diff options
Diffstat (limited to 'src/lib/ipa_hbac/ipa_hbac.h')
-rw-r--r-- | src/lib/ipa_hbac/ipa_hbac.h | 344 |
1 files changed, 344 insertions, 0 deletions
diff --git a/src/lib/ipa_hbac/ipa_hbac.h b/src/lib/ipa_hbac/ipa_hbac.h new file mode 100644 index 000000000..8801c20c4 --- /dev/null +++ b/src/lib/ipa_hbac/ipa_hbac.h @@ -0,0 +1,344 @@ +/* + SSSD + + IPA Backend Module -- Access control + + Authors: + Sumit Bose <sbose@redhat.com> + Stephen Gallagher <sgallagh@redhat.com> + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef IPA_HBAC_H_ +#define IPA_HBAC_H_ + +/** + * @defgroup ipa_hbac Host-Based Access Control Resolver + * Libipa_hbac provides a mechanism to validate FreeIPA + * HBAC rules as well as evaluate whether they apply to + * a particular user login attempt. + * + * Libipa_hbac is case-insensitive and compatible with + * UTF-8. + * @{ + */ + +#include <stdint.h> +#include <stdbool.h> +#include <time.h> + +/** Debug levels for HBAC. */ +enum hbac_debug_level { + HBAC_DBG_FATAL, /** Fatal failure (not used). */ + HBAC_DBG_ERROR, /** Serious failure (out of memory, for example). */ + HBAC_DBG_WARNING, /** Warnings (not used). */ + HBAC_DBG_INFO, /** HBAC allow/disallow info. */ + HBAC_DBG_TRACE /** Verbose description of rules. */ +}; + +#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT +#define HBAC_ATTRIBUTE_PRINTF(a1, a2) __attribute__((format(printf, a1, a2))) +#else +#define HBAC_ATTRIBUTE_PRINTF(a1, a2) +#endif + +/** + * Function pointer to HBAC external debugging function. + */ +typedef void (*hbac_debug_fn_t)(const char *file, int line, + const char *function, + enum hbac_debug_level, const char *format, + ...) HBAC_ATTRIBUTE_PRINTF(5, 6); + +/** + * HBAC uses external_debug_fn for logging messages. + * @param[in|out] external_debug_void Pointer to external logging function. + */ +void hbac_enable_debug(hbac_debug_fn_t external_debug_fn); + +/** Result of HBAC evaluation */ +enum hbac_eval_result { + /** An error occurred + * See the #hbac_info for more details + */ + HBAC_EVAL_ERROR = -1, + + /** Evaluation grants access */ + HBAC_EVAL_ALLOW, + + /** Evaluation denies access */ + HBAC_EVAL_DENY, + + /** Evaluation failed due to lack of memory + * #hbac_info is not available + */ + HBAC_EVAL_OOM +}; + +/** + * No service category specified + */ +#define HBAC_CATEGORY_NULL 0x0000 + +/** + * Rule should apply to all + */ +#define HBAC_CATEGORY_ALL 0x0001 + +/** + * Opaque type contained in hbac_evaluator.c + */ +struct hbac_time_rules; + +/** + * Component of an HBAC rule + * + * Components can be one of users, target hosts, + * source hosts, or services. + */ +struct hbac_rule_element { + /** + * Category for this element + * + * This value is a bitmask. + * See #HBAC_CATEGORY_NULL and + * #HBAC_CATEGORY_ALL + */ + uint32_t category; + + /** + * List of explicit members of this rule component + * + * - Users: usernames + * - Hosts: hostnames + * - Services: PAM service names + */ + const char **names; + + /** + * List of group members of this rule component + * + * - Users: user groups (POSIX or non-POSIX) + * - Hosts: hostgroups + * - Services: PAM service groups. + */ + const char **groups; +}; + +/** + * HBAC rule object for evaluation + */ +struct hbac_rule { + const char *name; + bool enabled; + + /** + * Services and service groups + * for which this rule applies + */ + struct hbac_rule_element *services; + + /** + * Users and groups for which this + * rule applies + */ + struct hbac_rule_element *users; + + /** + * Target hosts for which this rule apples + */ + struct hbac_rule_element *targethosts; + + /** + * Source hosts for which this rule applies + */ + struct hbac_rule_element *srchosts; + + /** + * For future use + */ + struct hbac_time_rules *timerules; +}; + +/** + * Component of an HBAC request + */ +struct hbac_request_element { + /** + * List of explicit members of this request component + * + * - Users: usernames + * - Hosts: hostnames + * - Services: PAM service names + */ + const char *name; + + /** + * List of group members of this request component + * + * - Users: user groups (POSIX or non-POSIX) + * - Hosts: hostgroups + * - Services: PAM service groups. + */ + const char **groups; +}; + +/** + * Request object for an HBAC rule evaluation + * + * + */ +struct hbac_eval_req { + /** This is a list of service DNs to check, + * it must consist of the actual service + * requested, as well as all parent groups + * containing that service. + */ + struct hbac_request_element *service; + + /** This is a list of user DNs to check, + * it must consist of the actual user + * requested, as well as all parent groups + * containing that user. + */ + struct hbac_request_element *user; + + /** This is a list of target hosts to check, + * it must consist of the actual target host + * requested, as well as all parent groups + * containing that target host. + */ + struct hbac_request_element *targethost; + + /** This is a list of source hosts to check, + * it must consist of the actual source host + * requested, as well as all parent groups + * containing that source host. + */ + struct hbac_request_element *srchost; + + /** For future use */ + time_t request_time; +}; + +/** + * Error code returned by the evaluator + */ +enum hbac_error_code { + /** Unexpected error */ + HBAC_ERROR_UNKNOWN = -1, + + /** Successful evaluation */ + HBAC_SUCCESS, + + /** Function is not yet implemented */ + HBAC_ERROR_NOT_IMPLEMENTED, + + /** Ran out of memory during processing */ + HBAC_ERROR_OUT_OF_MEMORY, + + /** Parse error while evaluating rule */ + HBAC_ERROR_UNPARSEABLE_RULE +}; + +/** Extended information */ +struct hbac_info { + /** + * If the hbac_eval_result was HBAC_EVAL_ERROR, + * this will be an error code. + * Otherwise it will be HBAC_SUCCESS + */ + enum hbac_error_code code; + + /** + * Specify the name of the rule that matched or + * threw an error + */ + char *rule_name; +}; + + +/** + * @brief Evaluate an authorization request against a set of HBAC rules + * + * @param[in] rules A NULL-terminated list of rules to evaluate against + * @param[in] hbac_req A user authorization request + * @param[out] info Extended information (including the name of the + * rule that allowed access (or caused a parse error) + * @return + * - #HBAC_EVAL_ERROR: An error occurred + * - #HBAC_EVAL_ALLOW: Access is granted + * - #HBAC_EVAL_DENY: Access is denied + * - #HBAC_EVAL_OOM: Insufficient memory to complete the evaluation + */ +enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, + struct hbac_eval_req *hbac_req, + struct hbac_info **info); + +/** + * @brief Display result of hbac evaluation in human-readable form + * @param[in] result Return value of #hbac_evaluate + * @return English string describing the evaluation result + */ +const char *hbac_result_string(enum hbac_eval_result result); + +/** + * @brief Display error description + * @param code Error code returned in #hbac_info + * @return English string describing the error + */ +const char *hbac_error_string(enum hbac_error_code code); + +/** + * @brief Function to safely free #hbac_info returned by #hbac_evaluate + * @param info #hbac_info returned by #hbac_evaluate + */ +void hbac_free_info(struct hbac_info *info); + +/** User element */ +#define HBAC_RULE_ELEMENT_USERS 0x01 + +/** Service element */ +#define HBAC_RULE_ELEMENT_SERVICES 0x02 + +/** Target host element */ +#define HBAC_RULE_ELEMENT_TARGETHOSTS 0x04 + +/** Source host element */ +#define HBAC_RULE_ELEMENT_SOURCEHOSTS 0x08 + +/** + * @brief Evaluate whether an HBAC rule contains all necessary elements + * + * @param[in] rule An HBAC rule to evaluate + * @param[out] missing_attrs A list of attributes missing from the rule + * This is a bitmask that may contain one or more + * of #HBAC_RULE_ELEMENT_USERS, + * #HBAC_RULE_ELEMENT_SERVICES, + * #HBAC_RULE_ELEMENT_TARGETHOSTS and + * #HBAC_RULE_ELEMENT_SOURCEHOSTS + * + * @return True if the rule contains all mandatory attributes + * + * @note This function does not care if the rule is enabled or disabled + */ +bool hbac_rule_is_complete(struct hbac_rule *rule, uint32_t *missing_attrs); + +/** + * @} + */ +#endif /* IPA_HBAC_H_ */ |