_identity
 *                                  in the host's keytab will cause a failure. 
 * \note specifying FALSE for \a in_fail_if_no_service_key may expose the calling program to 
 * the Zanarotti attack if the host has no keytab installed.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Verify the TGT in a ccache.
 */
kim_error kim_ccache_verify (kim_ccache   in_ccache,
                             kim_identity in_service_identity,
                             kim_string   in_keytab,
                             kim_boolean  in_fail_if_no_service_key);

/*!
 * \param in_ccache  a ccache object containing a TGT to be renewed. 
 * \param in_options initial credential options to be used if a new credential is obtained.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Renew the TGT in a ccache.
 */
kim_error kim_ccache_renew (kim_ccache  in_ccache,
                            kim_options in_options);

/*!
 * \param in_ccache  a ccache object containing a TGT to be validated. 
 * \param in_options initial credential options.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Validate the TGT in a ccache.
 */
kim_error kim_ccache_validate (kim_ccache  in_ccache,
                               kim_options in_options);

/*!
 * \param io_ccache  a ccache object to be destroyed.  Set to NULL on exit.
 * \return On success, #KIM_NO_ERROR.  On failure, an error code representing the failure.
 * \brief Remove a ccache from the cache collection.
 * \note Frees memory associated with the ccache.  Do not call kim_ccache_free()
 *       after calling this function.
 */
kim_error kim_ccache_destroy (kim_ccache *io_ccache);

/*!
 * \param io_ccache a ccache object to be freed.  Set to NULL on exit.
 * \brief Free memory associated with a ccache.
 */
void kim_ccache_free (kim_ccache *io_ccache);

/*!@}*/

#ifdef __cplusplus
}
#endif

#endif /* KIM_CCACHE_H */