authorcvsadm <cvsadm>2005-01-21 00:44:34 +0000
committercvsadm <cvsadm>2005-01-21 00:44:34 +0000
commitb2093e3016027d6b5cf06b3f91f30769bfc099e2 (patch)
treecf58939393a9032182c4fbc4441164a9456e82f8 /include/libaccess
Moving NSCP Directory Server from DirectoryBranch to TRUNK, initial drop. (foxworth)ldapserver7x
Diffstat (limited to 'include/libaccess')
-rw-r--r--include/libaccess/acl.h41
-rw-r--r--include/libaccess/acladmin.h79
-rw-r--r--include/libaccess/aclbuild.h56
-rw-r--r--include/libaccess/aclerror.h307
-rw-r--r--include/libaccess/acleval.h37
-rw-r--r--include/libaccess/aclglobal.h52
-rw-r--r--include/libaccess/aclparse.h112
-rw-r--r--include/libaccess/aclproto.h156
-rw-r--r--include/libaccess/aclstruct.h264
-rw-r--r--include/libaccess/attrec.h157
-rw-r--r--include/libaccess/authdb.h24
-rw-r--r--include/libaccess/ava.h40
-rw-r--r--include/libaccess/avadb.h15
-rw-r--r--include/libaccess/avapfile.h59
-rw-r--r--include/libaccess/dbtlibaccess.h161
-rw-r--r--include/libaccess/dnfstruct.h51
-rw-r--r--include/libaccess/ipfstruct.h81
-rw-r--r--include/libaccess/las.h184
-rw-r--r--include/libaccess/ldapacl.h62
-rw-r--r--include/libaccess/nsadb.h87
-rw-r--r--include/libaccess/nsamgmt.h122
-rw-r--r--include/libaccess/nsauth.h288
-rw-r--r--include/libaccess/nsautherr.h97
-rw-r--r--include/libaccess/nscert.h102
-rw-r--r--include/libaccess/nsdb.h182
-rw-r--r--include/libaccess/nsdberr.h92
-rw-r--r--include/libaccess/nsdbmgmt.h52
-rw-r--r--include/libaccess/nserror.h47
-rw-r--r--include/libaccess/nsgmgmt.h35
-rw-r--r--include/libaccess/nsgroup.h73
-rw-r--r--include/libaccess/nslock.h74
-rw-r--r--include/libaccess/nsumgmt.h36
-rw-r--r--include/libaccess/nsuser.h70
-rw-r--r--include/libaccess/register.h215
-rw-r--r--include/libaccess/stubs.h6
-rw-r--r--include/libaccess/symbols.h99
-rw-r--r--include/libaccess/userauth.h13
-rw-r--r--include/libaccess/usi.h81
-rw-r--r--include/libaccess/usrcache.h104
39 files changed, 3813 insertions, 0 deletions
diff --git a/include/libaccess/acl.h b/include/libaccess/acl.h
new file mode 100644
index 00000000..88ac07f4
--- /dev/null
+++ b/include/libaccess/acl.h
@@ -0,0 +1,41 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef ACL_HEADER
+#define ACL_HEADER
+
+#ifndef NOINTNSACL
+#define INTNSACL
+#endif /* NOINTNSACL */
+
+#include <netsite.h>
+#include <base/pool.h>
+#include <base/pblock.h>
+#include <base/plist.h>
+#include <libaccess/nserror.h>
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#ifndef PUBLIC_NSACL_ACLAPI_H
+#include "public/nsacl/aclapi.h"
+#endif /* !PUBLIC_NSACL_ACLAPI_H */
+
+#ifdef INTNSACL
+
+NSPR_BEGIN_EXTERN_C
+
+extern char *generic_rights[];
+extern char *http_generic[];
+
+NSPR_END_EXTERN_C
+
+#endif /* INTNSACL */
+
+#endif
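Review bot: `generic_rights` and `http_generic` are exported as writable `char *[]` tables, so any translation unit that includes this header can overwrite an entry or the string behind it. If these are fixed lists of right names (the names suggest so, but the definitions are outside this hunk), declare them `extern const char *const generic_rights[];` and `extern const char *const http_generic[];` and make the definitions match. A one-line comment saying how the arrays are terminated would also help, since no length is exported alongside them.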
diff --git a/include/libaccess/acladmin.h b/include/libaccess/acladmin.h
new file mode 100644
index 00000000..9bd75623
--- /dev/null
+++ b/include/libaccess/acladmin.h
@@ -0,0 +1,79 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __acladmin_h
+#define __acladmin_h
+
+
+/*
+ * Description (acladmin.h)
+ *
+ * This file describes the interface to access control list (ACL)
+ * administration functions. This interface provides mechanisms
+ * for inspecting, modifying, and writing out in text form ACL
+ * structures.
+ */
+
+#include "aclstruct.h"
+
+NSPR_BEGIN_EXTERN_C
+
+/* Flags used for various functions */
+#define ACLF_NPREFIX 0x1 /* ACL name string is a name prefix */
+#define ACLF_REXACT 0x2 /* rights must match exactly */
+#define ACLF_RALL 0x4 /* must have all specified rights */
+
+/* Functions in acladmin.c */
+extern NSAPI_PUBLIC int aclDNSAddHost(char * newhost,
+ char ***alist, int * asize);
+extern NSAPI_PUBLIC int aclDNSAddAliases(char * host,
+ char ***alist, int * asize);
+extern NSAPI_PUBLIC int aclDNSPutHost(char * hname, int fqdn, int aliases,
+ char ***alist, int * asize);
+extern NSAPI_PUBLIC int aclFindByName(ACContext_t * acc, char * aclname,
+ char **rights, int flags, ACL_t **pacl);
+extern NSAPI_PUBLIC char * aclGetAuthMethod(ACL_t * acl, int dirno);
+extern NSAPI_PUBLIC char * aclGetDatabase(ACL_t * acl, int dirno);
+extern NSAPI_PUBLIC char **aclGetHosts(ACL_t * acl, int dirno, int clsno);
+extern NSAPI_PUBLIC char * aclGetPrompt(ACL_t * acl, int dirno);
+extern NSAPI_PUBLIC char **aclGetRights(ACL_t * acl);
+extern NSAPI_PUBLIC unsigned long aclGetRightsMask(ACContext_t * acc, char **rlist);
+extern NSAPI_PUBLIC char * aclGetSignature(ACL_t * acl);
+extern NSAPI_PUBLIC char **aclGetUsers(ACL_t * acl, int dirno, int clsno);
+extern NSAPI_PUBLIC int aclDNSFilterStrings(char **list, DNSFilter_t * dnf);
+extern NSAPI_PUBLIC int aclIPFilterStrings(char **list, IPFilter_t * ipf);
+extern NSAPI_PUBLIC int aclIdsToNames(char **list,
+ USIList_t * uilptr, int uflag, Realm_t * rlm);
+extern NSAPI_PUBLIC int aclMakeNew(ACContext_t * acc, char * aclsig, char * aclname,
+ char **rights, int flags, ACL_t **pacl);
+extern NSAPI_PUBLIC int aclPutAllowDeny(NSErr_t * errp, ACL_t * acl,
+ int always, int allow, char **users, char **hosts);
+extern NSAPI_PUBLIC int aclPutAuth(NSErr_t * errp, ACL_t * acl,
+ int always, int amethod, char * dbname, char * prompt);
+extern NSAPI_PUBLIC char * aclSafeIdent(char * str);
+extern NSAPI_PUBLIC int aclSetRights(ACL_t * acl, char **rights, int replace);
+extern NSAPI_PUBLIC int accWriteFile(ACContext_t * acc, char * filename, int flags);
+extern NSAPI_PUBLIC int aclStringGet(LEXStream_t * lst);
+extern NSAPI_PUBLIC int aclStringOpen(NSErr_t * errp,
+ int slen, char * sptr, int flags, ACLFile_t **pacf);
+extern NSAPI_PUBLIC int aclCheckUsers(NSErr_t * errp, char * dbpath, char * usernames,
+ char * groupnames, char ***uglist, char ***badulist,
+ char ***badglist);
+extern NSAPI_PUBLIC int aclCheckHosts(NSErr_t * errp,
+ int hexpand, char * dnsspecs, char * ipspecs,
+ char ***hlist, char ***baddns, char ***badip);
+
+#ifdef NOTDEF
+extern int aclSetAuthMethod(ACL_t * acl, int dirno, char * amethod);
+extern int aclSetDatabase(ACL_t * acl, int dirno, char * dbname);
+extern int aclSetExecOptions(ACL_t * acl, char **options);
+extern int aclSetHosts(ACL_t * acl, int dirno, char **hostlist);
+extern int aclSetPrompt(ACL_t * acl, int dirno, char * prompt);
+extern int aclSetUsers(ACL_t * acl, int dirno, char **userlist);
+#endif /* NOTDEF */
+
+NSPR_END_EXTERN_C
+
+#endif /* __acladmin_h */
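Review bot: The functions that return `char *` or `char **` (`aclGetAuthMethod`, `aclGetDatabase`, `aclGetHosts`, `aclGetPrompt`, `aclGetRights`, `aclGetSignature`, `aclGetUsers`, `aclSafeIdent`) carry no statement of who owns the returned storage, and the same applies to the `char ***` out-lists filled by `aclCheckUsers` and `aclCheckHosts`. In code that administers access control lists, a caller guessing wrong means either a leak or a free of memory the ACL still references. Add a comment above each group, for example `/* Returned list is allocated by the callee; caller releases it with <release function> */`, with the actual rule taken from acladmin.c. Separately, the guard name `__acladmin_h` is an identifier reserved for the implementation; a name such as `LIBACCESS_ACLADMIN_H` avoids that, and the same guard pattern recurs in aclbuild.h, aclerror.h, acleval.h and aclparse.h.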
diff --git a/include/libaccess/aclbuild.h b/include/libaccess/aclbuild.h
new file mode 100644
index 00000000..319f5342
--- /dev/null
+++ b/include/libaccess/aclbuild.h
@@ -0,0 +1,56 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __aclbuild_h
+#define __aclbuild_h
+
+/*
+ * Description (aclbuild.h)
+ *
+ * This file describes the interface to a module which provides
+ * functions for building Access Control List (ACL) structures
+ * in memory.
+ */
+
+#include "usi.h"
+#include "nserror.h"
+#include "aclstruct.h"
+
+/* Define flags for aclAuthNameAdd() return value */
+#define ANA_GROUP 0x1 /* name matches group name */
+#define ANA_USER 0x2 /* name matches user name */
+#define ANA_DUP 0x4 /* name already in AuthNode_t */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions in aclbuild.c */
+extern int accCreate(NSErr_t * errp, void * stp, ACContext_t **pacc);
+extern void accDestroy(ACContext_t * acc, int flags);
+extern int accDestroySym(Symbol_t * sym, void * argp);
+extern int accReadFile(NSErr_t * errp, char * aclfile, ACContext_t **pacc);
+extern int aclAuthDNSAdd(HostSpec_t **hspp, char * dnsspec, int fqdn);
+extern int aclAuthIPAdd(HostSpec_t **hspp, IPAddr_t ipaddr, IPAddr_t netmask);
+extern int aclAuthNameAdd(NSErr_t * errp, UserSpec_t * usp,
+ Realm_t * rlm, char * name);
+extern ACClients_t * aclClientsDirCreate();
+extern int aclCreate(NSErr_t * errp,
+ ACContext_t * acc, char * aclname, ACL_t **pacl);
+extern void aclDestroy(ACL_t * acl);
+extern void aclDelete(ACL_t * acl);
+extern int aclDirectiveAdd(ACL_t * acl, ACDirective_t * acd);
+extern ACDirective_t * aclDirectiveCreate();
+extern void aclDirectiveDestroy(ACDirective_t * acd);
+extern int aclDNSSpecDestroy(Symbol_t * sym, void * parg);
+extern void aclHostSpecDestroy(HostSpec_t * hsp);
+extern void aclRealmSpecDestroy(RealmSpec_t * rsp);
+extern int aclRightDef(NSErr_t * errp,
+ ACContext_t * acc, char * rname, RightDef_t **prd);
+extern void aclRightSpecDestroy(RightSpec_t * rsp);
+extern UserSpec_t * aclUserSpecCreate();
+extern void aclUserSpecDestroy(UserSpec_t * usp);
+
+NSPR_END_EXTERN_C
+
+#endif /* __aclbuild_h */
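Review bot: `aclClientsDirCreate()`, `aclDirectiveCreate()` and `aclUserSpecCreate()` are declared with empty parentheses, which in C is not a prototype: the compiler accepts calls with any arguments and performs no type checking on them. Write them as `extern ACClients_t * aclClientsDirCreate(void);`, `extern ACDirective_t * aclDirectiveCreate(void);` and `extern UserSpec_t * aclUserSpecCreate(void);`. `aclParseInit()` in aclparse.h has the same form and should become `extern int aclParseInit(void);`.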
diff --git a/include/libaccess/aclerror.h b/include/libaccess/aclerror.h
new file mode 100644
index 00000000..ffd5510b
--- /dev/null
+++ b/include/libaccess/aclerror.h
@@ -0,0 +1,307 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __aclerror_h
+#define __aclerror_h
+
+/* ACL facility name string (in aclbuild.c) */
+NSPR_BEGIN_EXTERN_C
+extern char * ACL_Program;
+NSPR_END_EXTERN_C
+
+/* Define error identifiers */
+
+/* Errors generated in aclparse.c */
+
+/* aclAuthListParse() */
+#define ACLERR1000 1000 /* dynamic memory shortage */
+
+/* aclAuthHostsParse() */
+#define ACLERR1100 1100 /* unsupported list of host lists */
+#define ACLERR1120 1120 /* host list name not found where expected */
+#define ACLERR1140 1140 /* undefined host list name */
+#define ACLERR1160 1160 /* *unused* */
+#define ACLERR1180 1180 /* error adding IP filter entry */
+#define ACLERR1200 1200 /* error adding DNS filter entry */
+#define ACLERR1220 1220 /* ")" missing */
+
+/* aclAuthUsersParse() */
+#define ACLERR1300 1300 /* *unused* */
+#define ACLERR1320 1320 /* *unused* */
+#define ACLERR1340 1340 /* *unused* */
+#define ACLERR1360 1360 /* undefined user or group name */
+#define ACLERR1380 1380 /* duplicate user or group name */
+#define ACLERR1400 1400 /* ")" missing */
+#define ACLERR1420 1420 /* empty auth-user-elem */
+#define ACLERR1440 1440 /* duplicate or conflicting use of "all" */
+#define ACLERR1460 1460 /* duplicate or conflicting use of "any" */
+#define ACLERR1480 1480 /* conflicting use of "all" or "any" */
+#define ACLERR1500 1500 /* insufficient dynamic memory */
+#define ACLERR1520 1520 /* insufficient dynamic memory */
+
+/* aclDirectivesParse() */
+#define ACLERR1600 1600 /* dir-access missing */
+#define ACLERR1620 1620 /* invalid dir-access specification */
+#define ACLERR1640 1640 /* error adding ACD_AUTH directive to ACL */
+#define ACLERR1650 1650 /* error adding directive to ACL */
+#define ACLERR1660 1660 /* insufficient dynamic memory */
+#define ACLERR1680 1680 /* insufficient dynamic memory */
+#define ACLERR1685 1685 /* insufficient dynamic memory */
+#define ACLERR1690 1690 /* error adding directive to ACL */
+#define ACLERR1695 1695 /* error in "execute" directive */
+
+/* aclACLParse() */
+#define ACLERR1700 1700 /* ACL statement missing */
+#define ACLERR1720 1720 /* ACL name missing */
+#define ACLERR1740 1740 /* opening "{" missing */
+#define ACLERR1760 1760 /* closing "}" missing */
+#define ACLERR1780 1780 /* unrecognized ACL statement */
+
+/* aclFileOpen() */
+#define ACLERR1900 1900 /* file open error */
+#define ACLERR1920 1920 /* memory shortage for ACLFile_t */
+#define ACLERR1940 1940 /* memory shortage for token */
+#define ACLERR1960 1960 /* memory shortage for LEX stream */
+
+/* aclGetDNSString() */
+#define ACLERR2100 2100 /* */
+#define ACLERR2120 2120 /* */
+#define ACLERR2140 2140 /* */
+
+/* aclGetIPAddr() */
+#define ACLERR2200 2200 /* */
+#define ACLERR2220 2220 /* */
+#define ACLERR2240 2240 /* */
+#define ACLERR2260 2260 /* */
+#define ACLERR2280 2280 /* */
+#define ACLERR2300 2300 /* */
+#define ACLERR2320 2320 /* */
+
+/* aclGetToken() */
+#define ACLERR2400 2400 /* aclGetToken() parse error */
+
+/* aclParseInit() */
+
+/* aclRealmSpecParse() */
+#define ACLERR2500 2500 /* missing realm name */
+#define ACLERR2520 2520 /* undefined realm name */
+#define ACLERR2540 2540 /* insufficient dynamic memory */
+#define ACLERR2560 2560 /* missing realm directive */
+#define ACLERR2570 2570 /* missing database filespec */
+#define ACLERR2580 2580 /* missing authentication method name */
+#define ACLERR2600 2600 /* unknown authentication method name */
+#define ACLERR2605 2605 /* realm prompt string missing */
+#define ACLERR2610 2610 /* unknown realm directive */
+#define ACLERR2620 2620 /* missing "}" */
+
+/* aclRightsParse() */
+#define ACLERR2700 2700 /* missing rights list element */
+#define ACLERR2720 2720 /* missing rights list name */
+#define ACLERR2740 2740 /* undefined rights list name */
+#define ACLERR2760 2760 /* insufficient dynamic memory */
+#define ACLERR2780 2780 /* insufficient dynamic memory */
+#define ACLERR2800 2800 /* error creating access right definition */
+#define ACLERR2820 2820 /* insufficient dynamic memory */
+#define ACLERR2840 2840 /* missing ")" */
+
+/* aclGetFileSpec() */
+#define ACLERR2900 2900 /* skip over whitespace failed */
+#define ACLERR2920 2920 /* scan over filename failed */
+#define ACLERR2940 2940 /* missing filename */
+
+/* aclStringOpen() */
+#define ACLERR5000 5000 /* memory shortage for ACLFile_t */
+#define ACLERR5020 5020 /* memory shortage for token */
+#define ACLERR5040 5040 /* memory shortage for LEX stream */
+
+/* Errors generated in aclbuild.c */
+
+/* accCreate() */
+#define ACLERR3000 3000 /* insufficient dynamic memory */
+#define ACLERR3020 3020 /* insufficient dynamic memory */
+
+/* accFileRead() */
+#define ACLERR3100 3100 /* error initializing ACL parser */
+#define ACLERR3120 3120 /* error creating ACL symbol table */
+
+/* aclCreate() */
+#define ACLERR3200 3200 /* insufficient dynamic memory */
+#define ACLERR3220 3220 /* duplicate ACL name */
+
+/* aclAuthNameAdd() */
+#define ACLERR3400 3400 /* realm missing for user/group name */
+#define ACLERR3420 3420 /* error opening authentication DB */
+#define ACLERR3440 3440 /* error finding name in DB */
+#define ACLERR3460 3460 /* insufficient dynamic memory */
+
+/* aclRightDef() */
+#define ACLERR3600 3600 /* insufficient dynamic memory */
+#define ACLERR3620 3620 /* add right to symbol table failed */
+
+/* ACL_ListPostParseForAuth() */
+#define ACLERR3800 3800 /* Undefined method/database */
+#define ACLERR3810 3810 /* insufficient dynamic memory */
+
+/* Register.cpp */
+#define ACLERR3900 3900 /* Duplicate LAS registered */
+
+/* ACL_EvalBuildContext */
+#define ACLERR4000 4000 /* Unable to create context hash */
+#define ACLERR4010 4010 /* Unable to alloc cache structure */
+#define ACLERR4020 4020 /* Unable to alloc ACE entry */
+#define ACLERR4030 4030 /* Unable to alloc ACE entry */
+#define ACLERR4040 4040 /* Unable to alloc Auth Ptr Array */
+#define ACLERR4050 4050 /* Unable to alloc Auth Ptr Array */
+
+/* ACL_EvalTestRights */
+#define ACLERR4100 4100 /* Interim absolute, non-allow value */
+#define ACLERR4110 4110 /* BuildContext call failed */
+
+/* ACL_ModuleRegister */
+#define ACLERR4200 4200 /* module name missing */
+#define ACLERR4210 4210 /* module registration call failed */
+
+/* ACL_GetAttribute */
+#define ACLERR4300 4300 /* Couldn't determine method */
+#define ACLERR4310 4310 /* Couldn't locate Getter */
+#define ACLERR4320 4320 /* Couldn't Set Attr */
+#define ACLERR4330 4330 /* Couldn't Get Attr */
+#define ACLERR4340 4340 /* All getters declined */
+#define ACLERR4350 4350 /* All getters declined */
+#define ACLERR4360 4360 /* All getters declined */
+#define ACLERR4370 4370 /* All getters declined */
+#define ACLERR4380 4380 /* Couldn't determine dbtype */
+
+/* reg_dbname_internal */
+#define ACLERR4400 4400 /* dbtype not defined yet */
+#define ACLERR4410 4410 /* dbtype not defined yet */
+#define ACLERR4420 4420 /* out of memory */
+
+/* ACL_DatabaseRegister */
+#define ACLERR4500 4500 /* database name is missing */
+
+/* ACL_ReadDbMapFile */
+#define ACLERR4600 4600 /* Error reading the Map file */
+#define ACLERR4610 4610 /* Couldn't determine dbtype */
+#define ACLERR4620 4620 /* Missing URL for database */
+#define ACLERR4630 4630 /* Invalid proprty pair */
+#define ACLERR4640 4640 /* Register database failed */
+#define ACLERR4650 4650 /* Default database not LDAP */
+#define ACLERR4660 4660 /* Multiple default databases */
+#define ACLERR4670 4670 /* No default database */
+
+/* LASDnsBuild */
+#define ACLERR4700 4700 /* Cannot allocatae hash */
+#define ACLERR4710 4710 /* Cannot add token to hash */
+#define ACLERR4720 4720 /* Cannot add token to hash */
+#define ACLERR4730 4730 /* Cannot add token to hash */
+#define ACLERR4740 4740 /* Cannot add token to hash */
+#define ACLERR4750 4750 /* Cannot add token to hash */
+#define ACLERR4760 4760 /* Cannot add token to hash */
+
+/* LASDnsEval */
+#define ACLERR4800 4800 /* Wrong attribute name */
+#define ACLERR4810 4810 /* Illegal comparator */
+#define ACLERR4820 4820 /* Cannot allocate context struct */
+#define ACLERR4830 4830 /* Cannot get DNS attribute */
+
+/* LASGroupEval */
+#define ACLERR4900 4900 /* wrong attribute */
+#define ACLERR4910 4910 /* bad comparator */
+#define ACLERR4920 4920 /* unable to get database name */
+
+/* LASIpTreeAllocNode */
+#define ACLERR5000 5000 /* Cannot allocate IP tree */
+
+/* LASIpAddPattern */
+#define ACLERR5100 5100 /* Cannot allocate IP tree node */
+#define ACLERR5110 5110 /* Cannot allocate IP tree node */
+
+/* LASIpEval */
+#define ACLERR5200 5200 /* Wrong attribute */
+#define ACLERR5210 5210 /* Bad comparator */
+#define ACLERR5220 5220 /* Cannot get session pointer */
+#define ACLERR5230 5230 /* Cannot allocate context */
+#define ACLERR5240 5240 /* Tested 32 bits without conclusion */
+
+/* LASProgramEval */
+#define ACLERR5300 5300 /* Wrong attribute */
+#define ACLERR5310 5310 /* Bad comparator */
+#define ACLERR5320 5320 /* Can't get request pointer */
+#define ACLERR5330 5330 /* Invalid program expression */
+#define ACLERR5340 5340 /* Rejecting Request */
+
+/* LASDayOfWeekEval */
+#define ACLERR5400 5400 /* wrong attribute */
+#define ACLERR5410 5410 /* bad comparator */
+
+/* LASTimeOfDayEval */
+#define ACLERR5600 5600 /* wrong attribute */
+#define ACLERR5610 5610 /* bad comparator */
+
+/* LASUserEval */
+#define ACLERR5700 5700 /* wrong attribute */
+#define ACLERR5710 5710 /* bad comparator */
+#define ACLERR5720 5720 /* Out of memory */
+
+/* ldapacl.cpp */
+#define ACLERR5800 5800 /* missing the database url */
+#define ACLERR5810 5810 /* missing the database name */
+#define ACLERR5820 5820 /* error parsing the db url */
+#define ACLERR5830 5830 /* unable to get db name */
+#define ACLERR5840 5840 /* can't get parsed db name */
+#define ACLERR5850 5850 /* can't init ldap connection */
+#define ACLERR5860 5860 /* passwd check ldap error */
+#define ACLERR5870 5870 /* Out of memory */
+#define ACLERR5880 5880 /* User doesn't exist anymore */
+#define ACLERR5890 5890 /* PList error */
+
+/* get_user_ismember_ldap */
+#define ACLERR5900 5900 /* Can't get db name */
+#define ACLERR5910 5910 /* Can't get parsed db name */
+#define ACLERR5920 5920 /* Out of memory */
+#define ACLERR5930 5930 /* Can't init ldap connection */
+#define ACLERR5940 5940 /* Group doesn't exist */
+#define ACLERR5950 5950 /* LDAP error */
+
+/* ACL_LDAPDatabaseHandle */
+#define ACLERR6000 6000 /* Not a registered db */
+#define ACLERR6010 6010 /* Not an LDAP db */
+#define ACLERR6020 6020 /* Out of memory */
+#define ACLERR6030 6030 /* Can't init ldap connection */
+#define ACLERR6040 6040 /* Can't bind to ldap server */
+
+
+
+/* Define error return codes */
+#define ACLERRNOMEM -1 /* insufficient dynamic memory */
+#define ACLERROPEN -2 /* file open error */
+#define ACLERRDUPSYM -3 /* duplicate symbol */
+#define ACLERRSYNTAX -4 /* syntax error */
+#define ACLERRUNDEF -5 /* undefined symbol */
+#define ACLERRADB -6 /* authentication DB access error */
+#define ACLERRPARSE -7 /* ACL parsing error */
+#define ACLERRNORLM -8 /* missing authentication realm */
+#define ACLERRIO -9 /* IO error */
+#define ACLERRINTERNAL -10 /* internal processing error */
+/* #define ACLERRFAIL -11 */ /* defined in include/public/nsacl/acldef.h */
+#define ACLERRINVAL -12 /* invalid argument */
+#define ACLERRCONFIG -13 /* auth realms don't math acl */
+
+#include "nserror.h"
+
+#ifndef PUBLIC_NSACL_ACLDEF_H
+#include "public/nsacl/acldef.h"
+#endif /* !PUBLIC_NSACL_ACLDEF_H */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions in aclerror.c */
+extern void aclErrorFmt(NSErr_t * errp,
+ char * msgbuf, int maxlen, int maxdepth);
+
+NSPR_END_EXTERN_C
+
+#endif /* __aclerror_h */
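Review bot: `ACLERR5000` is defined twice with the same value, once under aclStringOpen() ("memory shortage for ACLFile_t") and again under LASIpTreeAllocNode ("Cannot allocate IP tree"). The identical redefinition compiles cleanly, but an error frame carrying 5000 can no longer be traced to a single call site, which matters when diagnosing why an ACL failed to load. Give one of the two a distinct, unused identifier, or at minimum add a comment at the aclStringOpen() group noting that its numbers sit inside the range used by the LAS errors. The header also uses `NSPR_BEGIN_EXTERN_C` near its top before any `#include`, so it relies on the includer having supplied that macro; moving `#include "nserror.h"` above that block would make it self-contained, assuming nserror.h provides the definition.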
diff --git a/include/libaccess/acleval.h b/include/libaccess/acleval.h
new file mode 100644
index 00000000..7fbd077a
--- /dev/null
+++ b/include/libaccess/acleval.h
@@ -0,0 +1,37 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __acleval_h
+#define __acleval_h
+
+/*
+ * Description (acleval.h)
+ *
+ * This file defines the interface to the ACL evaluation module.
+ */
+
+#include "nserror.h"
+#include "nsauth.h"
+#include "aclstruct.h"
+
+/* Define values returned by lookup routines */
+#define ACL_NOMATCH 0 /* no match */
+#define ACL_IPMATCH 0x1 /* IP address match */
+#define ACL_DNMATCH 0x2 /* DNS name match */
+#define ACL_USMATCH 0x4 /* user name match */
+#define ACL_GRMATCH 0x8 /* user is member of group */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions in acleval.c */
+extern int aclDNSLookup(DNSFilter_t * dnf,
+ char * dnsspec, int fqdn, char **match);
+extern int aclIPLookup(IPFilter_t * ipf, IPAddr_t ipaddr, void **match);
+extern int aclUserLookup(UidUser_t * uup, UserObj_t * uoptr);
+extern int aclEvaluate(ACL_t * acl, USI_t arid, ClAuth_t * clauth, int * padn);
+
+NSPR_END_EXTERN_C
+
+#endif /* __acleval_h */
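Review bot: `aclEvaluate` is declared without any comment describing its return value or what it stores through `padn`, and the `ACL_*MATCH` flags are documented only as "values returned by lookup routines". For what appears from its name to be the function that yields the access decision, callers need to know which results mean allow, deny and error so that an unexpected value is handled as a denial. Add a block comment above the declaration stating the return values and the meaning of `*padn`, taken from acleval.c, and say for `aclDNSLookup` and `aclIPLookup` whether `*match` is left untouched when the result is `ACL_NOMATCH`.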
diff --git a/include/libaccess/aclglobal.h b/include/libaccess/aclglobal.h
new file mode 100644
index 00000000..165a69ef
--- /dev/null
+++ b/include/libaccess/aclglobal.h
@@ -0,0 +1,52 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+/*
+** Header file containing global data elements. These are duplicated
+** when a cache flush is done.
+*/
+
+#include <libaccess/acl.h>
+
+struct ACLGlobal_s {
+ ACLListHandle_t *masterlist;
+ pool_handle_t *pool; /* Deallocate at the start of cache flush */
+ pool_handle_t *databasepool;
+ pool_handle_t *methodpool;
+ PRHashTable *urihash;
+ PRHashTable *urigethash;
+ PRHashTable *listhash;
+ PRHashTable *evalhash;
+ PRHashTable *flushhash;
+ PRHashTable *methodhash;
+ PRHashTable *dbtypehash;
+ PRHashTable *dbnamehash;
+ PRHashTable *attrgetterhash;
+ PRHashTable *userLdbHash; /* user's LDAP handle hash */
+};
+
+typedef struct ACLGlobal_s ACLGlobal_t;
+typedef struct ACLGlobal_s *ACLGlobal_p;
+
+#define acl_uri_hash_pool ACLGlobal->pool
+#define acl_uri_hash ACLGlobal->urihash
+#define acl_uri_get_hash ACLGlobal->urigethash
+#define ACLListHash ACLGlobal->listhash
+#define ACLLasEvalHash ACLGlobal->evalhash
+#define ACLLasFlushHash ACLGlobal->flushhash
+#define ACLMethodHash ACLGlobal->methodhash
+#define ACLDbTypeHash ACLGlobal->dbtypehash
+#define ACLDbNameHash ACLGlobal->dbnamehash
+#define ACLAttrGetterHash ACLGlobal->attrgetterhash
+#define ACLUserLdbHash ACLGlobal->userLdbHash
+#define ACL_DATABASE_POOL ACLGlobal->databasepool
+#define ACL_METHOD_POOL ACLGlobal->methodpool
+
+NSPR_BEGIN_EXTERN_C
+
+extern ACLGlobal_p ACLGlobal;
+extern ACLGlobal_p oldACLGlobal;
+
+NSPR_END_EXTERN_C
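Review bot: This header has no include guard, unlike the other libaccess headers added in this commit, and it defines `struct ACLGlobal_s`, so a second inclusion in one translation unit fails with a redefinition error. Wrap the contents in `#ifndef ACL_GLOBAL_HEADER` / `#define ACL_GLOBAL_HEADER` and a closing `#endif`. The accessor macros such as `acl_uri_hash` expand to a dereference of the global `ACLGlobal` pointer; since the file comment says these elements are duplicated when a cache flush is done, it would help to document what lock or ordering a reader must hold while `ACLGlobal` and `oldACLGlobal` are being switched.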
diff --git a/include/libaccess/aclparse.h b/include/libaccess/aclparse.h
new file mode 100644
index 00000000..503657e1
--- /dev/null
+++ b/include/libaccess/aclparse.h
@@ -0,0 +1,112 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __aclparse_h
+#define __aclparse_h
+
+/*
+ * Description (aclparse.h)
+ *
+ * This file describes the interface to a parser for files
+ * containing Access Control List (ACL) definitions. The parser
+ * uses the services of the aclbuild module to construct an
+ * in-memory representation of the ACLs it parses.
+ */
+
+#include "nserror.h"
+#include "aclbuild.h"
+
+/* Define keywords */
+#define KEYWORD_ACL "acl"
+#define KEYWORD_ALL "all"
+#define KEYWORD_ALLOW "allow"
+#define KEYWORD_ANY "anyone"
+#define KEYWORD_AT "at"
+#define KEYWORD_AUTH "authenticate"
+#define KEYWORD_BASIC "basic"
+#define KEYWORD_DATABASE "database"
+#define KEYWORD_DEFAULT "default"
+#define KEYWORD_DENY "deny"
+#define KEYWORD_EXECUTE "execute"
+#define KEYWORD_HOSTS "hosts"
+#define KEYWORD_IF "if"
+#define KEYWORD_IN "in"
+#define KEYWORD_INCLUDE "include"
+#define KEYWORD_METHOD "method"
+#define KEYWORD_PROMPT "prompt"
+#define KEYWORD_REALM "realm"
+#define KEYWORD_RIGHTS "rights"
+#define KEYWORD_SSL "ssl"
+
+/* Define character classes */
+#define CCM_WS 0x1 /* whitespace */
+#define CCM_NL 0x2 /* newline */
+#define CCM_SPECIAL 0x4 /* special characters */
+#define CCM_DIGIT 0x8 /* digits */
+#define CCM_LETTER 0x10 /* letters */
+#define CCM_HYPHEN 0x20 /* hyphen */
+#define CCM_USCORE 0x40 /* underscore */
+#define CCM_FILESPEC 0x80 /* filename special characters */
+
+#define CCM_HYPUND (CCM_HYPHEN|CCM_USCORE)
+#define CCM_IDENT (CCM_LETTER|CCM_DIGIT|CCM_HYPUND)
+#define CCM_FILENAME (CCM_LETTER|CCM_DIGIT|CCM_FILESPEC)
+
+/* Define token numbers */
+#define TOKEN_ERROR -1 /* error in reading data stream */
+#define TOKEN_EOF 0 /* end-of-file */
+#define TOKEN_EOS 1 /* end-of-statement */
+#define TOKEN_IDENT 2 /* identifier */
+#define TOKEN_NUMBER 3 /* number */
+#define TOKEN_COMMA 4 /* comma */
+#define TOKEN_SEMI 5 /* semicolon */
+#define TOKEN_PERIOD 6 /* period */
+#define TOKEN_LPAREN 7 /* left parenthesis */
+#define TOKEN_RPAREN 8 /* right parenthesis */
+#define TOKEN_LBRACE 9 /* left brace */
+#define TOKEN_RBRACE 10 /* right brace */
+#define TOKEN_AT 11 /* at sign */
+#define TOKEN_PLUS 12 /* plus sign */
+#define TOKEN_STAR 13 /* asterisk */
+#define TOKEN_STRING 14 /* quoted string */
+#define TOKEN_HUH 15 /* unrecognized input */
+
+/* Define flags bits for aclGetToken() */
+#define AGT_NOSKIP 0x1 /* don't skip leading whitespace */
+#define AGT_APPEND 0x2 /* append next to token buffer */
+
+NSPR_BEGIN_EXTERN_C
+
+extern void * aclChTab; /* character table for ACL parsing */
+
+/* Functions in aclparse.c */
+extern int aclAuthListParse(NSErr_t * errp, ACLFile_t * acf,
+ ACContext_t * acc, Realm_t * rlm,
+ ACClients_t **clsp);
+extern int aclAuthHostsParse(NSErr_t * errp, ACLFile_t * acf,
+ ACContext_t * acc, HostSpec_t **hspp);
+extern int aclAuthUsersParse(NSErr_t * errp, ACLFile_t * acf,
+ Realm_t * rlm, UserSpec_t **uspp, char ***elist);
+extern int aclDirectivesParse(NSErr_t * errp, ACLFile_t * acf, ACL_t * acl);
+extern int aclACLParse(NSErr_t * errp,
+ ACLFile_t * acf, ACContext_t * acc, int flags);
+extern void aclFileClose(ACLFile_t * acf, int flags);
+extern int aclFileOpen(NSErr_t * errp,
+ char * filename, int flags, ACLFile_t **pacf);
+extern int aclGetDNSString(NSErr_t * errp, ACLFile_t * acf);
+extern int aclGetFileSpec(NSErr_t * errp, ACLFile_t * acf, int flags);
+extern int aclGetIPAddr(NSErr_t * errp,
+ ACLFile_t * acf, IPAddr_t * pip, IPAddr_t * pmask);
+extern int aclGetToken(NSErr_t * errp, ACLFile_t * acf, int flags);
+extern int aclParseInit();
+extern int aclRealmSpecParse(NSErr_t * errp, ACLFile_t * acf,
+ ACContext_t * acc, RealmSpec_t **rspp);
+extern int aclRightsParse(NSErr_t * errp, ACLFile_t * acf, ACContext_t * acc,
+ RightSpec_t **rights);
+extern int aclStreamGet(LEXStream_t * lst);
+
+NSPR_END_EXTERN_C
+
+#endif /* __aclparse_h */
diff --git a/include/libaccess/aclproto.h b/include/libaccess/aclproto.h
new file mode 100644
index 00000000..6dbc07d5
--- /dev/null
+++ b/include/libaccess/aclproto.h
@@ -0,0 +1,156 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef ACL_PROTO_HEADER
+#define ACL_PROTO_HEADER
+
+#ifndef NOINTNSACL
+#define INTNSACL
+#endif /* !NOINTNSACL */
+
+#ifndef PUBLIC_NSACL_ACLDEF_H
+#include "public/nsacl/acldef.h"
+#endif /* !PUBLIC_NSACL_ACLDEF_H */
+
+#ifdef INTNSACL
+
+NSPR_BEGIN_EXTERN_C
+
+/*********************************************************************
+ * ACL language and file interfaces
+ *********************************************************************/
+
+NSAPI_PUBLIC ACLListHandle_t * ACL_ParseFile(NSErr_t *errp, char *filename);
+NSAPI_PUBLIC ACLListHandle_t * ACL_ParseString(NSErr_t *errp, char *buffer);
+NSAPI_PUBLIC int ACL_Decompose(NSErr_t *errp, char **acl, ACLListHandle_t *acl_list);
+NSAPI_PUBLIC int ACL_WriteString(NSErr_t *errp, char **acl, ACLListHandle_t *acllist);
+NSAPI_PUBLIC int ACL_WriteFile(NSErr_t *errp, char *filename, ACLListHandle_t *acllist);
+NSAPI_PUBLIC int ACL_FileRenameAcl(NSErr_t *errp, char *filename, char *acl_name, char *new_acl_name, int flags);
+NSAPI_PUBLIC int ACL_FileDeleteAcl(NSErr_t *errp, char *filename, char *acl_name, int flags);
+NSAPI_PUBLIC int ACL_FileGetAcl(NSErr_t *errp, char *filename, char *acl_name, char **acl_text, int flags);
+NSAPI_PUBLIC int ACL_FileSetAcl(NSErr_t *errp, char *filename, char *acl_text, int flags);
+NSAPI_PUBLIC int ACL_FileMergeAcl(NSErr_t *errp, char *filename, char **acl_name_list, char *new_acl_name, int flags);
+NSAPI_PUBLIC int ACL_FileMergeFile(NSErr_t *errp, char *filename, char **file_list, int flags);
+
+
+/*********************************************************************
+ * ACL Expression construction interfaces
+ *********************************************************************/
+NSAPI_PUBLIC ACLExprHandle_t *ACL_ExprNew(const ACLExprType_t expr_type);
+NSAPI_PUBLIC void ACL_ExprDestroy(ACLExprHandle_t *expr);
+NSAPI_PUBLIC int ACL_ExprSetPFlags(NSErr_t *errp, ACLExprHandle_t *expr, PFlags_t flags);
+NSAPI_PUBLIC int ACL_ExprClearPFlags(NSErr_t *errp, ACLExprHandle_t *expr);
+NSAPI_PUBLIC int ACL_ExprTerm(NSErr_t *errp, ACLExprHandle_t *acl_expr, char *attr_name, CmpOp_t cmp, char *attr_pattern);
+NSAPI_PUBLIC int ACL_ExprNot(NSErr_t *errp, ACLExprHandle_t *acl_expr);
+NSAPI_PUBLIC int ACL_ExprAnd(NSErr_t *errp, ACLExprHandle_t *acl_expr);
+NSAPI_PUBLIC int ACL_ExprOr(NSErr_t *errp, ACLExprHandle_t *acl_expr);
+NSAPI_PUBLIC int ACL_ExprAddAuthInfo(ACLExprHandle_t *expr, PList_t auth_info);
+NSAPI_PUBLIC int ACL_ExprAddArg(NSErr_t *errp, ACLExprHandle_t *expr, char *arg);
+NSAPI_PUBLIC int ACL_ExprSetDenyWith(NSErr_t *errp, ACLExprHandle_t *expr, char *deny_type, char *deny_response);
+NSAPI_PUBLIC int ACL_ExprGetDenyWith(NSErr_t *errp, ACLExprHandle_t *expr, char **deny_type, char **deny_response);
+
+/*********************************************************************
+ * ACL manipulation
+ *********************************************************************/
+
+NSAPI_PUBLIC ACLHandle_t * ACL_AclNew(NSErr_t *errp, char *tag);
+NSAPI_PUBLIC void ACL_AclDestroy(NSErr_t *errp, ACLHandle_t *acl);
+NSAPI_PUBLIC int ACL_ExprAppend(NSErr_t *errp, ACLHandle_t *acl, ACLExprHandle_t *expr);
+NSAPI_PUBLIC const char *ACL_AclGetTag(ACLHandle_t *acl);
+
+/*********************************************************************
+ * ACL list manipulation
+ *********************************************************************/
+
+NSAPI_PUBLIC ACLListHandle_t * ACL_ListNew(NSErr_t *errp);
+NSAPI_PUBLIC int ACL_ListConcat(NSErr_t *errp, ACLListHandle_t *acl_list1, ACLListHandle_t *acl_list2, int flags);
+NSAPI_PUBLIC int ACL_ListAppend(NSErr_t *errp, ACLListHandle_t *acllist, ACLHandle_t *acl, int flags);
+NSAPI_PUBLIC void ACL_ListDestroy(NSErr_t *errp, ACLListHandle_t *acllist);
+NSAPI_PUBLIC ACLHandle_t * ACL_ListFind(NSErr_t *errp, ACLListHandle_t *acllist, char *aclname, int flags);
+NSAPI_PUBLIC int ACL_ListAclDelete(NSErr_t *errp, ACLListHandle_t *acl_list, char *acl_name, int flags);
+NSAPI_PUBLIC int ACL_ListGetNameList(NSErr_t *errp, ACLListHandle_t *acl_list, char ***name_list);
+NSAPI_PUBLIC int ACL_FileGetNameList(NSErr_t *errp, char * filename, char ***name_list);
+NSAPI_PUBLIC int ACL_NameListDestroy(NSErr_t *errp, char **name_list);
+NSAPI_PUBLIC ACLHandle_t *ACL_ListGetFirst(ACLListHandle_t *acl_list,
+ ACLListEnum_t *acl_enum);
+NSAPI_PUBLIC ACLHandle_t *ACL_ListGetNext(ACLListHandle_t *acl_list,
+ ACLListEnum_t *acl_enum);
+
+/* Only used for asserts. Probably shouldn't be publicly advertized */
+extern int ACL_AssertAcllist( ACLListHandle_t *acllist );
+
+/* Need to be ACL_LIB_INTERNAL */
+NSAPI_PUBLIC int ACL_ListPostParseForAuth(NSErr_t *errp, ACLListHandle_t *acl_list);
+
+/*********************************************************************
+ * ACL evaluation
+ *********************************************************************/
+
+NSAPI_PUBLIC int ACL_EvalTestRights(NSErr_t *errp, ACLEvalHandle_t *acleval, char **rights, char **map_generic, char **deny_type, char **deny_response, char **acl_tag, int *expr_num);
+NSAPI_PUBLIC int ACL_CachableAclList(ACLListHandle_t *acllist);
+NSAPI_PUBLIC ACLEvalHandle_t * ACL_EvalNew(NSErr_t *errp, pool_handle_t *pool);
+NSAPI_PUBLIC void ACL_EvalDestroy(NSErr_t *errp, pool_handle_t *pool, ACLEvalHandle_t *acleval);
+NSAPI_PUBLIC void ACL_EvalDestroyNoDecrement(NSErr_t *errp, pool_handle_t *pool, ACLEvalHandle_t *acleval);
+NSAPI_PUBLIC int ACL_ListDecrement(NSErr_t *errp, ACLListHandle_t *acllist);
+NSAPI_PUBLIC int ACL_EvalSetACL(NSErr_t *errp, ACLEvalHandle_t *acleval, ACLListHandle_t *acllist);
+NSAPI_PUBLIC PList_t ACL_EvalGetSubject(NSErr_t *errp, ACLEvalHandle_t *acleval);
+NSAPI_PUBLIC int ACL_EvalSetSubject(NSErr_t *errp, ACLEvalHandle_t *acleval, PList_t subject);
+NSAPI_PUBLIC PList_t ACL_EvalGetResource(NSErr_t *errp, ACLEvalHandle_t *acleval);
+NSAPI_PUBLIC int ACL_EvalSetResource(NSErr_t *errp, ACLEvalHandle_t *acleval, PList_t resource);
+
+/*
+ * The following entities are only meant to be called by whole server
+ * products that include libaccess. E.g. the HTTP server, the Directory
+ * server etc. They should not be called by ACL callers, LASs etc.
+ */
+
+/*********************************************************************
+ * ACL misc routines
+ *********************************************************************/
+
+NSAPI_PUBLIC int ACL_Init(void);
+NSAPI_PUBLIC int ACL_InitPostMagnus(void);
+NSAPI_PUBLIC int ACL_LateInitPostMagnus(void);
+NSAPI_PUBLIC void ACL_ListHashUpdate(ACLListHandle_t **acllistp);
+NSAPI_PUBLIC void ACL_GetPathAcls(char *path, ACLListHandle_t **acllist_p, char *prefix, ACLListHandle_t *masterlist);
+NSAPI_PUBLIC int ACL_ReadDbMapFile(NSErr_t *errp, const char *map_file, int default_only);
+
+NSAPI_PUBLIC int ACL_MethodNamesGet(NSErr_t *errp, char ***names, int *count);
+NSAPI_PUBLIC int ACL_MethodNamesFree(NSErr_t *errp, char **names, int count);
+
+NSAPI_PUBLIC int ACL_DatabaseNamesGet(NSErr_t *errp, char ***names, int *count);
+NSAPI_PUBLIC int ACL_DatabaseNamesFree(NSErr_t *errp, char **names, int count);
+
+NSAPI_PUBLIC int ACL_InitAttr2Index(void);
+NSAPI_PUBLIC int ACL_Attr2Index(const char *attrname);
+
+/*********************************************************************
+ * ACL cache and flush utility
+ *********************************************************************/
+
+NSAPI_PUBLIC int ACL_CacheCheck(char *uri, ACLListHandle_t **acllist_p);
+NSAPI_PUBLIC int ACL_CacheCheckGet(char *uri, ACLListHandle_t **acllist_p);
+NSAPI_PUBLIC void ACL_CacheEnter(char *uri, ACLListHandle_t **acllist_p);
+NSAPI_PUBLIC void ACL_CacheEnterGet(char *uri, ACLListHandle_t **acllist_p);
+NSAPI_PUBLIC int ACL_ListHashCheck(ACLListHandle_t **acllist_p);
+NSAPI_PUBLIC void ACL_ListHashEnter(ACLListHandle_t **acllist_p);
+NSAPI_PUBLIC int ACL_CacheFlush(void);
+NSAPI_PUBLIC void ACL_Restart(void *clntData);
+NSAPI_PUBLIC void ACL_CritEnter(void);
+NSAPI_PUBLIC void ACL_CritExit(void);
+
+/*********************************************************************
+ * ACL CGI routines
+ *********************************************************************/
+
+NSAPI_PUBLIC void ACL_OutputSelector(char *name, char **item);
+
+
+NSPR_END_EXTERN_C
+
+#endif /* INTNSACL */
+
+#endif
+
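Review bot: The prototypes that return strings through out-parameters do not say who owns the returned memory: `char **acl` in ACL_Decompose and ACL_WriteString, `char **acl_text` in ACL_FileGetAcl, and `deny_type` / `deny_response` / `acl_tag` in ACL_EvalTestRights. The name-list functions have explicit release calls (ACL_NameListDestroy, ACL_MethodNamesFree, ACL_DatabaseNamesFree), but none is declared for these, so a caller has to guess whether to free. A short comment above each group naming the owner and the release routine would prevent leaks and double frees; the allocator in use cannot be determined from this header. Separately, input-only arguments such as `char *filename` could be `const char *`, as ACL_ReadDbMapFile already does for `map_file`.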
diff --git a/include/libaccess/aclstruct.h b/include/libaccess/aclstruct.h
new file mode 100644
index 00000000..71320b0f
--- /dev/null
+++ b/include/libaccess/aclstruct.h
@@ -0,0 +1,264 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __aclstruct_h
+#define __aclstruct_h
+
+/*
+ * Description (aclstruct.h)
+ *
+ * This file defines types and data structures used to construct
+ * representations of Access Control Lists (ACLs) in memory.
+ */
+
+#include "base/systems.h"
+#include "base/file.h"
+#include "base/lexer.h"
+#include "nsauth.h" /* authentication types */
+#include "symbols.h" /* typed symbol support */
+#include "ipfstruct.h" /* IP address filter structures */
+#include "dnfstruct.h" /* DNS name filter structures */
+
+
+NSPR_BEGIN_EXTERN_C
+
+/* Forward type definitions */
+typedef struct ACL_s ACL_t;
+
+/*
+ * Description (InetHost_t)
+ *
+ * This type defines a structure which represents a list of Internet
+ * hosts by IP address and netmask, or by fully or partially
+ * qualified DNS name.
+ */
+
+typedef struct InetHost_s InetHost_t;
+struct InetHost_s {
+ IPFilter_t inh_ipf; /* reference to IP filter */
+ DNSFilter_t inh_dnf; /* reference to DNS filter */
+};
+
+/*
+ * Description (HostSpec_t)
+ *
+ * This type describes a named list of hosts.
+ */
+
+typedef struct HostSpec_s HostSpec_t;
+struct HostSpec_s {
+ Symbol_t hs_sym; /* symbol name, type ACLSYMHOST */
+ InetHost_t hs_host; /* host information */
+};
+
+/*
+ * Description (UidUser_t)
+ *
+ * This type represents a list of users and groups using unique
+ * integer identifiers.
+ */
+
+typedef struct UidUser_s UidUser_t;
+struct UidUser_s {
+ USIList_t uu_user; /* list of user ids */
+ USIList_t uu_group; /* list of group ids */
+};
+
+/*
+ * Description (UserSpec_t)
+ *
+ * This type describes a named list of users and groups.
+ */
+
+typedef struct UserSpec_s UserSpec_t;
+struct UserSpec_s {
+ Symbol_t us_sym; /* list name, type ACLSYMUSER */
+ int us_flags; /* bit flags */
+#define ACL_USALL 0x1 /* any authenticated user */
+
+ UidUser_t us_user; /* user list structure */
+};
+
+/*
+ * Description (ACClients_t)
+ *
+ * This type defines the structure of action-specific information
+ * for access control directives with action codes ACD_ALLOW and
+ * ACD_DENY. These directives specify access control constraints
+ * on users/groups and hosts.
+ */
+
+typedef struct ACClients_s ACClients_t;
+struct ACClients_s {
+ ACClients_t * cl_next; /* list link */
+ HostSpec_t * cl_host; /* host specification pointer */
+ UserSpec_t * cl_user; /* user list pointer */
+};
+
+/*
+ * Description (RealmSpec_t)
+ *
+ * This type describes a named realm.
+ */
+
+typedef struct RealmSpec_s RealmSpec_t;
+struct RealmSpec_s {
+ Symbol_t rs_sym; /* realm name, type ACLSYMREALM */
+ Realm_t rs_realm; /* realm information */
+};
+
+/*
+ * Description (ACAuth_t)
+ *
+ * This type defines the structure of action-specific information
+ * for an access control directive with action code ACD_AUTH,
+ * which specifies information about authentication requirements.
+ */
+
+typedef struct ACAuth_s ACAuth_t;
+struct ACAuth_s {
+ RealmSpec_t * au_realm; /* pointer to realm information */
+};
+
+/*
+ * Description (ACDirective_t)
+ *
+ * This type defines a structure which represents an access control
+ * directive. Each directive specifies an access control action
+ * to be taken during ACL evaluation. The ACDirective_t structure
+ * begins an action-specific structure which contains the
+ * parameters for an action.
+ */
+
+typedef struct ACDirective_s ACDirective_t;
+struct ACDirective_s {
+ ACDirective_t * acd_next; /* next directive in ACL */
+ short acd_action; /* directive action code */
+ short acd_flags; /* action modifier flags */
+
+ /* Begin action-specific information */
+ union {
+ ACClients_t * acu_cl; /* ACD_ALLOW, ACD_DENY */
+ ACAuth_t acu_auth; /* ACD_AUTH */
+ } acd_u;
+};
+
+#define acd_cl acd_u.acu_cl
+#define acd_auth acd_u.acu_auth
+
+/* Define acd_action codes */
+#define ACD_ALLOW 1 /* allow access */
+#define ACD_DENY 2 /* deny access */
+#define ACD_AUTH 3 /* specify authentication realm */
+#define ACD_EXEC 4 /* execute (conditionally) */
+
+/* Define acd_flags values */
+#define ACD_ACTION 0xf /* bits reserved for acd_action */
+#define ACD_FORCE 0x10 /* force of action */
+#define ACD_DEFAULT 0 /* default action */
+#define ACD_ALWAYS ACD_FORCE /* immediate action */
+#define ACD_EXALLOW 0x20 /* execute if allow */
+#define ACD_EXDENY 0x40 /* execute if deny */
+#define ACD_EXAUTH 0x80 /* execute if authenticate */
+
+/*
+ * Description (RightDef_t)
+ *
+ * This type describes a named access right. Each access right has
+ * an associated unique integer id. A list of all access rights
+ * known in an ACL context is maintained, with its head in the
+ * ACContext_t structure.
+ */
+
+typedef struct RightDef_s RightDef_t;
+struct RightDef_s {
+ Symbol_t rd_sym; /* right name, type ACLSYMRIGHT */
+ RightDef_t * rd_next; /* next on ACContext_t list */
+ USI_t rd_id; /* unique id */
+};
+
+/*
+ * Description (RightSpec_t)
+ *
+ * This type describes a named list of access rights.
+ */
+
+typedef struct RightSpec_s RightSpec_t;
+struct RightSpec_s {
+ Symbol_t rs_sym; /* list name, type ACLSYMRDEF */
+ USIList_t rs_list; /* list of right ids */
+};
+
+/*
+ * Description (ACContext_t)
+ *
+ * This type defines a structure that defines a context for a set
+ * of Access Control Lists. This includes references to an
+ * authentication database, if any, and a symbol table containing
+ * access right definitions. It also serves as a list head for the
+ * ACLs which are defined in the specified context.
+ */
+
+typedef struct ACContext_s ACContext_t;
+struct ACContext_s {
+ void * acc_stp; /* symbol table handle */
+ ACL_t * acc_acls; /* list of ACLs */
+ RightDef_t * acc_rights; /* list of access right definitions */
+ int acc_refcnt; /* reference count */
+};
+
+/*
+ * Description (ACL_t)
+ *
+ * This type defines the structure that represents an Access Control
+ * List (ACL). An ACL has a user-assigned name and an internally
+ * assigned identifier (which is an index in an object directory).
+ * It references a list of access rights which are to be allowed or
+ * denied, according to the ACL specifications. It references an
+ * ordered list of ACL directives, which specify who has and who does
+ * not have the associated access rights.
+ */
+
+struct ACL_s {
+ Symbol_t acl_sym; /* ACL name, type ACLSYMACL */
+ ACL_t * acl_next; /* next ACL on a list */
+ ACContext_t * acl_acc; /* context for this ACL */
+ USI_t acl_id; /* id of this ACL */
+ int acl_refcnt; /* reference count */
+ RightSpec_t * acl_rights; /* access rights list */
+ ACDirective_t * acl_dirf; /* first directive pointer */
+ ACDirective_t * acl_dirl; /* last directive pointer */
+};
+
+/* Define symbol type codes */
+#define ACLSYMACL 0 /* ACL */
+#define ACLSYMRIGHT 1 /* access right */
+#define ACLSYMRDEF 2 /* access rights list */
+#define ACLSYMREALM 3 /* realm name */
+#define ACLSYMHOST 4 /* host specifications */
+#define ACLSYMUSER 5 /* user/group list */
+
+/*
+ * Description (ACLFile_t)
+ *
+ * This type describes a structure containing information about
+ * an open ACL description file.
+ */
+
+typedef struct ACLFile_s ACLFile_t;
+struct ACLFile_s {
+ ACLFile_t * acf_next; /* list link */
+ char * acf_filename; /* pointer to filename string */
+ LEXStream_t * acf_lst; /* LEX stream handle */
+ SYS_FILE acf_fd; /* file descriptor */
+ int acf_flags; /* bit flags (unused) */
+ int acf_lineno; /* current line number */
+ void * acf_token; /* LEX token handle */
+ int acf_ttype; /* current token type */
+};
+
+NSPR_END_EXTERN_C
+
+#endif /* __aclstruct_h */
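Review bot: `acd_u` in ACDirective_s is a union selected by `acd_action`, but the `acd_cl` / `acd_auth` accessor macros hide that, and nothing states which member applies to ACD_EXEC, which has an action code but no union member. Reading `acd_cl` on an ACD_AUTH directive would reinterpret the `au_realm` pointer as an `ACClients_t *`, so the contract deserves a comment at the union: `/* valid member is chosen by acd_action: acu_cl for ACD_ALLOW/ACD_DENY, acu_auth for ACD_AUTH; no member is defined for ACD_EXEC */`. The `ACD_ACTION 0xf` comment also leaves unclear whether the action code is mirrored in the low bits of `acd_flags`; one sentence saying so would help anyone writing an evaluator against this structure.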
diff --git a/include/libaccess/attrec.h b/include/libaccess/attrec.h
new file mode 100644
index 00000000..267c32ff
--- /dev/null
+++ b/include/libaccess/attrec.h
@@ -0,0 +1,157 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __attrec_h
+#define __attrec_h
+
+/*
+ * Description (attrec.h)
+ *
+ * This file describes the encoding and decoding of attribute
+ * records. Attribute records consist of a sequence of items
+ * of the form:
+ *
+ * <tag><length><contents>
+ *
+ * The <tag> is an integer code which identifies a particular
+ * attribute. The <length> is the integer length in bytes of
+ * the <contents>. The encoding of the contents is determined
+ * by the <tag>, and is application-specific.
+ *
+ * Primitive data types currently supported are unsigned
+ * integers (USI) and null-terminated strings (NTS). The
+ * encoding of USI values less than 128 is simply an octet
+ * containing the value. For values 128 or greater, the first
+ * octet is 0x80 plus the length of the value, in octets.
+ * This octet is followed by the indicated number of octets,
+ * containing the USI value, with the most significant bits in
+ * the first octet, and the least significant bits in the last
+ * octet.
+ *
+ * Examples of USI encoding:
+ *
+ * Value Encoding (each value is an octet)
+ * 4 0x04
+ * 127 0x7f
+ * -1 (this is not a USI)
+ * 128 0x81 0x80
+ * 1023 0x82 0x03 0xff
+ *
+ * The encoding of a null-terminated string (NTS) is simply the
+ * sequence of octets which comprise the string, including the
+ * terminating null (0x00) octet. The terminating null octet is
+ * the only null value in the string. The character set used to
+ * encode the other string octets is ASCII.
+ */
+
+#include "usi.h"
+
+NSPR_BEGIN_EXTERN_C
+
+/* Define a type to reference an attribute record */
+typedef unsigned char * ATR_t;
+
+/*
+ * Description (USILENGTH)
+ *
+ * This macro returns the length of the USI encoding for a specified
+ * unsigned integer value. The length is the number of octets
+ * required. It will be greater than zero, and less than or equal
+ * to USIALLOC(). This is a partial inline optimization of
+ * USI_Length().
+ */
+
+#define USILENGTH(val) (((USI_t)(val) <= 0x7f) ? 1 : USI_Length((USI_t)(val)))
+
+/*
+ * Description (USIALLOC)
+ *
+ * This macro returns the maximum length of an unsigned integer
+ * encoding.
+ */
+
+#define USIALLOC() (5)
+
+/*
+ * Description (USIENCODE)
+ *
+ * This macro encodes a USI value into a specified buffer. It
+ * returns a pointer to the first octet after the encoding.
+ * This is a partial inline optimization for USI_Encode().
+ */
+
+#define USIENCODE(cp, val) (((USI_t)(val) <= 0x7f) ? (*(cp) = (val), (cp)+1) \
+ : USI_Encode((cp), (val)))
+
+/*
+ * Description (USIINSERT)
+ *
+ * This macro performs a variation of USIENCODE which always
+ * generates the maximum-sized USI encoding, i.e. the number of
+ * octets indicated by USIALLOC().
+ */
+
+#define USIINSERT(cp, val) USI_Insert((ATR_t)(cp), (USI_t)(val))
+
+/*
+ * Description (USIDECODE)
+ *
+ * This macro decodes a USI value from a specified buffer. It
+ * returns a pointer to the first octet after the encoding.
+ * This is a partial inline optimization for USI_Decode().
+ */
+
+#define USIDECODE(cp, pval) \
+ ((*(cp) & 0x80) ? USI_Decode((cp), (pval)) \
+ : (((pval) ? (*(pval) = *(cp)) : 0), (cp)+1))
+
+/* Define a type to reference a null-terminated string */
+typedef unsigned char * NTS_t;
+
+/*
+ * Decription (NTSLENGTH)
+ *
+ * Return the length, in octets, of a null-terminated string.
+ * It includes the terminating null octet.
+ */
+
+#define NTSLENGTH(nts) ((nts) ? strlen((char *)(nts)) + 1 : 1)
+
+/*
+ * Description (NTSENCODE)
+ *
+ * This macro copies a null-terminated string to a specified
+ * attribute record buffer. It returns a pointer to the octet
+ * following the NTS in the buffer.
+ */
+
+#define NTSENCODE(cp, nts) \
+ ((ATR_t)memccpy((void *)(cp), \
+ (void *)((nts) ? (NTS_t)(nts) : (NTS_t)""), \
+ 0, NTSLENGTH(nts)))
+
+/*
+ * Description (NTSDECODE)
+ *
+ * This macro decodes a null-terminated string in a specified
+ * attribute record buffer into a dynamically allocated buffer.
+ * It returns a pointer to the first octet after the NTS in the
+ * attribute record buffer.
+ */
+
+#define NTSDECODE(cp, pnts) NTS_Decode((cp), (pnts))
+
+/* Functions in attrec.c */
+extern int NTS_Length(NTS_t ntsp);
+extern ATR_t NTS_Decode(ATR_t cp, NTS_t * pnts);
+extern ATR_t NTS_Encode(ATR_t cp, NTS_t nts);
+extern ATR_t USI_Decode(ATR_t cp, USI_t * pval);
+extern ATR_t USI_Encode(ATR_t cp, USI_t val);
+extern ATR_t USI_Insert(ATR_t cp, USI_t val);
+extern int USI_Length(USI_t val);
+
+NSPR_END_EXTERN_C
+
+#endif /* __attrec_h */
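Review bot: USIDECODE and NTSDECODE take only a cursor `cp` and no end-of-buffer argument, so nothing in this header bounds the decode of a truncated or corrupt attribute record. The file comment says the first octet of a long USI carries `0x80` plus a length, and whether USI_Decode() caps that length at what USIALLOC() allows is not visible here. I would state the precondition next to USIDECODE, e.g. `/* Caller must guarantee the whole encoding (up to USIALLOC() octets) is readable at cp; no bounds check is performed. */`, and consider a length-taking variant for records that originate outside the process. USIENCODE and NTSENCODE also evaluate `cp`, `val` and `nts` more than once, so arguments with side effects are unsafe; a one-line warning in each description would cover that.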
diff --git a/include/libaccess/authdb.h b/include/libaccess/authdb.h
new file mode 100644
index 00000000..952f0d07
--- /dev/null
+++ b/include/libaccess/authdb.h
@@ -0,0 +1,24 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef AUTHDB_H
+#define AUTHDB_H
+
+#include <base/plist.h>
+#include <libaccess/nserror.h>
+#include <libaccess/las.h>
+
+#define URL_PREFIX_LDAP "ldap"
+#define URL_PREFIX_LDAP_LEN 4
+
+typedef struct {
+ char *dbname;
+ ACLDbType_t dbtype;
+ void *dbinfo;
+} AuthdbInfo_t;
+
+extern int acl_num_databases();
+
+#endif /* AUTHDB_H */
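Review bot: `extern int acl_num_databases();` declares a function with unspecified parameters rather than none, so the compiler will not reject a call that passes arguments; it should read `extern int acl_num_databases(void);`. The same applies to `yyparse()` in avapfile.h and `aclParseInit()` in aclparse.h. `URL_PREFIX_LDAP_LEN` is hard-coded next to the string it measures; `#define URL_PREFIX_LDAP_LEN (sizeof(URL_PREFIX_LDAP) - 1)` keeps the two in step if the prefix ever changes.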
diff --git a/include/libaccess/ava.h b/include/libaccess/ava.h
new file mode 100644
index 00000000..c8570b90
--- /dev/null
+++ b/include/libaccess/ava.h
@@ -0,0 +1,40 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _ava_h
+#define _ava_h
+
+#define ENTRIES_ALLOCSIZE 100
+#define ORGS_ALLOCSIZE 15
+
+
+#ifdef XP_WIN32
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else /* !XP_WIN32 */
+#define NSAPI_PUBLIC
+#endif
+
+
+typedef struct {
+ char *email;
+ char *locality;
+ char *userid;
+ char *state;
+ char *country;
+ char *company;
+ int numOrgs;
+ char **organizations;
+ char *CNEntry;
+} AVAEntry;
+
+typedef struct {
+ char *userdb;
+ int numEntries;
+ AVAEntry **enteredTable;
+} AVATable;
+
+
+#endif
+
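Review bot: The `NSAPI_PUBLIC` block defines the macro unconditionally, while aclproto.h in this same commit uses `NSAPI_PUBLIC` that is presumably supplied by another header. Including both can give a conflicting redefinition if the two definitions differ. Wrapping the existing `#ifdef XP_WIN32` block in `#ifndef NSAPI_PUBLIC` … `#endif` avoids the clash. `numOrgs` / `organizations` and `numEntries` / `enteredTable` are count-and-array pairs; a comment saying whether each count is elements in use or allocated capacity (given `ENTRIES_ALLOCSIZE` and `ORGS_ALLOCSIZE`) would help callers stay in bounds.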
diff --git a/include/libaccess/avadb.h b/include/libaccess/avadb.h
new file mode 100644
index 00000000..bbb6c904
--- /dev/null
+++ b/include/libaccess/avadb.h
@@ -0,0 +1,15 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _avadb_h_
+#define _avadb_h_
+
+#define USE_NSAPI
+
+USE_NSAPI int AddEntry (char *key, char *value);
+USE_NSAPI int DeleteEntry (char *key);
+USE_NSAPI char *GetValue (char *key);
+
+#endif /*_avadb_h_*/
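Review bot: `GetValue` returns a `char *` with no statement of whether the caller owns it or what comes back for a missing key, and all three functions take writable `char *` arguments that they presumably only read. I would add a comment such as `/* missing key returns: <confirm>; returned string is owned by: <confirm> */` and declare the inputs `const char *`. `AddEntry`, `DeleteEntry` and `GetValue` are also unprefixed, generic names for externally visible symbols, which invites link-time collisions. The implementation is not part of this hunk.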
diff --git a/include/libaccess/avapfile.h b/include/libaccess/avapfile.h
new file mode 100644
index 00000000..4b60117c
--- /dev/null
+++ b/include/libaccess/avapfile.h
@@ -0,0 +1,59 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _avaparsedfiles_h_
+#define _avaparsedfiles_h_
+
+#include "libaccess/ava.h"
+#include "frame/req.h"
+#include "base/session.h"
+
+#define AUTH_DB_FILE "AvaCertmap"
+#define AVADB_TAG "avadb"
+#define AVA_DB_SEL "ava_db_sel" /*Variable name used in
+ *outputAVAdbs
+ */
+
+
+extern void outputAVAdbs (char *chosen); /*Outputs the selector of auth databases
+ *and makes it so that the form submits
+ *when onChange event occurs.
+ */
+
+
+/*For the following 3 functions, enter the full path of
+ *ava database file includint tag and filename
+ */
+/*Before calling _getTable, initializa yy_sn and yy_rq. Set to NULL if no
+ *Session* or Request* variables exist and an error will be reported with
+ *function report_error(libamin.h). Otherwise error will be logged into
+ *the server's error log
+ */
+extern AVATable *_getTable (char *avadbfile);
+extern AVATable *_wasParsed (char *avadbfile);/*Assumes a call to yyparse was just
+ *completed
+ */
+extern int _hasBeenParsed (char *avadbfile);/*Check if _getTable returns NULL or not*/
+
+extern AVAEntry* _getAVAEntry (char *groupid, AVATable *table);
+extern AVAEntry* _deleteAVAEntry (char *groupid, AVATable *table);
+extern void _addAVAtoTable (AVAEntry *entry, AVATable *table);
+extern void AVAEntry_Free (AVAEntry *entry);
+
+/*Functions for writing out files*/
+extern void PrintHeader (FILE *outfile);
+extern void writeOutFile (char *avadbfilename, AVATable *table);
+
+
+extern int yyparse();
+extern FILE *yyin;
+
+extern char *currFile;
+
+extern Session *yy_sn;
+extern Request *yy_rq;
+
+
+#endif /*_avaparsedfiles_h_*/
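Review bot: `_getTable` is documented as reading the globals `yy_sn` and `yy_rq` that the caller sets beforehand, and `yyin` and `currFile` are exported alongside them, so two overlapping parses would overwrite each other's state. If this can be reached from more than one thread (not visible here), the header should say so: `/* Not reentrant: yyin, currFile, yy_sn and yy_rq are process-wide; callers must serialize _getTable(). */`. The header also uses `FILE` without including `<stdio.h>` itself, relying on one of the three project includes to provide it.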
diff --git a/include/libaccess/dbtlibaccess.h b/include/libaccess/dbtlibaccess.h
new file mode 100644
index 00000000..f1eb420f
--- /dev/null
+++ b/include/libaccess/dbtlibaccess.h
@@ -0,0 +1,161 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#define LIBRARY_NAME "libaccess"
+
+static char dbtlibaccessid[] = "$DBT: libaccess referenced v1 $";
+
+#include "i18n.h"
+
+BEGIN_STR(libaccess)
+ ResDef( DBT_LibraryID_, -1, dbtlibaccessid )/* extracted from dbtlibaccess.h*/
+ ResDef( DBT_basicNcsa_, 1, "basic-ncsa" )/*extracted from userauth.cpp*/
+ ResDef( DBT_cannotOpenDatabaseS_, 2, "cannot open database %s" )/*extracted from userauth.cpp*/
+ ResDef( DBT_basicNcsa_1, 3, "basic-ncsa" )/*extracted from userauth.cpp*/
+ ResDef( DBT_userSPasswordDidNotMatchDatabase_, 4, "user %s password did not match database %s" )/*extracted from userauth.cpp*/
+ ResDef( DBT_basicNcsa_2, 5, "basic-ncsa" )/*extracted from userauth.cpp*/
+ ResDef( DBT_cannotOpenConnectionToLdapServer_, 6, "cannot open connection to LDAP server on %s:%d" )/*NOT USED - extracted from userauth.cpp*/
+ ResDef( DBT_basicNcsa_3, 7, "basic-ncsa" )/*extracted from userauth.cpp*/
+ ResDef( DBT_userSPasswordDidNotMatchLdapOnSD_, 8, "user %s password did not match LDAP on %s:%d" )/*NOT USED - extracted from userauth.cpp*/
+ ResDef( DBT_aclState_, 9, "acl-state" )/*extracted from userauth.cpp*/
+ ResDef( DBT_missingRealm_, 10, "missing realm" )/*extracted from userauth.cpp*/
+ ResDef( DBT_unableToAllocateAclListHashN_, 11, "Unable to allocate ACL List Hash\n" )/*extracted from cache.cpp*/
+ ResDef( DBT_aclevalbuildcontextUnableToPermM_, 12, "ACLEvalBuildContext unable to PERM_MALLOC cache structure\n" )/*extracted from eval.cpp*/
+ ResDef( DBT_aclevalbuildcontextUnableToCreat_, 13, "ACLEvalBuildContext unable to create hash table\n" )/*extracted from eval.cpp*/
+ ResDef( DBT_aclevalbuildcontextUnableToAlloc_, 14, "ACLEvalBuildContext unable to allocate ACE Entry\n" )/*extracted from eval.cpp*/
+ ResDef( DBT_aclevalbuildcontextUnableToAlloc_1, 15, "ACLEvalBuildContext unable to allocate ACE entry\n" )/*extracted from eval.cpp*/
+ ResDef( DBT_aclevalbuildcontextUnableToAlloc_2, 16, "ACLEvalBuildContext unable to allocate Boundary Entry\n" )/*extracted from eval.cpp*/
+ ResDef( DBT_aclevalbuildcontextFailedN_, 17, "ACLEvalBuildContext failed.\n" )/*extracted from eval.cpp*/
+ ResDef( DBT_aclEvaltestrightsAnInterimAbsolu_, 18, "ACL_EvalTestRights: an interim, absolute non-allow value was encountered. right=%s, value=%d\n" )/*NOT USED - extracted from eval.cpp*/
+ ResDef( DBT_lasdnsbuildUnableToAllocateHashT_, 19, "LASDnsBuild unable to allocate hash table header\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsbuildUnableToAddKeySN_, 20, "LASDnsBuild unable to add key %s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsbuildUnableToAddKeySN_1, 21, "LASDnsBuild unable to add key %s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsbuildUnableToAddKeySN_2, 22, "LASDnsBuild unable to add key %s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsbuildUnableToAddKeySN_3, 23, "LASDnsBuild unable to add key %s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsbuildUnableToAddKeySN_4, 24, "LASDnsBuild unable to add key %s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasDnsBuildReceivedRequestForAtt_, 25, "LAS DNS build received request for attribute %s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsevalIllegalComparatorDN_, 26, "LASDnsEval - illegal comparator %s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsevalUnableToAllocateContex_, 27, "LASDnsEval unable to allocate Context struct\n\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsevalUnableToGetSessionAddr_, 28, "LASDnsEval unable to get session address %d\n" )/*NOT USED - extracted from lasdns.cpp*/
+ ResDef( DBT_lasdnsevalUnableToGetDnsErrorDN_, 29, "LASDnsEval unable to get DNS - error=%s\n" )/*extracted from lasdns.cpp*/
+ ResDef( DBT_lasGroupEvalReceivedRequestForAt_, 30, "LAS Group Eval received request for attribute %s\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasgroupevalIllegalComparatorDN_, 31, "LASGroupEval - illegal comparator %s\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasgroupevalRanOutOfMemoryN_, 32, "LASGroupEval - ran out of memory\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasgroupevalUnableToGetSessionAd_, 33, "LASGroupEval unable to get session address %d\n" )/*NOT USED - extracted from lasgroup.cpp*/
+ ResDef( DBT_lasgroupevalUnableToGetSessionAd_1, 34, "LASGroupEval unable to get session address %d\n" )/*NOT USED - extracted from lasgroup.cpp*/
+ ResDef( DBT_lasgroupevalCouldnTLocateGetterF_, 35, "LASGroupEval - couldn't locate getter for auth-user\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasgroupevalAttributeGetterForAu_, 36, "LASGroupEval - Attribute getter for auth-user failed\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasgroupevalAttributeGetterDidnT_, 37, "LASGroupEval - Attribute getter didn't set auth-user\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_checkGroupMembershipOfUserSForGr_, 38, "Check group membership of user \"%s\" for group \"%s\"\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_ldapuSuccessForGroupSN_, 39, "LDAPU_SUCCESS for group \"%s\"\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_ldapuFailedForGroupSN_, 40, "LDAPU_FAILED for group \"%s\"\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasEvalFalseN_, 41, "LAS_EVAL_FALSE\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasEvalTrueN_, 42, "LAS_EVAL_TRUE\n" )/*extracted from lasgroup.cpp*/
+ ResDef( DBT_lasiptreeallocNoMemoryN_, 43, "LASIpTreeAlloc - no memory\n" )/*extracted from lasip.cpp*/
+ ResDef( DBT_ipLasUnableToAllocateTreeNodeN_, 44, "IP LAS unable to allocate tree node\n" )/*extracted from lasip.cpp*/
+ ResDef( DBT_ipLasUnableToAllocateTreeNodeN_1, 45, "IP LAS unable to allocate tree node\n" )/*extracted from lasip.cpp*/
+ ResDef( DBT_lasIpBuildReceivedRequestForAttr_, 46, "LAS IP build received request for attribute %s\n" )/*extracted from lasip.cpp*/
+ ResDef( DBT_lasipevalIllegalComparatorDN_, 47, "LASIpEval - illegal comparator %s\n" )/*extracted from lasip.cpp*/
+ ResDef( DBT_lasipevalUnableToGetSessionAddre_, 48, "LASIpEval unable to get session address - error=%s\n" )/*extracted from lasip.cpp*/
+ ResDef( DBT_lasipevalUnableToAllocateContext_, 49, "LASIpEval unable to allocate Context struct\n\n" )/*extracted from lasip.cpp*/
+ ResDef( DBT_lasipevalReach32BitsWithoutConcl_, 50, "LASIpEval - reach 32 bits without conclusion value=%s" )/*extracted from lasip.cpp*/
+ ResDef( DBT_lasProgramEvalReceivedRequestFor_, 51, "LAS Program Eval received request for attribute %s\n" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasprogramevalIllegalComparatorD_, 52, "LASProgramEval - illegal comparator %s\n" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasprogramUnableToGetSessionAddr_, 53, "LASProgram unable to get session address %d\n" )/*NOT USED - extracted from lasprogram.cpp*/
+ ResDef( DBT_bin_, 54, "bin" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasprogramevalRequestNotOfTypeAd_, 55, "LASProgramEval: request not of type admin or bin, passing.\n" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasprogramevalCheckIfProgramSMat_, 56, "LASProgramEval: check if program %s matches pattern %s.\n" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasprogramevalInvalidWildcardExp_, 57, "LASProgramEval: Invalid wildcard expression %s.\n" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasEvalFalseN_1, 58, "LAS_EVAL_FALSE\n" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasEvalTrueN_1, 59, "LAS_EVAL_TRUE\n" )/*extracted from lasprogram.cpp*/
+ ResDef( DBT_unexpectedAttributeInDayofweekSN_, 60, "Unexpected attribute in dayOfWeek - %s\n" )/*extracted from lastod.cpp*/
+ ResDef( DBT_illegalComparatorForDayofweekDN_, 61, "Illegal comparator for dayOfWeek - %s\n" )/*extracted from lastod.cpp*/
+ ResDef( DBT_unexpectedAttributeInTimeofdaySN_, 62, "Unexpected attribute in timeOfDay - %s\n" )/*extracted from lastod.cpp*/
+ ResDef( DBT_lasUserEvalReceivedRequestForAtt_, 63, "LAS User Eval received request for attribute %s\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_lasuserevalIllegalComparatorDN_, 64, "LASUserEval - illegal comparator %s\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_lasuserevalRanOutOfMemoryN_, 65, "LASUserEval - ran out of memory\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_lasuserevalUnableToGetSessionAdd_, 66, "LASUserEval unable to get session address %d\n" )/*NOT USED - extracted from lasuser.cpp*/
+ ResDef( DBT_lasuserevalUnableToGetSessionAdd_1, 67, "LASUserEval unable to get session address %d\n" )/*NOT USED - extracted from lasuser.cpp*/
+ ResDef( DBT_lasgroupevalCouldnTLocateGetterF_1, 68, "LASGroupEval - couldn't locate getter for auth-user\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_lasgroupevalAttributeGetterForAu_1, 69, "LASGroupEval - Attribute getter for auth-user failed\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_lasgroupevalAttributeGetterDidnT_1, 70, "LASGroupEval - Attribute getter didn't set auth-user\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_checkIfUidUserIECheckSSN_, 71, "Check if uid == user (i.e. check \"%s\" == \"%s)\"\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_successForUserSN_, 72, "SUCCESS for user \"%s\"\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_failedForUserSN_, 73, "FAILED for user \"%s\"\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_lasEvalFalseN_2, 74, "LAS_EVAL_FALSE\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_lasEvalTrueN_2, 75, "LAS_EVAL_TRUE\n" )/*extracted from lasuser.cpp*/
+ ResDef( DBT_Unused76, 76, "")
+ ResDef( DBT_lasProgramUnableToGetRequest_, 77, "LASProgram unable to get request address - error=%s" ) /*extracted from lasprogram.cpp*/
+ ResDef( DBT_lasProgramRejectingRequestForProgram_, 78, "LASProgram rejecting request for program %s from pattern %s" ) /*extracted from lasprogram.cpp*/
+ ResDef( DBT_aclcacheflushCannotParseFile, 79, "ACL_CacheFlush: unable to parse file \"%s\"\n" )
+ ResDef( DBT_aclcacheflushCannotConcatList, 80, "ACL_CacheFlush: unable to concatenate ACL list \"%s\"\n" )
+ ResDef( DBT_aclcacheflushCannotOpenMagnus, 81, "ACL_CacheFlush: unable to open and process the magnus file \"%s\"\n" )
+ ResDef( DBT_illegalComparatorForTimeOfDayDN_, 82, "Illegal comparator for timeOfDay - %s\n" )/*extracted from lastod.cpp*/
+ ResDef( DBT_EvalBuildContextUnableToCreateHash, 83, "ACL_EvalBuildContext unable to create hash table\n")
+ ResDef( DBT_EvalBuildContextUnableToAllocCache, 84, "ACL_EvalBuildContext unable to PERM_CALLOC cache structure\n")
+ ResDef( DBT_EvalBuildContextUnableToAllocAceEntry, 85, "ACL_EvalBuildContext unable to allocate ACE entry\n")
+ ResDef( DBT_EvalBuildContextUnableToAllocAuthPointerArray, 86, "ACL_EvalBuildContext unable to allocate auth pointer array\n")
+ ResDef( DBT_EvalBuildContextUnableToAllocAuthPlist, 87, "ACL_EvalBuildContext unable to allocate auth plist\n")
+ ResDef( DBT_EvalTestRightsInterimAbsoluteNonAllowValue, 88, "ACL_EvalTestRights: an interim, absolute non-allow value was encountered. right=%s, value=%s\n")
+ ResDef( DBT_EvalTestRightsEvalBuildContextFailed, 89, "ACL_INTEvalTestRights: call to ACL_EvalBuildContext returned failure status\n")
+ ResDef( DBT_ModuleRegisterModuleNameMissing, 90, "ACL_ModuleRegister: module name is missing\n")
+ ResDef( DBT_ModuleRegisterFailed, 91, "ACL_ModuleRegister: call to module init function returned a failed status\n")
+ ResDef( DBT_GetAttributeCouldntDetermineMethod, 92, "ACL_GetAttribute: couldn't determine method for %s\n")
+ ResDef( DBT_GetAttributeCouldntLocateGetter, 93, "ACL_GetAttribute: couldn't locate getter for %s")
+ ResDef( DBT_GetAttributeDidntGetAttr, 94, "ACL_GetAttribute: attr getter failed to get %s")
+ ResDef( DBT_GetAttributeDidntSetAttr, 95, "ACL_GetAttribute: attr getter failed to get %s")
+ ResDef( DBT_GetAttributeAllGettersDeclined, 96, "ACL_GetAttribute: All attribute getters declined for attr %s")
+ ResDef( DBT_DbtypeNoteDefinedYet, 97, "ACL_DatabaseRegister: dbtype for database \"%s\" is not defined yet!")
+ ResDef( DBT_DatabaseRegisterDatabaseNameMissing, 98, "ACL_DatabaseRegister: database name is missing")
+ ResDef( DBT_ReadDbMapFileErrorReadingFile, 99, "Error reading the DB Map File: %s. Reason: %s")
+ ResDef( DBT_ReadDbMapFileMissingUrl, 100, "URL is missing for database %s")
+ ResDef( DBT_ReadDbMapFileInvalidPropertyPair, 101, "Invalid property value pair for database %s")
+ ResDef( DBT_ReadDbMapFileDefaultDatabaseNotLdap, 102, "\"default\" database must be an LDAP database")
+ ResDef( DBT_ReadDbMapFileMultipleDefaultDatabases, 103, "Multiple \"default\" databases are being registered")
+ ResDef( DBT_ReadDbMapFileMissingDefaultDatabase, 104, "\"default\" LDAP database must be registered")
+ ResDef( DBT_lasGroupEvalUnableToGetDatabaseName, 105, "LASGroupEval unable to get database name - error= %s")
+ ResDef( DBT_lasProgramReceivedInvalidProgramExpression, 106, "received invalid program expression %s")
+ ResDef( DBT_ldapaclDatabaseUrlIsMissing, 107, "parse_ldap_url: database url is missing")
+ ResDef( DBT_ldapaclDatabaseNameIsMissing, 108, "parse_ldap_url: database name is missing")
+ ResDef( DBT_ldapaclErrorParsingLdapUrl, 109, "parse_ldap_url: error in parsing ldap url. Reason: %s")
+ ResDef( DBT_ldapaclUnableToGetDatabaseName, 110, "ldap password check: unable to get database name - error=%s")
+ ResDef( DBT_ldapaclUnableToGetParsedDatabaseName, 111, "ldap password check: unable to get parsed database %s")
+ ResDef( DBT_ldapaclCoudlntInitializeConnectionToLdap, 112, "ldap password check: couldn't initialize connection to LDAP. Reason: %s")
+ ResDef( DBT_ldapaclPassworkCheckLdapError, 113, "ldap password check: LDAP error: \"%s\"")
+ ResDef( DBT_GetUserIsMemberLdapUnabelToGetDatabaseName, 114, "get_user_ismember_ldap unable to get database name - error=%s")
+ ResDef( DBT_GetUserIsMemberLdapUnableToGetParsedDatabaseName, 115, "get_user_ismember_ldap unable to get parsed database %s")
+ ResDef( DBT_GetUserIsMemberLdapCouldntInitializeConnectionToLdap, 116, "ldap password check: couldn't initialize connection to LDAP. Reason: %s")
+ ResDef( DBT_GetUserIsMemberLdapGroupDoesntExist, 117, "get_user_ismember_ldap: group %s does not exist")
+ ResDef( DBT_GetUserIsMemberLdapError, 118, "get_user_ismember_ldap: LDAP error: \"%s\"")
+ ResDef( DBT_LdapDatabaseHandleNotARegisteredDatabase, 119, "ACL_LDAPDatabaseHandle: %s is not a registered database")
+ ResDef( DBT_LdapDatabaseHandleNotAnLdapDatabase, 120, "ACL_LDAPDatabaseHandle: %s is not an LDAP database")
+ ResDef( DBT_LdapDatabaseHandleOutOfMemory, 121, "ACL_LDAPDatabaseHandle: out of memory")
+ ResDef( DBT_LdapDatabaseHandleCouldntInitializeConnectionToLdap, 122, "ACL_LDAPDatabaseHandle: couldn't initialize connection to LDAP. Reason: %s")
+ ResDef( DBT_LdapDatabaseHandleCouldntBindToLdapServer, 123, "ACL_LDAPDatabaseHandle: couldn't bind to LDAP server. Reason: %s")
+ ResDef( DBT_AclerrfmtAclerrnomem, 124, "insufficient dynamic memory")
+ ResDef( DBT_AclerrfmtAclerropen, 125, "error opening file, %s: %s")
+ ResDef( DBT_AclerrfmtAclerrdupsym1, 126, "duplicate definition of %s")
+ ResDef( DBT_AclerrfmtAclerrdupsym3, 127, "file %s, line %s: duplicate definition of %s")
+ ResDef( DBT_AclerrfmtAclerrsyntax, 128, "file %s, line %s: syntax error")
+ ResDef( DBT_AclerrfmtAclerrundef, 129, "file %s, line %s: %s is undefined")
+ ResDef( DBT_AclerrfmtAclaclundef, 130, "in acl %s, %s %s is undefined")
+ ResDef( DBT_AclerrfmtAclerradb, 131, "database %s: error accessing %s")
+ ResDef( DBT_AclerrfmtAclerrparse1, 132, "%s")
+ ResDef( DBT_AclerrfmtAclerrparse2, 133, "file %s, line %s: invalid syntax")
+ ResDef( DBT_AclerrfmtAclerrparse3, 134, "file %s, line %s: syntax error at \"%s\"")
+ ResDef( DBT_AclerrfmtAclerrnorlm, 135, "realm %s is not defined")
+ ResDef( DBT_AclerrfmtUnknownerr, 136, "error code = %d")
+ ResDef( DBT_AclerrfmtAclerrinternal, 137, "internal ACL error")
+ ResDef( DBT_AclerrfmtAclerrinval, 138, "invalid argument")
+ ResDef( DBT_DbtypeNotDefinedYet, 139, "ACL_DatabaseRegister: dbtype for database \"%s\" is not defined yet!")
+ ResDef( DBT_ReadDbMapFileCouldntDetermineDbtype, 140, "couldn't determine dbtype from: %s")
+ ResDef( DBT_ReadDbMapFileRegisterDatabaseFailed, 141, "Failed to register database %s")
+ ResDef( DBT_AclerrfmtAclerrfail, 142, "ACL call returned failed status")
+ ResDef( DBT_AclerrfmtAclerrio, 143, "file %s: ACL IO error - %s")
+ ResDef( DBT_AclUserExistsOutOfMemory, 144, "acl_user_exists: out of memory")
+ ResDef( DBT_AclUserExistsNot, 145, "acl_user_exists: user doesn't exist anymore")
+ ResDef( DBT_AclUserPlistError, 146, "acl_user_exists: plist error")
+END_STR(libaccess)
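Review bot: Entries 94 and 95 carry the same text, `"ACL_GetAttribute: attr getter failed to get %s"`, so a log line cannot tell a getter that returned failure from one that returned without setting the attribute, which are two different faults when diagnosing an access denial. Going by its identifier, 95 should read something like `ResDef( DBT_GetAttributeDidntSetAttr, 95, "ACL_GetAttribute: attr getter didn't set %s")`. The same copy-and-paste shows in 116, a `get_user_ismember_ldap` entry whose text starts with `ldap password check:`. These strings look like printf-style templates (inferred from the `%s`/`%d` conversions), and 18 uses `value=%d` where the near-identical 88 uses `value=%s`. A caller that switches ID without switching the argument type would hit undefined behaviour, so the expected argument types deserve a comment per entry.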
diff --git a/include/libaccess/dnfstruct.h b/include/libaccess/dnfstruct.h
new file mode 100644
index 00000000..d1ab28a3
--- /dev/null
+++ b/include/libaccess/dnfstruct.h
@@ -0,0 +1,51 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __dnfstruct_h
+#define __dnfstruct_h
+
+/*
+ * Description (dnfstruct_h)
+ *
+ * This file defines types and structures used to represent a DNS
+ * name filter in memory. A DNS name filter contains specifications
+ * of fully or partially qualified DNS names. Each of these
+ * specifications can be associated with whatever information is
+ * appropriate for a particular use of a DNS name filter.
+ */
+
+#include "nspr.h"
+#include "plhash.h"
+
+NSPR_BEGIN_EXTERN_C
+
+/*
+ * Description (DNSLeaf_t)
+ *
+ * This type describes the structure of information associated with
+ * an entry in a DNS filter. The filter itself is implemented as a
+ * hash table, keyed by the DNS name specification string. The
+ * value associated with a key is a pointer to a DNSLeaf_t structure.
+ */
+
+typedef struct DNSLeaf_s DNSLeaf_t;
+struct DNSLeaf_s {
+ PLHashEntry dnl_he; /* NSPR hash table entry */
+};
+
+#define dnl_next dnl_he.next /* hash table collision link */
+#define dnl_keyhash dnl_he.keyHash /* symbol hash value */
+#define dnl_key dnl_he.key /* pointer to Symbol_t structure */
+#define dnl_ref dnl_he.value /* pointer to named structure */
+
+typedef struct DNSFilter_s DNSFilter_t;
+struct DNSFilter_s {
+ DNSFilter_t * dnf_next; /* link to next filter */
+ void * dnf_hash; /* pointer to constructed hash table */
+};
+
+NSPR_END_EXTERN_C
+
+#endif /* __dnfstruct_h */
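Review bot: The comments on the `dnl_*` accessor macros contradict the DNSLeaf_t description above them: the description says the table is keyed by the DNS name specification string, while `dnl_keyhash` and `dnl_key` are commented as `symbol hash value` and `pointer to Symbol_t structure`. These look carried over from a symbol-table header. If the description is the accurate one, the comments should be `/* hash of the DNS name specification */` and `/* DNS name specification string */`. `dnl_ref` (`pointer to named structure`) and `void * dnf_hash` would likewise benefit from naming the type actually stored, since every caller has to cast.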
diff --git a/include/libaccess/ipfstruct.h b/include/libaccess/ipfstruct.h
new file mode 100644
index 00000000..acb0349e
--- /dev/null
+++ b/include/libaccess/ipfstruct.h
@@ -0,0 +1,81 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __ipfstruct_h
+#define __ipfstruct_h
+
+/*
+ * Description (ipfstruct.h)
+ *
+ * This file defines types and structures used to represent an
+ * IP address filter in memory. An IP address filter contains
+ * specifications of IP host and network addresses. Each of
+ * these specifications can be associated with whatever information
+ * is appropriate for a particular use of an IP address filter.
+ */
+
+/* Define a scalar IP address value */
+#ifndef __IPADDR_T_
+#define __IPADDR_T_
+typedef unsigned long IPAddr_t;
+#endif /* __IPADDR_T_ */
+
+/*
+ * Description (IPNode_t)
+ *
+ * This type describes an internal node in the radix tree. An internal
+ * node has a link up the tree to its parent, and up to three links
+ * down the tree to its descendants. Each internal node is used to
+ * test a particular bit in a given IP address, and traverse down the
+ * tree in a direction which depends on whether the bit is set, clear,
+ * or masked out. The descendants of an internal node may be internal
+ * nodes or leaf nodes (IPLeaf_t).
+ */
+
+/* Define indices of links in an IPNode_t */
+#define IPN_CLEAR 0 /* link to node with ipn_bit clear */
+#define IPN_SET 1 /* link to node with ipn_bit set */
+#define IPN_MASKED 2 /* link to node with ipn_bit masked out */
+#define IPN_NLINKS 3 /* number of links */
+
+typedef struct IPNode_s IPNode_t;
+struct IPNode_s {
+ char ipn_type; /* node type */
+#define IPN_LEAF 0 /* leaf node */
+#define IPN_NODE 1 /* internal node */
+
+ char ipn_bit; /* bit number (31-0) to test */
+ IPNode_t * ipn_parent; /* link to parent node */
+ IPNode_t * ipn_links[IPN_NLINKS];
+};
+
+/* Helper definitions */
+#define ipn_clear ipn_links[IPN_CLEAR]
+#define ipn_set ipn_links[IPN_SET]
+#define ipn_masked ipn_links[IPN_MASKED]
+
+/*
+ * Description (IPLeaf_t)
+ *
+ * This type describes a leaf node in the radix tree. A leaf node
+ * contains an IP host or network address, and a network mask. A
+ * given IP address matches a leaf node if the IP address, when masked
+ * by ipl_netmask, equals ipl_ipaddr.
+ */
+
+typedef struct IPLeaf_s IPLeaf_t;
+struct IPLeaf_s {
+ char ipl_type; /* see ipn_type in IPNode_t */
+ IPAddr_t ipl_netmask; /* IP network mask */
+ IPAddr_t ipl_ipaddr; /* IP address of host or network */
+};
+
+typedef struct IPFilter_s IPFilter_t;
+struct IPFilter_s {
+ IPFilter_t * ipf_next; /* link to next filter */
+ IPNode_t * ipf_tree; /* pointer to radix tree structure */
+};
+
+#endif /* __ipfstruct_h */
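Review bot: `typedef unsigned long IPAddr_t;` is 64 bits wide on LP64 platforms, while the rest of the header assumes a 32-bit address: `ipn_bit` is documented as bit 31-0, and a leaf matches when the address masked by `ipl_netmask` equals `ipl_ipaddr`. Stray high bits from a conversion would make that comparison give the wrong answer, and the result presumably feeds allow/deny decisions, so I would use a fixed-width type such as NSPR's `PRUint32` (or `uint32_t`). The `__IPADDR_T_` guard suggests the typedef is repeated in other headers, which would need the same change. `char ipn_bit` should also become `unsigned char` or `int`, because plain `char` has implementation-defined signedness.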
diff --git a/include/libaccess/las.h b/include/libaccess/las.h
new file mode 100644
index 00000000..252e3619
--- /dev/null
+++ b/include/libaccess/las.h
@@ -0,0 +1,184 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#ifndef ACL_LAS_HEADER
+#define ACL_LAS_HEADER
+
+#ifndef NOINTNSACL
+#define INTNSACL
+#endif /* !NOINTNSACL */
+
+/* #include <prhash.h> */
+#include <plhash.h>
+#include <prclist.h>
+
+#include <base/pblock.h>
+#include <base/plist.h>
+#include <libaccess/nserror.h>
+#include <libaccess/acl.h>
+
+#ifndef PUBLIC_NSACL_ACLDEF_H
+#include "public/nsacl/acldef.h"
+#endif /* !PUBLIC_NSACL_ACLDEF_H */
+
+#define ACL_MAX_METHOD 32
+#define ACL_MAX_DBTYPE 32
+
+struct ACLAttrGetter {
+ PRCList list; /* must be first */
+ ACLMethod_t method;
+ ACLDbType_t dbtype;
+ ACLAttrGetterFn_t fn;
+ void *arg;
+};
+
+NSPR_BEGIN_EXTERN_C
+
+NSAPI_PUBLIC extern int
+ ACL_LasRegister(NSErr_t *errp, char *attr_name, LASEvalFunc_t
+ eval_func, LASFlushFunc_t flush_func);
+NSAPI_PUBLIC extern int
+ ACL_LasFindEval(NSErr_t *errp, char *attr_name, LASEvalFunc_t
+ *eval_funcp);
+NSAPI_PUBLIC extern int
+ ACL_LasFindFlush(NSErr_t *errp, char *attr_name, LASFlushFunc_t
+ *flush_funcp);
+extern void
+ ACL_LasHashInit(void);
+extern void
+ ACL_LasHashDestroy(void);
+
+/*
+ * Revised, normalized method/dbtype registration routines
+ */
+NSAPI_PUBLIC extern int
+ ACL_MethodRegister(NSErr_t *errp, const char *name, ACLMethod_t *t);
+NSAPI_PUBLIC extern int
+ ACL_MethodIsEqual(NSErr_t *errp, const ACLMethod_t t1, const ACLMethod_t t2);
+NSAPI_PUBLIC extern int
+ ACL_MethodNameIsEqual(NSErr_t *errp, const ACLMethod_t t, const char *name);
+NSAPI_PUBLIC extern int
+ ACL_MethodFind(NSErr_t *errp, const char *name, ACLMethod_t *t);
+NSAPI_PUBLIC extern ACLMethod_t
+ ACL_MethodGetDefault(NSErr_t *errp);
+NSAPI_PUBLIC extern int
+ ACL_MethodSetDefault(NSErr_t *errp, const ACLMethod_t t);
+NSAPI_PUBLIC extern int
+ ACL_AuthInfoGetMethod(NSErr_t *errp, PList_t auth_info, ACLMethod_t *t);
+NSAPI_PUBLIC extern int
+ ACL_AuthInfoSetMethod(NSErr_t *errp, PList_t auth_info, ACLMethod_t t);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeRegister(NSErr_t *errp, const char *name, DbParseFn_t func, ACLDbType_t *t);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeIsEqual(NSErr_t *errp, const ACLDbType_t t1, const ACLDbType_t t2);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeNameIsEqual(NSErr_t *errp, const ACLDbType_t t, const char *name);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeFind(NSErr_t *errp, const char *name, ACLDbType_t *t);
+NSAPI_PUBLIC extern ACLDbType_t
+ ACL_DbTypeGetDefault(NSErr_t *errp);
+NSAPI_PUBLIC extern const char *
+ ACL_DatabaseGetDefault(NSErr_t *errp);
+NSAPI_PUBLIC extern int
+ ACL_DatabaseSetDefault(NSErr_t *errp, const char *dbname);
+NSAPI_PUBLIC extern int
+ ACL_AuthInfoGetDbType(NSErr_t *errp, PList_t auth_info, ACLDbType_t *t);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeIsRegistered(NSErr_t *errp, const ACLDbType_t dbtype);
+NSAPI_PUBLIC extern int
+ ACL_AttrGetterRegister(NSErr_t *errp, const char *attr,
+ ACLAttrGetterFn_t fn, ACLMethod_t m,
+ ACLDbType_t d, int position, void *arg);
+
+extern ACLDbType_t ACL_DbTypeLdap;
+
+NSAPI_PUBLIC extern int
+ ACL_DbTypeSetDefault(NSErr_t *errp, ACLDbType_t t);
+NSAPI_PUBLIC extern DbParseFn_t
+ ACL_DbTypeParseFn(NSErr_t *errp, const ACLDbType_t dbtype);
+NSAPI_PUBLIC extern int
+ ACL_AttrGetterFind(NSErr_t *errp, const char *attr,
+ ACLAttrGetterList_t *getters);
+NSAPI_PUBLIC extern ACLAttrGetter_t *
+ ACL_AttrGetterFirst(ACLAttrGetterList_t *getters);
+NSAPI_PUBLIC extern ACLAttrGetter_t *
+ ACL_AttrGetterNext(ACLAttrGetterList_t *getters,
+ ACLAttrGetter_t *last);
+
+/* typedef PRHashTable AttrGetterTable_t; */
+typedef PLHashTable AttrGetterTable_t;
+
+typedef struct {
+ char *method;
+ char *authtype;
+ char *dbtype;
+ AttrGetterTable_t *attrGetters;
+} MethodInfo_t;
+
+NSAPI_PUBLIC int ACL_ModuleRegister (NSErr_t *errp, const char *moduleName, AclModuleInitFunc func);
+
+NSAPI_PUBLIC int ACL_GetAttribute(NSErr_t *errp, const char *attr, void **val, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
+
+NSAPI_PUBLIC int ACL_DatabaseRegister(NSErr_t *errp, ACLDbType_t dbtype, const char *dbname, const char *url, PList_t plist);
+
+NSAPI_PUBLIC int ACL_RegisterDbFromACL(NSErr_t *errp, const char *url, ACLDbType_t *dbtype);
+NSAPI_PUBLIC int ACL_DatabaseFind(NSErr_t *errp, const char *dbname,
+ ACLDbType_t *dbtype, void **db);
+NSAPI_PUBLIC int ACL_LDAPDatabaseHandle (NSErr_t *errp,
+ const char *dbname, LDAP **ld,
+ char **basedn);
+NSAPI_PUBLIC int ACL_AuthInfoGetDbname (PList_t auth_info, char **dbname);
+NSAPI_PUBLIC int ACL_AuthInfoSetDbname (NSErr_t *errp, PList_t auth_info,
+ const char *dbname);
+NSAPI_PUBLIC int ACL_CacheFlushRegister(AclCacheFlushFunc_t func);
+NSAPI_PUBLIC int ACL_SetDefaultResult (NSErr_t *errp,
+ ACLEvalHandle_t *acleval,
+ int result);
+NSAPI_PUBLIC int ACL_GetDefaultResult (ACLEvalHandle_t *acleval);
+
+struct program_groups {
+ char *type;
+ char **groups;
+ char **programs;
+};
+
+extern int LASTimeOfDayEval(NSErr_t *errp, char *attribute, CmpOp_t comparator,
+ char *pattern, ACLCachable_t *cachable, void **las_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth);
+extern int LASDayOfWeekEval(NSErr_t *errp, char *attribute, CmpOp_t comparator,
+ char *pattern, ACLCachable_t *cachable, void **las_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth);
+extern int LASIpEval(NSErr_t *errp, char *attribute, CmpOp_t comparator,
+ char *pattern, ACLCachable_t *cachable, void **las_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth);
+extern int LASDnsEval(NSErr_t *errp, char *attribute, CmpOp_t comparator,
+ char *pattern, ACLCachable_t *cachable, void **las_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth);
+extern int LASGroupEval(NSErr_t *errp, char *attribute, CmpOp_t comparator,
+ char *pattern, ACLCachable_t *cachable, void **las_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth);
+extern int LASUserEval(NSErr_t *errp, char *attribute, CmpOp_t comparator,
+ char *pattern, ACLCachable_t *cachable, void **las_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth);
+extern int LASProgramEval(NSErr_t *errp, char *attribute, CmpOp_t comparator,
+ char *pattern, ACLCachable_t *cachable, void **las_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth);
+
+extern void LASTimeOfDayFlush(void **cookie);
+extern void LASDayOfWeekFlush(void **cookie);
+extern void LASIpFlush(void **cookie);
+extern void LASDnsFlush(void **cookie);
+
+NSPR_END_EXTERN_C
+
+#endif /* ACL_LAS_HEADER */
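Review bot: `ACL_SetDefaultResult` and `ACL_GetDefaultResult` are declared with a bare `int result` and no comment, so the header does not say which values are accepted or what an evaluation falls back to when the setter was never called. Judging by the name, this decides the outcome when no ACL entry settles a request, which is the fail-open versus fail-closed choice of the access-control layer. I would document at the declaration the accepted constants, the initial default, and the return value for an invalid argument. Separately, `LDAP **ld` in `ACL_LDAPDatabaseHandle` relies on one of the included headers pulling in `<ldap.h>`; if none does, include it here as ldapacl.h does.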
diff --git a/include/libaccess/ldapacl.h b/include/libaccess/ldapacl.h
new file mode 100644
index 00000000..94a00333
--- /dev/null
+++ b/include/libaccess/ldapacl.h
@@ -0,0 +1,62 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#ifndef ACL_AUTH_H
+#define ACL_AUTH_H
+
+#include <ldap.h>
+#include <base/plist.h>
+#include <ldaputil/ldapdb.h>
+#include <libaccess/nserror.h>
+
+NSPR_BEGIN_EXTERN_C
+
+extern void init_ldb_rwlock ();
+
+NSAPI_PUBLIC extern int parse_ldap_url (NSErr_t *errp, ACLDbType_t dbtype,
+ const char *name, const char *url,
+ PList_t plist, void **db);
+
+extern int get_is_valid_password_basic_ldap (NSErr_t *errp,
+ PList_t subject,
+ PList_t resource,
+ PList_t auth_info,
+ PList_t global_auth,
+ void *arg);
+
+extern int get_user_ismember_ldap (NSErr_t *errp,
+ PList_t subject,
+ PList_t resource,
+ PList_t auth_info,
+ PList_t global_auth,
+ void *arg);
+
+extern int get_userdn_ldap (NSErr_t *errp,
+ PList_t subject,
+ PList_t resource,
+ PList_t auth_info,
+ PList_t global_auth,
+ void *arg);
+
+extern int ACL_NeedLDAPOverSSL();
+
+extern int acl_map_cert_to_user (NSErr_t *errp, const char *dbname,
+ LDAPDatabase_t *ldb, void *cert,
+ PList_t resource, pool_handle_t *pool,
+ char **user, char **userdn);
+
+extern int get_user_exists_ldap (NSErr_t *errp, PList_t subject,
+ PList_t resource, PList_t auth_info,
+ PList_t global_auth, void *unused);
+
+NSAPI_PUBLIC extern int acl_user_exists (const char *user,
+ const char *userdn,
+ const char *dbname,
+ const int logerr);
+
+NSPR_END_EXTERN_C
+
+#endif /* ACL_AUTH_H */
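Review bot: `acl_map_cert_to_user` takes the certificate as `void *cert`, so the compiler cannot check that callers pass a certificate object to the function that maps a client certificate to a user name and DN. The declaration should at least carry a comment naming the expected certificate type and saying whether `*user` and `*userdn` are allocated from `pool` or must be freed by the caller. `extern void init_ldb_rwlock ();` and `extern int ACL_NeedLDAPOverSSL();` are unprototyped in C and accept any arguments; write `extern void init_ldb_rwlock(void);` and `extern int ACL_NeedLDAPOverSSL(void);`. The guard `ACL_AUTH_H` does not match the file name, so if another header uses the same macro these declarations are silently skipped; a name such as `LIBACCESS_LDAPACL_H` would avoid that.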
diff --git a/include/libaccess/nsadb.h b/include/libaccess/nsadb.h
new file mode 100644
index 00000000..07fb2ca2
--- /dev/null
+++ b/include/libaccess/nsadb.h
@@ -0,0 +1,87 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsadb_h
+#define __nsadb_h
+
+/*
+ * Description (nsadb.h)
+ *
+ * This file describes the interface for retrieving information
+ * from a Netscape authentication database. This facility is
+ * built on top of the Netscape (server) database interface as
+ * defined in nsdb.h. It represents a subclass of a more general
+ * authentication database interface defined in nsauth.h.
+ */
+
+#include "nserror.h" /* error frame list support */
+#include "nsautherr.h" /* authentication error codes */
+#include "nsauth.h"
+
+/* Begin private definitions */
+#ifdef __PRIVATE_NSADB
+
+#include "nsdb.h"
+
+#if defined(CLIENT_AUTH)
+#define ADBDBNAMES 3 /* number of named files */
+#else
+#define ADBDBNAMES 2 /* number of named files */
+#endif
+#define ADBUSERDBNAME "Users" /* name of user database */
+#define ADBGROUPDBNAME "Groups" /* name of group database */
+#if defined(CLIENT_AUTH)
+#define ADBCERTDBNAME "Certs" /* name of certificate mapping DB */
+#define ADBUMAPDBNAME "Certs.nm" /* name of mapped user names DB */
+#endif
+
+typedef struct AuthDB_s AuthDB_t;
+struct AuthDB_s {
+ char * adb_dbname; /* database name */
+ void * adb_userdb; /* handle for user database */
+ void * adb_groupdb; /* handle for group database */
+#if defined(CLIENT_AUTH)
+ void * adb_certdb; /* handle for cert mapping database */
+ void * adb_certlock; /* lock for cert mapping database */
+ void * adb_certnm; /* handle for username-to-certid DB */
+#endif
+ int adb_flags; /* flags */
+};
+
+/* Definitions for adb_flags (also used on nsadbOpenXxxx() calls) */
+#define ADBF_NEW 0x1 /* newly created database */
+#define ADBF_UREAD 0x10 /* user database open for read */
+#define ADBF_UWRITE 0x20 /* user database open for write */
+#define ADBF_GREAD 0x100 /* group database open for read */
+#define ADBF_GWRITE 0x200 /* group database open for write */
+#define ADBF_CREAD 0x1000 /* cert database open for read */
+#define ADBF_CWRITE 0x2000 /* cert database open for write */
+#endif /* __PRIVATE_NSADB */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions in nsadb.c */
+extern NSAPI_PUBLIC int nsadbOpen(NSErr_t * errp,
+ char * adbname, int flags, void **rptr);
+extern NSAPI_PUBLIC void nsadbClose(void * authdb, int flags);
+extern NSAPI_PUBLIC int nsadbOpenUsers(NSErr_t * errp,
+ void * authdb, int flags);
+extern NSAPI_PUBLIC int nsadbOpenGroups(NSErr_t * errp,
+ void * authdb, int flags);
+extern NSAPI_PUBLIC int nsadbIdToName(NSErr_t * errp, void * authdb,
+ USI_t id, int flags, char **rptr);
+extern NSAPI_PUBLIC int nsadbFindByName(NSErr_t * errp, void * authdb,
+ char * name, int flags, void **rptr);
+
+#if defined(CLIENT_AUTH)
+#include "nscert.h"
+#endif
+
+/* Authentication database interface structure in nsadb.c */
+extern AuthIF_t NSADB_AuthIF;
+
+NSPR_END_EXTERN_C
+
+#endif /* __nsadb_h */
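Review bot: The `ADBF_*` flag values are commented as "also used on nsadbOpenXxxx() calls" but are defined inside `#ifdef __PRIVATE_NSADB`, so a public caller of `nsadbOpenUsers(errp, authdb, flags)` cannot name `ADBF_UREAD` or `ADBF_UWRITE`. Unless another header repeats them (not visible here), callers are left passing magic numbers for the read/write mode of the authentication database. Moving the flag defines below the `#endif /* __PRIVATE_NSADB */` would fix that while keeping `AuthDB_t` private. The handle is passed as `void * authdb` throughout; moving `typedef struct AuthDB_s AuthDB_t;` out of the private section and declaring the parameters as `AuthDB_t *` would keep the struct opaque and still let the compiler reject a wrong pointer, provided the signatures that `AuthIF_t` expects allow it.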
diff --git a/include/libaccess/nsamgmt.h b/include/libaccess/nsamgmt.h
new file mode 100644
index 00000000..c6b82ca4
--- /dev/null
+++ b/include/libaccess/nsamgmt.h
@@ -0,0 +1,122 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsamgmt_h
+#define __nsamgmt_h
+
+/*
+ * Description (nsamgmt.h)
+ *
+ * This file defines the interface for managing information in a
+ * Netscape authentication database. An authentication database
+ * consists of a user database and a group database. This
+ * implementation of an authentication database based on Netscape
+ * user and group databases defined in nsuser.h and nsgroup.h,
+ * which in turn are based on the Netscape (server) database
+ * implementation defined in nsdb.h. The interface for retrieving
+ * information from an authentication database is described
+ * separately in nsadb.h.
+ */
+
+#include "nsadb.h"
+
+/* Flags used in enumeration call-back function return value */
+#define ADBF_KEEPOBJ 0x1 /* do not free user or group object */
+#define ADBF_STOPENUM 0x2 /* stop the enumeration */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions in nsamgmt.c */
+NSAPI_PUBLIC extern int nsadbAddGroupToGroup(NSErr_t * errp, void * authdb,
+ GroupObj_t * pgoptr,
+ GroupObj_t * cgoptr);
+
+NSAPI_PUBLIC extern int nsadbAddUserToGroup(NSErr_t * errp, void * authdb,
+ GroupObj_t * goptr,
+ UserObj_t * uoptr);
+
+NSAPI_PUBLIC extern int nsadbCreateGroup(NSErr_t * errp,
+ void * authdb, GroupObj_t * goptr);
+
+NSAPI_PUBLIC extern int nsadbCreateUser(NSErr_t * errp,
+ void * authdb, UserObj_t * uoptr);
+
+/*
+for ANSI C++ standard on SCO UDK must typedef fn in arg list, otherwise fn
+name is managled
+*/
+
+#ifdef UnixWare
+typedef int(*ArgFn_EnumUsers)(NSErr_t * ferrp, void * authdb, void * parg,
+ UserObj_t * uoptr);
+
+NSAPI_PUBLIC extern int nsadbEnumerateUsers(NSErr_t * errp, void * authdb,
+ void * argp, ArgFn_EnumUsers);
+#else /* UnixWare */
+NSAPI_PUBLIC extern int nsadbEnumerateUsers(NSErr_t * errp, void * authdb,
+ void * argp,
+ int (*func)(NSErr_t * ferrp,
+ void * authdb,
+ void * parg,
+ UserObj_t * uoptr));
+#endif /* UnixWare */
+
+#ifdef UnixWare
+typedef int(*ArgFn_EnumGroups)(NSErr_t * ferrp, void * authdb, void * parg,
+ GroupObj_t * goptr);
+NSAPI_PUBLIC extern int nsadbEnumerateGroups(NSErr_t * errp,
+ void * authdb, void * argp,
+ ArgFn_EnumGroups);
+#else /* UnixWare */
+NSAPI_PUBLIC extern int nsadbEnumerateGroups(NSErr_t * errp,
+ void * authdb, void * argp,
+ int (*func)(NSErr_t * ferrp,
+ void * authdb,
+ void * parg,
+ GroupObj_t * goptr));
+#endif /* UnixWare */
+
+NSAPI_PUBLIC extern int nsadbIsUserInGroup(NSErr_t * errp, void * authdb,
+ USI_t uid, USI_t gid,
+ int ngroups, USI_t * grplist);
+
+NSAPI_PUBLIC extern int nsadbModifyGroup(NSErr_t * errp,
+ void * authdb, GroupObj_t * goptr);
+
+NSAPI_PUBLIC extern int nsadbModifyUser(NSErr_t * errp,
+ void * authdb, UserObj_t * uoptr);
+
+NSAPI_PUBLIC extern int nsadbRemoveGroup(NSErr_t * errp,
+ void * authdb, char * name);
+
+NSAPI_PUBLIC extern int nsadbRemoveUser(NSErr_t * errp,
+ void * authdb, char * name);
+
+NSAPI_PUBLIC extern int nsadbRemGroupFromGroup(NSErr_t * errp, void * authdb,
+ GroupObj_t * pgoptr,
+ GroupObj_t * cgoptr);
+
+NSAPI_PUBLIC extern int nsadbRemUserFromGroup(NSErr_t * errp, void * authdb,
+ GroupObj_t * goptr,
+ UserObj_t * uoptr);
+
+NSAPI_PUBLIC extern int nsadbSuperGroups(NSErr_t * errp, void * authdb,
+ GroupObj_t * goptr,
+ USIList_t * gsuper);
+
+
+NSPR_END_EXTERN_C
+
+#if defined(CLIENT_AUTH)
+
+/* Removed for new ns security integration
+#include <sec.h>
+*/
+#include <key.h>
+#include <cert.h>
+
+#endif /* defined(CLIENT_AUTH) */
+
+#endif /* __nsamgmt_h */
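Review bot: `ADBF_KEEPOBJ` (0x1) and `ADBF_STOPENUM` (0x2) reuse the `ADBF_` prefix that nsadb.h uses for `adb_flags` and the open calls, where `ADBF_NEW` is also 0x1, so a call-back return value and a database flag can be swapped without the compiler noticing. Since nsamgmt.h includes nsadb.h, a distinct prefix would be safer; at minimum the comment should read `/* Enumeration call-back return flags; unrelated to the ADBF_* database flags in nsadb.h */`. The same pattern appears with `NDBF_` in the nsdb.h and nsdbmgmt.h hunks, where `NDBF_RDNAME`, `NDBF_ENUMNORM` and `NDBF_NEWNAME` are all 0x1 but belong to different flag words. The header also does not say who frees the user or group object when the call-back does not return `ADBF_KEEPOBJ`, which call-back authors need to know to avoid a double free or a leak.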
diff --git a/include/libaccess/nsauth.h b/include/libaccess/nsauth.h
new file mode 100644
index 00000000..8f5ce877
--- /dev/null
+++ b/include/libaccess/nsauth.h
@@ -0,0 +1,288 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsauth_h
+#define __nsauth_h
+
+/*
+ * Description (nsauth.h)
+ *
+ * This file defines types and interfaces which pertain to client
+ * authentication. The key types are Realm_t, which describes a
+ * context for authentication, and ClAuth_t, which is used to
+ * pass authentication information about a particular client
+ * into and out of authentication interface functions.
+ */
+
+#ifdef CLIENT_AUTH
+
+#include "ssl.h"
+
+#if 0
+/* Removed for new ns security */
+#include "sec.h" /* SECCertificate */
+#endif
+#include "cert.h" /* CERTCertificate for new ns security bin */
+#endif /* CLIENT_AUTH */
+
+#include "usi.h" /* identifier list support */
+#include "attrec.h" /* attribute record types */
+#include "nserror.h" /* error frame list support */
+#include "nsautherr.h" /* authentication error codes */
+
+/* Define a scalar IP address value */
+#ifndef __IPADDR_T_
+#define __IPADDR_T_
+typedef unsigned long IPAddr_t;
+#endif /* __IPADDR_T_ */
+
+/*
+ * Description (UserObj_t)
+ *
+ * This type defines the structure of a user object. A user object
+ * contains information about a user which might be contained in
+ * an authentication database, including user name, password, user id,
+ * and group membership.
+ */
+
+typedef struct UserObj_s UserObj_t;
+struct UserObj_s {
+ NTS_t uo_name; /* user account name */
+ NTS_t uo_pwd; /* encrypted password */
+ USI_t uo_uid; /* user id */
+ USI_t uo_flags; /* bit flags */
+#define UOF_DBFLAGS 0x1f /* mask for flags stored in DB file */
+#define UOF_ERROR 0x20 /* error on last operation */
+#define UOF_NEW 0x40 /* new user object */
+#define UOF_MODIFIED 0x80 /* internal object modified */
+#define UOF_DELPEND 0x100 /* delete pending */
+
+ NTS_t uo_rname; /* real user name (gecos string) */
+ USIList_t uo_groups; /* list of group ids containing user */
+};
+
+/*
+ * Description (GroupObj_t)
+ *
+ * This type defines the structure of a group object. A group object
+ * contains information about a group which might be contained in
+ * an authentication database, including group name, group id, and
+ * relationships to other groups.
+ */
+
+typedef struct GroupObj_s GroupObj_t;
+struct GroupObj_s {
+ NTS_t go_name; /* group name */
+ USI_t go_gid; /* group id */
+ USI_t go_flags; /* bit flags */
+#define GOF_DBFLAGS 0x3f /* mask for flags stored in DB file */
+#define GOF_NEW 0x40 /* new group object */
+#define GOF_MODIFIED 0x80 /* internal object modified */
+#define GOF_DELPEND 0x100 /* delete pending */
+
+ NTS_t go_desc; /* group description */
+ USIList_t go_users; /* list of user members (uids) */
+ USIList_t go_groups; /* list of group members (gids) */
+ USIList_t go_pgroups; /* list of parent groups (gids) */
+};
+
+/*
+ * Description (AuthIF_t)
+ *
+ * This type describes a structure containing pointers to functions
+ * which provide a standard interface to an authentication database.
+ * The functions are described below.
+ *
+ * Description (aif_close)
+ *
+ * The referenced function closes an authentication database which
+ * was previously opened via the aif_open function.
+ *
+ * Arguments:
+ *
+ * authdb - handle for database returned by aif_open
+ * flags - close flags (unused - must be zero)
+ *
+ *
+ * Description (aif_findid)
+ *
+ * The referenced function looks up a specified user or group id
+ * in a given authentication database. Flags can be specified to
+ * search for only matching user ids, only matching group ids,
+ * or both. The result value for a successful search indicates
+ * whether a matching user or group id was found, and a pointer to
+ * a user or group object is returned accordingly.
+ *
+ * Arguments:
+ *
+ * authdb - handle for database returned by aif_open
+ * id - user/group id value
+ * flags - bit flags to control search
+ * rptr - pointer to returned user or group object
+ * pointer (may be null)
+ *
+ * Returns:
+ *
+ * If successful, the result value is greater than zero, and contains
+ * a subset of the search flags, indicating what was found, and a user
+ * or group object pointer is returned through 'rptr' if it is non-null.
+ * An unsuccessful search is indicated by a return value of zero. An
+ * error is indicated by a negative return value (defined in
+ * nsautherr.h).
+ *
+ *
+ * Description (aif_findname)
+ *
+ * The referenced function looks up a specified user or group name
+ * in a given authentication database. Flags can be specified to
+ * search for only matching user names, only matching group names,
+ * or both. The result value for a successful search indicates
+ * whether a matching user or group was found, and a pointer to a
+ * user or group object is returned accordingly.
+ *
+ * Arguments:
+ *
+ * authdb - handle for database returned by aif_open
+ * name - user/group name string pointer
+ * flags - bit flags to control search
+ * rptr - pointer to returned user or group object
+ * pointer (may be null)
+ *
+ * Returns:
+ *
+ * If successful, the result value is greater than zero, and contains
+ * a subset of the search flags, indicating what was found, and a user
+ * or group object pointer is returned through 'rptr' if it is non-null.
+ * An unsuccessful search is indicated by a return value of zero. An
+ * error is indicated by a negative return value (defined in
+ * nsautherr.h).
+ *
+ *
+ * Description (aif_idtoname)
+ *
+ * The referenced function looks up a specified user or group id
+ * in a given authentication database, and returns the associated
+ * user or group name. Flags can be specified to search for only
+ * matching user ids, only matching group ids, or both. The result
+ * value for a successful search indicates whether a matching user
+ * or group id was found, and a pointer to the user or group name
+ * is returned accordingly.
+ *
+ * Arguments:
+ *
+ * authdb - handle for database returned by aif_open
+ * id - user/group id value
+ * flags - bit flags to control search
+ * rptr - pointer to returned user or group name
+ * pointer (may be null)
+ *
+ * Returns:
+ *
+ * If successful, the result value is greater than zero, and contains
+ * a subset of the search flags, indicating what was found, and a user
+ * or group name pointer is returned through 'rptr' if it is non-null.
+ * An unsuccessful search is indicated by a return value of zero. An
+ * error is indicated by a negative return value (defined in
+ * nsautherr.h).
+ *
+ *
+ * Description (aif_open)
+ *
+ * The referenced function opens a named authentication database of
+ * the type supported by this interface. The actual effect of the
+ * open function depends on the particular type of database, but a
+ * call to the aif_open function should generally be followed by a
+ * call to the aif_close function at some point.
+ *
+ * Arguments:
+ *
+ * adbname - authentication database name string pointer
+ * flags - open flags (definitions below)
+ * rptr - pointer to returned handle for the database
+ *
+ * Returns:
+ *
+ * The return value is zero if the operation is successful, and a
+ * handle for the authentication database is returned through 'rptr'.
+ * An error is indicated by a negative return value (defined in
+ * nsautherr.h).
+ */
+
+typedef struct AuthIF_s AuthIF_t;
+struct AuthIF_s {
+ int (*aif_findid)(NSErr_t * errp,
+ void * authdb, USI_t id, int flags, void **rptr);
+ int (*aif_findname)(NSErr_t * errp,
+ void * authdb, char * name, int flags, void **rptr);
+ int (*aif_idtoname)(NSErr_t * errp,
+ void * authdb, USI_t id, int flags, char **rptr);
+ int (*aif_open)(NSErr_t * errp, char * adbname, int flags, void **rptr);
+ void (*aif_close)(void * authdb, int flags);
+ int (*aif_addmember)(void **pmlist, char * name, int flags);
+ int (*aif_ismember)(void * mlist, char * name, int flags);
+};
+
+/* Define flags for the aif_open function */
+#define AIF_CREATE 0x1 /* new database (create it) */
+
+/*
+ * Define bits for flags and return value of aif_findid, aif_findid,
+ * and aif_idtoname functions.
+ */
+#define AIF_NONE 0 /* no matching group or user name */
+#define AIF_GROUP 0x1 /* matching group name/id found */
+#define AIF_USER 0x2 /* matching user name/id found */
+
+/*
+ * Description (Realm_t)
+ *
+ * This type defines a structure which represents an authentication
+ * realm. Each realm has a unique name, which is accessed through
+ * a Symbol_t structure, which in turn references a Realm_t as the
+ * symbol value. This structure specifies an authentication
+ * method and an authentication database.
+ */
+
+typedef struct Realm_s Realm_t;
+struct Realm_s {
+ int rlm_ameth; /* authentication method type */
+ char * rlm_dbname; /* authentication database name */
+ AuthIF_t * rlm_aif; /* authentication interface pointer */
+ void * rlm_authdb; /* authentication database handle */
+ char * rlm_prompt; /* realm prompt string */
+};
+
+/* Define supported authentication method codes for rlm_ameth */
+#define AUTH_METHOD_BASIC 1 /* basic authentication */
+#define AUTH_METHOD_SSL 2 /* SSL client authentication */
+
+/*
+ * Description (ClAuth_t)
+ *
+ * This type describes a structure containing information about a
+ * particular client. It is used to pass information into and out
+ * of authentication support functions, as well as to other functions
+ * needing access to client authentication information.
+ * FUTURE:
+ * - add client certificate pointer
+ */
+
+typedef struct ClAuth_s ClAuth_t;
+struct ClAuth_s {
+ Realm_t * cla_realm; /* authentication realm pointer */
+ IPAddr_t cla_ipaddr; /* IP address */
+ char * cla_dns; /* DNS name string pointer */
+ UserObj_t * cla_uoptr; /* authenticated user object pointer */
+ GroupObj_t * cla_goptr; /* pointer to list of group objects */
+#ifdef CLIENT_AUTH
+#if 0
+ /* Removed for new ns security */
+ SECCertificate * cla_cert; /* certificate from SSL client auth */
+#endif
+ CERTCertificate * cla_cert; /* certificate from SSL client auth */
+#endif /* CLIENT_AUTH */
+};
+
+#endif /* __nsauth_h */
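Review bot: The comment above `AIF_NONE` names `aif_findid` twice and omits `aif_findname`; it should read `Define bits for flags and return value of aif_findid, aif_findname, and aif_idtoname functions.` In the same hunk `AuthIF_s` declares `aif_addmember` and `aif_ismember`, but the long AuthIF_t description documents neither, so their return convention and the ownership of `*pmlist` are unstated. Because the lookup functions return a positive flag subset on a match, zero on no match and a negative value on error, a line such as `/* callers must test rv > 0; a negative rv is an error, not a match */` next to the flag definitions would guard against truthiness checks that treat an error as a successful lookup.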
diff --git a/include/libaccess/nsautherr.h b/include/libaccess/nsautherr.h
new file mode 100644
index 00000000..02951b9f
--- /dev/null
+++ b/include/libaccess/nsautherr.h
@@ -0,0 +1,97 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsautherr_h
+#define __nsautherr_h
+
+/* Define error id codes */
+
+/* Define error ids generated by nsumgmt.c */
+
+/* userRename() */
+#define NSAUERR1000 1000 /* insufficient dynamic memory */
+
+/* userStore() */
+#define NSAUERR1100 1100 /* insufficient dynamic memory */
+
+/* Define error ids generated by nsgmgmt.c */
+
+/* groupStore() */
+#define NSAUERR2000 2000 /* insufficient dynamic memory */
+
+/* Define error ids generated by nsadb.c */
+
+/* nsadbOpen() */
+#define NSAUERR3000 3000 /* invalid function argument */
+#define NSAUERR3020 3020 /* insufficient dynamic memory */
+#define NSAUERR3040 3040 /* create directory operation failed */
+#define NSAUERR3060 3060 /* open directory operation failed */
+
+/* nsadbOpenUsers() */
+#define NSAUERR3200 3200 /* invalid function argument */
+#define NSAUERR3220 3220 /* insufficient dynamic memory */
+#define NSAUERR3240 3240 /* error opening user database */
+
+/* nsadbOpenGroups() */
+#define NSAUERR3300 3300 /* invalid function argument */
+#define NSAUERR3320 3320 /* insufficient dynamic memory */
+#define NSAUERR3340 3340 /* error opening group database */
+
+#if defined(CLIENT_AUTH)
+/* nsadbOpenClients() */
+#define NSAUERR3400 3400 /* invalid function argument */
+#define NSAUERR3420 3420 /* insufficient dynamic memory */
+#define NSAUERR3430 3430 /* error initializing DB lock */
+#define NSAUERR3440 3440 /* error opening group database */
+
+/* nsadbPutUserByCert() */
+#define NSAUERR3500 3500 /* invalid username length */
+#define NSAUERR3520 3520 /* user-to-cert map already exists */
+
+/* nsadbOpenCertUsers() */
+#define NSAUERR3600 3600 /* error opening user-to-cert id DB */
+
+/* nsadbFindCertUser() */
+#define NSAUERR3700 3700 /* specified user name not found */
+
+/* nsadbAddCertUser() */
+#define NSAUERR3800 3800 /* error adding entry to database */
+
+/* nsadbRemoveCertUser() */
+#define NSAUERR3900 3900 /* error deleting entry in database */
+
+#endif /* defined(CLIENT_AUTH) */
+
+/* Define error ids generated by nsamgmt.c */
+
+/* nsadbRemoveUser() */
+#define NSAUERR4000 4000 /* user name not found */
+
+/* nsadbRemoveGroup() */
+#define NSAUERR4100 4100 /* group name not found */
+
+/* Define error codes */
+#define NSAERRNOMEM -1 /* insufficient dynamic memory */
+#define NSAERRINVAL -2 /* invalid function argument */
+#define NSAERROPEN -3 /* error opening database */
+#define NSAERRMKDIR -4 /* error creating database directory */
+#define NSAERRNAME -5 /* user or group name not found */
+#define NSAERRPUT -6 /* error writing record to database */
+#define NSAERRCMAP -7 /* certificate map already exists */
+#define NSAERRDEL -8 /* error deleting database entry */
+#define NSAERRLOCK -9 /* error initializing DB lock */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Authentication facility name in nsuser.c */
+extern char * NSAuth_Program;
+
+ /* Functions in nsautherr.c */
+extern NSAPI_PUBLIC void nsadbErrorFmt(NSErr_t * errp,
+ char * msgbuf, int maxlen, int maxdepth);
+
+NSPR_END_EXTERN_C
+
+#endif /* __nsautherr_h */
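Review bot: `NSAUERR3440` under `nsadbOpenClients()` carries the comment "error opening group database", identical to `NSAUERR3340`; this looks like a copy-paste slip. If it is, something like `#define NSAUERR3440 3440 /* error opening cert mapping database */` would match the wording nsadb.h uses for `adb_certdb`, but confirm against nsadb.c first. The prototype `nsadbErrorFmt(errp, msgbuf, maxlen, maxdepth)` takes a signed `int maxlen` and has no comment saying whether `msgbuf` is always NUL-terminated or what happens when `maxlen` is zero or negative; a one-line contract above the declaration would help callers size the buffer correctly.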
diff --git a/include/libaccess/nscert.h b/include/libaccess/nscert.h
new file mode 100644
index 00000000..b704bbdf
--- /dev/null
+++ b/include/libaccess/nscert.h
@@ -0,0 +1,102 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nscert_h
+#define __nscert_h
+
+/*
+ * Description (nscert.h)
+ *
+ * This file describes the interface for accessing and storing
+ * information in a Netscape client certificate to username
+ * database. This facility is built on top of the Netscape
+ * (server) database interface as defined in nsdb.h.
+ */
+
+#include <libaccess/nserror.h> /* error frame list support */
+#include <libaccess/nsautherr.h> /* authentication error codes */
+#include <libaccess/nsauth.h>
+
+#include <prtypes.h>
+/* Removed for new ns security integration
+#include <sec.h>
+*/
+#include <cert.h>
+
+#if defined(CLIENT_AUTH)
+
+/* Certificate to user record attribute tags */
+#define CAT_USERNAME 0x61 /* username associated with cert */
+#define CAT_CERTID 0x62 /* id assigned to cert */
+
+/* Attribute tags used in certificate key encoding */
+#define KAT_ISSUER 0x01 /* issuer DER */
+#define KAT_SUBJECT 0x02 /* subject DER */
+
+typedef struct CertObj_s CertObj_t;
+struct CertObj_s {
+ SECItem co_issuer; /* issuing authority */
+ SECItem co_subject; /* certicate's subject */
+ char * co_username; /* the local name it mapps to */
+ USI_t co_certid; /* internal id for this client certificate */
+};
+
+typedef int (*CertEnumCallback)(NSErr_t * ferrp, void * authdb,
+ void * argp, CertObj_t * coptr);
+
+NSPR_BEGIN_EXTERN_C
+
+extern NSAPI_PUBLIC int nsadbCertInitialize(void);
+
+extern NSAPI_PUBLIC int nsadbDecodeCertKey(int keylen, char * keyptr,
+ SECItem * issuer,
+ SECItem * subject);
+
+extern NSAPI_PUBLIC int nsadbDecodeCertRec(int reclen, char * recptr,
+ CertObj_t * coptr);
+
+extern NSAPI_PUBLIC int nsadbEncodeCertKey(SECItem * issuer, SECItem * subject,
+ int * keylen, char **keyptr);
+
+extern NSAPI_PUBLIC int nsadbEnumerateCerts(NSErr_t * errp, void * authdb,
+ void * argp,
+ CertEnumCallback func);
+
+extern NSAPI_PUBLIC void nsadbFreeCertObj(CertObj_t * coptr);
+
+extern NSAPI_PUBLIC int nsadbGetCertById(NSErr_t * errp, void * authdb,
+ USI_t certid, CertObj_t **coptr);
+
+extern NSAPI_PUBLIC int nsadbGetUserByCert(NSErr_t * errp, void * authdb,
+ CERTCertificate * cert,
+ char **username);
+
+extern NSAPI_PUBLIC int nsadbOpenCerts(NSErr_t * errp,
+ void * authdb, int flags);
+
+extern NSAPI_PUBLIC int nsadbPutUserByCert(NSErr_t * errp, void * authdb,
+ CERTCertificate * cert,
+ const char * username);
+
+extern NSAPI_PUBLIC int nsadbRemoveCert(NSErr_t * errp, void * authdb,
+ void * username, CertObj_t * coptr);
+
+extern NSAPI_PUBLIC int nsadbRemoveUserCert(NSErr_t * errp, void * authdb,
+ char * username);
+
+extern NSAPI_PUBLIC void nsadbCloseCerts(void * authdb, int flags);
+
+extern NSAPI_PUBLIC void nsadbCloseCertUsers(void * authdb, int flags);
+
+extern NSAPI_PUBLIC int nsadbFindCertUser(NSErr_t * errp, void * authdb,
+ const char * username, USI_t * id);
+
+
+NSPR_END_EXTERN_C
+
+#endif /* CLIENT_AUTH */
+
+
+#endif /* __nscert_h */
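Review bot: `nsadbRemoveCert` declares its `username` parameter as `void *`, while every other prototype in this hunk that takes a user name uses `char *` or `const char *`; the untyped pointer defeats type checking on a function that deletes a certificate mapping. Unless the implementation really accepts something other than a string, declare it as `char * username` (ideally `const char *`). The out-parameters of `nsadbGetUserByCert` (`char **username`), `nsadbGetCertById` (`CertObj_t **coptr`) and `nsadbEncodeCertKey` (`char **keyptr`) carry no ownership comment, and only `nsadbFreeCertObj` hints at who releases what. Separately, `<cert.h>` is included outside the `CLIENT_AUTH` guard here, whereas nsauth.h and nsamgmt.h include it only under that guard.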
diff --git a/include/libaccess/nsdb.h b/include/libaccess/nsdb.h
new file mode 100644
index 00000000..c5b39e1c
--- /dev/null
+++ b/include/libaccess/nsdb.h
@@ -0,0 +1,182 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsdb_h
+#define __nsdb_h
+
+/*
+ * Description (nsdb.h)
+ *
+ * This file describes the interface for retrieving information
+ * from a Netscape (server) database. A database is composed of
+ * two (libdbm) DB files. One of these (<dbname>.db) contains
+ * records indexed by a string key. These records contain the
+ * primary information in the database. A second DB file
+ * (<dbname>.id) is used to map an integer id value to a string
+ * key, which can then be used to locate a record in the first file.
+ * The interface for managing information in a database is described
+ * in nsdbmgmt.h.
+ */
+
+/* Begin private definitions */
+#ifdef __PRIVATE_NSDB
+
+#include "mcom_db.h"
+
+/*
+ * Description (NSDB_t)
+ *
+ * This type describes the structure that used to represent a
+ * Netscape server database. It includes fields to reference
+ * both the primary and id-to-name DB files, and information
+ * about the current state of the database.
+ */
+
+typedef struct NSDB_s NSDB_t;
+struct NSDB_s {
+ char * ndb_pname; /* primary DB file name pointer */
+ DB * ndb_pdb; /* primary DB file handle */
+ char * ndb_iname; /* id-to-name DB file name pointer */
+ DB * ndb_idb; /* id-to-name DB file handle */
+ int ndb_flags; /* bit flags */
+#define NDBF_RDNAME 0x1 /* primary DB open for read */
+#define NDBF_WRNAME 0x2 /* primary DB open for write */
+#define NDBF_NONAME 0x4 /* primary DB does not exist */
+#define NDBF_RDID 0x10 /* id-to-name DB open for read */
+#define NDBF_WRID 0x20 /* id-to-name DB open for write */
+#define NDBF_NOID 0x40 /* id-to-name DB does not exist */
+
+ int ndb_dbtype; /* database type */
+ int ndb_version; /* type-specific version number */
+};
+
+/* Define metadata record keys (must start with NDB_MDPREFIX) */
+#define NDB_DBTYPE "?dbtype" /* database type and version info */
+#define NDB_IDMAP "?idmap" /* id allocation bitmap */
+
+#endif /* __PRIVATE_NSDB */
+
+/* Begin public definitions */
+
+#include "nserror.h" /* error frame list support */
+#include "nsdberr.h" /* error codes for NSDB facility */
+
+/* Define the NSDB version number */
+#define NDB_VERSION 0x10 /* NSDB version 1.0 */
+
+/* Define reserved database type codes for ndb_dbtype */
+#define NDB_TYPE_USERDB 1 /* user database */
+#define NDB_TYPE_GROUPDB 2 /* group database */
+#define NDB_TYPE_CLIENTDB 3 /* client database */
+#define NDB_TYPE_ACLDB 4 /* access control list database */
+
+/*
+ * Define the metadata record key prefix character. Normal data record
+ * keys (names) cannot begin with this character.
+ */
+#define NDB_MDPREFIX '?'
+
+/* Define flags for ndbEnumerate() */
+#define NDBF_ENUMNORM 0x1 /* enumerate normal data records */
+#define NDBF_ENUMMETA 0x2 /* enumerate metadata records */
+
+/* Define return values for a user function called by ndbEnumerate */
+#define NDB_ENUMSTOP -1 /* terminate enumeration */
+#define NDB_ENUMCONT 0 /* continue enumeration */
+#define NDB_ENUMRESET 1 /* restart enumeration at beginning */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions for database information retrieval in nsdb.c */
+extern void ndbClose(void * ndb, int flags);
+
+/* for ANSI C++ standard on SCO UDK, otherwise fn name is mangled */
+#ifdef UnixWare
+typedef int (*ArgFn_ndbEnum)(NSErr_t * ferrp, void * parg, int namelen,
+ char * name, int reclen, char * recptr);
+extern int ndbEnumerate(NSErr_t * errp, void * ndb, int flags, void * argp,
+ ArgFn_ndbEnum);
+#else /* UnixWare */
+extern int ndbEnumerate(NSErr_t * errp, void * ndb, int flags, void * argp,
+ int (*func)(NSErr_t * ferrp, void * parg,
+ int namelen, char * name,
+ int reclen, char * recptr));
+#endif /* UnixWare */
+extern int ndbFindName(NSErr_t * errp, void * ndb, int namelen, char * name,
+ int * reclen, char **recptr);
+extern int ndbIdToName(NSErr_t * errp,
+ void * ndb, unsigned int id, int * plen, char **pname);
+extern int ndbInitPrimary(NSErr_t * errp, void * ndb);
+extern void * ndbOpen(NSErr_t * errp,
+ char * dbname, int flags, int dbtype, int * version);
+extern int ndbReOpen(NSErr_t * errp, void * ndb, int flags);
+
+NSPR_END_EXTERN_C
+
+/* richm - 20020218 - these macros were added as part of the port to DBM 1.6
+ * apparently, these were exported for outside use from mcom_db.h in
+ * DBM 1.5x and earlier, but were made private in 1.6 - so I copied them
+ * here
+ */
+/*
+ * Little endian <==> big endian 32-bit swap macros.
+ * M_32_SWAP swap a memory location
+ * P_32_SWAP swap a referenced memory location
+ * P_32_COPY swap from one location to another
+ */
+#ifndef M_32_SWAP
+#define M_32_SWAP(a) { \
+ uint32 _tmp = a; \
+ ((char *)&a)[0] = ((char *)&_tmp)[3]; \
+ ((char *)&a)[1] = ((char *)&_tmp)[2]; \
+ ((char *)&a)[2] = ((char *)&_tmp)[1]; \
+ ((char *)&a)[3] = ((char *)&_tmp)[0]; \
+}
+#endif
+#ifndef P_32_SWAP
+#define P_32_SWAP(a) { \
+ uint32 _tmp = *(uint32 *)a; \
+ ((char *)a)[0] = ((char *)&_tmp)[3]; \
+ ((char *)a)[1] = ((char *)&_tmp)[2]; \
+ ((char *)a)[2] = ((char *)&_tmp)[1]; \
+ ((char *)a)[3] = ((char *)&_tmp)[0]; \
+}
+#endif
+#ifndef P_32_COPY
+#define P_32_COPY(a, b) { \
+ ((char *)&(b))[0] = ((char *)&(a))[3]; \
+ ((char *)&(b))[1] = ((char *)&(a))[2]; \
+ ((char *)&(b))[2] = ((char *)&(a))[1]; \
+ ((char *)&(b))[3] = ((char *)&(a))[0]; \
+}
+#endif
+/*
+ * Little endian <==> big endian 16-bit swap macros.
+ * M_16_SWAP swap a memory location
+ * P_16_SWAP swap a referenced memory location
+ * P_16_COPY swap from one location to another
+ */
+#ifndef M_16_SWAP
+#define M_16_SWAP(a) { \
+ uint16 _tmp = a; \
+ ((char *)&a)[0] = ((char *)&_tmp)[1]; \
+ ((char *)&a)[1] = ((char *)&_tmp)[0]; \
+}
+#endif
+#ifndef P_16_SWAP
+#define P_16_SWAP(a) { \
+ uint16 _tmp = *(uint16 *)a; \
+ ((char *)a)[0] = ((char *)&_tmp)[1]; \
+ ((char *)a)[1] = ((char *)&_tmp)[0]; \
+}
+#endif
+#ifndef P_16_COPY
+#define P_16_COPY(a, b) { \
+ ((char *)&(b))[0] = ((char *)&(a))[1]; \
+ ((char *)&(b))[1] = ((char *)&(a))[0]; \
+}
+#endif
+
+#endif /* __nsdb_h */
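Review bot: The copied swap macros expand their argument unparenthesized and as a bare `{ ... }` block: `P_32_SWAP(a)` does `*(uint32 *)a`, so with an argument such as `buf + off` the cast binds to `buf` only, and any of the six macros breaks inside an unbraced `if`/`else`. `P_32_SWAP` and `P_16_SWAP` also load through a `uint32 *`/`uint16 *` cast, which assumes suitable alignment; if they are applied at offsets inside a database record buffer, that may not hold. The sketch below swaps byte-wise, evaluates the argument once and uses `do { } while (0)`; call sites would then need a trailing semicolon, and the `#ifndef` guards mean a definition from mcom_db.h would still take precedence. `uint32`/`uint16` are also not declared by anything this header includes unconditionally, and the byte-wise form removes that dependency for these two macros.

```c
/* … unchanged: M_32_SWAP … */
#ifndef P_32_SWAP
#define P_32_SWAP(a) do { \
    char *_p = (char *)(a); \
    char _b0 = _p[0]; \
    char _b1 = _p[1]; \
    _p[0] = _p[3]; \
    _p[1] = _p[2]; \
    _p[2] = _b1; \
    _p[3] = _b0; \
} while (0)
#endif
/* … unchanged: P_32_COPY, M_16_SWAP … */
#ifndef P_16_SWAP
#define P_16_SWAP(a) do { \
    char *_p = (char *)(a); \
    char _b0 = _p[0]; \
    _p[0] = _p[1]; \
    _p[1] = _b0; \
} while (0)
#endif
/* … unchanged: P_16_COPY … */
```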
diff --git a/include/libaccess/nsdberr.h b/include/libaccess/nsdberr.h
new file mode 100644
index 00000000..224bd483
--- /dev/null
+++ b/include/libaccess/nsdberr.h
@@ -0,0 +1,92 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsdberr_h
+#define __nsdberr_h
+
+/* NSDB facility name (defined in nsdb,c) */
+extern char * NSDB_Program;
+
+/* Define error identifiers for NSDB facility */
+
+/* Errors generated in nsdb.c */
+
+/* ndbFindName() */
+#define NSDBERR1000 1000 /* primary DB get operation failed */
+
+/* ndbIdToName() */
+#define NSDBERR1100 1100 /* id-to-name DB get operation failed */
+
+/* ndbInitPrimary() */
+#define NSDBERR1200 1200 /* primary database already exists */
+#define NSDBERR1220 1220 /* primary database open failed */
+#define NSDBERR1240 1240 /* primary DB put operation failed */
+#define NSDBERR1260 1260 /* primary DB put operation failed */
+
+/* ndbOpen() */
+#define NSDBERR1400 1400 /* insufficient dynamic memory */
+#define NSDBERR1420 1420 /* insufficient dynamic memory */
+#define NSDBERR1440 1440 /* insufficient dynamic memory */
+#define NSDBERR1460 1460 /* primary DB get metadata operation failed */
+#define NSDBERR1480 1480 /* metadata format error */
+#define NSDBERR1500 1500 /* unsupported database version number */
+#define NSDBERR1520 1520 /* wrong database type */
+
+/* ndbReOpen() */
+#define NSDBERR1600 1600 /* create primary DB failed */
+#define NSDBERR1620 1620 /* open primary/write failed */
+#define NSDBERR1640 1640 /* open primary/read failed */
+#define NSDBERR1660 1660 /* create id-to-name DB failed */
+#define NSDBERR1680 1680 /* open id-to-name DB for write failed */
+#define NSDBERR1700 1700 /* open id-to-name DB for read failed */
+
+/* Define error ids generated in nsdbmgmt.c */
+
+/* ndbAllocId() */
+#define NSDBERR2000 2000 /* bad DB name key */
+#define NSDBERR2020 2020 /* metadata get operation failed */
+#define NSDBERR2040 2040 /* no space to grow DB id bitmap */
+#define NSDBERR2060 2060 /* no space to copy DB id bitmap */
+#define NSDBERR2080 2080 /* put bitmap to DB operation failed */
+#define NSDBERR2100 2100 /* put id-to-name operation failed */
+
+/* ndbDeleteName() */
+#define NSDBERR2200 2200 /* error deleting record */
+
+/* ndbFreeId() */
+#define NSDBERR2300 2300 /* invalid id value */
+#define NSDBERR2320 2320 /* error deleting id-to-name record */
+#define NSDBERR2340 2340 /* error reading id bitmap from primary DB */
+#define NSDBERR2360 2360 /* invalid id value */
+#define NSDBERR2380 2380 /* insufficient dynamic memory */
+#define NSDBERR2400 2400 /* error writing id bitmap back to DB */
+
+/* ndbRenameId() */
+#define NSDBERR2500 2500 /* invalid new key name string */
+#define NSDBERR2520 2520 /* get id record operation failed */
+#define NSDBERR2540 2540 /* put id record operation failed */
+
+/* ndbStoreName() */
+#define NSDBERR2700 2700 /* database put operation failed */
+
+/* Define error return codes */
+#define NDBERRNOMEM -1 /* insufficient dynamic memory */
+#define NDBERRNAME -2 /* invalid key name string */
+#define NDBERROPEN -3 /* database open error */
+#define NDBERRMDGET -4 /* database metadata get failed */
+#define NDBERRMDPUT -5 /* database metadata put failed */
+#define NDBERRIDPUT -6 /* id-to-name record put failed */
+#define NDBERRNMDEL -7 /* delete named record failed */
+#define NDBERRPINIT -8 /* error creating primary DB file */
+#define NDBERRGET -9 /* database get failed */
+#define NDBERREXIST -10 /* DB already exists */
+#define NDBERRMDFMT -11 /* invalid metadata format */
+#define NDBERRDBTYPE -12 /* wrong DB type */
+#define NDBERRBADID -13 /* invalid id value for name */
+#define NDBERRPUT -14 /* database put operation failed */
+#define NDBERRVERS -15 /* unsupported database version */
+#define NDBERRIDDEL -16 /* delete id-to-name record failed */
+
+#endif /* __nsdberr_h */
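Review bot: `extern char * NSDB_Program;` is declared outside any `NSPR_BEGIN_EXTERN_C`/`NSPR_END_EXTERN_C` pair, whereas nsautherr.h declares `NSAuth_Program` inside one; wrapping this declaration the same way would keep the two error headers consistent for C++ includers. The comment above it has a typo, `nsdb,c` for `nsdb.c`. Several ids also share identical comments (`NSDBERR1240`/`NSDBERR1260`, and `NSDBERR1400`/`NSDBERR1420`/`NSDBERR1440`), so the header alone cannot tell a reader which put or allocation failed; a short qualifier per id (which record, which buffer) would make logged error ids easier to triage.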
diff --git a/include/libaccess/nsdbmgmt.h b/include/libaccess/nsdbmgmt.h
new file mode 100644
index 00000000..2977e6a2
--- /dev/null
+++ b/include/libaccess/nsdbmgmt.h
@@ -0,0 +1,52 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsdbmgmt_h
+#define __nsdbmgmt_h
+
+/*
+ * Description (nsdbmgmt.h)
+ *
+ * The file describes the interface for managing information in
+ * a Netscape (server) database. A database is composed of
+ * two (libdbm) DB files. One of these (<dbname>.db) contains
+ * records indexed by a string key. These records contain the
+ * primary information in the database. A second DB file
+ * (<dbname>.id) is used to map an integer id value to a string
+ * key, which can then be used to locate a record in the first file.
+ * The interface for retrieving information from a database is
+ * described in nsdb.h.
+ *
+ * FUTURE:
+ * Normally the records in the primary DB file will contain the
+ * id values which are used to key the id-to-name DB. When this
+ * is the case, it is possible to construct the id-to-name DB from
+ * the primary DB file, and an interface is provided to facilitate
+ * this.
+ */
+
+#include "nsdb.h" /* database access */
+
+/* Define flags for ndbStoreName() */
+#define NDBF_NEWNAME 0x1 /* this is (should be) a new name */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions for database management in nsdbmgmt.c */
+extern int ndbAllocId(NSErr_t * errp, void * ndb,
+ int namelen, char * name, unsigned int * id);
+extern int ndbDeleteName(NSErr_t * errp,
+ void * ndb, int flags, int namelen, char * name);
+extern int ndbFreeId(NSErr_t * errp,
+ void * ndb, int namelen, char * name, unsigned int id);
+extern int ndbRenameId(NSErr_t * errp, void * ndb,
+ int namelen, char * newname, unsigned int id);
+extern int ndbStoreName(NSErr_t * errp, void * ndb, int flags,
+ int namelen, char * name, int reclen, char * recptr);
+extern int ndbSync(NSErr_t * errp, void * ndb, int flags);
+
+NSPR_END_EXTERN_C
+
+#endif /* __nsdbmgmt_h */
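Review bot: The `namelen` and `reclen` parameters on `ndbStoreName()` and the four other name-taking prototypes are plain `int` with no stated contract. A caller cannot tell from this header whether a zero or negative length is rejected, or whether the length counts the terminating NUL. These lengths describe caller-supplied key and record buffers that go into the database, so I would add a comment above the prototypes such as `/* namelen: length of name in bytes, must be > 0 (TODO confirm whether the NUL is counted) */`, and the same for `reclen`. `name`, `newname` and `recptr` could probably be `const char *` if the implementation does not write through them, which cannot be checked from this hunk.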
diff --git a/include/libaccess/nserror.h b/include/libaccess/nserror.h
new file mode 100644
index 00000000..2a28c4f9
--- /dev/null
+++ b/include/libaccess/nserror.h
@@ -0,0 +1,47 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nserror_h
+#define __nserror_h
+
+#ifndef NOINTNSACL
+#define INTNSACL
+#endif /* !NOINTNSACL */
+
+/*
+ * Description (nserror.h)
+ *
+ * This file describes the interface to an error handling mechanism
+ * that is intended for general use. This mechanism uses a data
+ * structure known as an "error frame" to capture information about
+ * an error. Multiple error frames are used in nested function calls
+ * to capture the interpretation of an error at the different levels
+ * of a nested call.
+ */
+
+#include <stdarg.h>
+#include <prtypes.h>
+#include "public/nsacl/nserrdef.h"
+
+#ifdef INTNSACL
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions in nseframe.c */
+extern void nserrDispose(NSErr_t * errp);
+extern NSEFrame_t * nserrFAlloc(NSErr_t * errp);
+extern void nserrFFree(NSErr_t * errp, NSEFrame_t * efp);
+extern NSEFrame_t * nserrGenerate(NSErr_t * errp, long retcode, long errorid,
+ char * program, int errc, ...);
+
+/* Functions in nserrmsg.c */
+extern char * nserrMessage(NSEFrame_t * efp, int flags);
+extern char * nserrRetrieve(NSEFrame_t * efp, int flags);
+
+NSPR_END_EXTERN_C
+
+#endif /* INTNSACL */
+
+#endif /* __nserror_h */
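Review bot: `nserrGenerate()` in the `/* Functions in nseframe.c */` group is variadic, but the header does not say what type the `errc` trailing arguments must have. A mismatch between `errc` and what is actually passed is undefined behaviour that no compiler check will catch. I would document it on the prototype, for example `/* errc = number of trailing arguments; each must be a (char *) string -- TODO confirm against nseframe.c */`. It would also help to say who owns the `char *` returned by `nserrMessage()` and `nserrRetrieve()`, since nothing here tells the caller whether to free it.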
diff --git a/include/libaccess/nsgmgmt.h b/include/libaccess/nsgmgmt.h
new file mode 100644
index 00000000..8fc59e12
--- /dev/null
+++ b/include/libaccess/nsgmgmt.h
@@ -0,0 +1,35 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsgmgmt_h
+#define __nsgmgmt_h
+
+/*
+ * Description (nsgmgmt.h)
+ *
+ * This file defines the interface to group management facilities
+ * implemented using a Netscape group database. This interface
+ * provides functions for adding, modifying, and removing group
+ * entries in the database, using the group object (GroupObj_t)
+ * structure to convey information across the interface.
+ */
+
+#define __PRIVATE_NSGROUP
+#include "nsgroup.h" /* group object access */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Group information management operations in nsgmgmt.c */
+extern NSAPI_PUBLIC int groupAddMember(GroupObj_t * goptr, int isgid, USI_t id);
+extern NSAPI_PUBLIC GroupObj_t * groupCreate(NTS_t name, NTS_t desc);
+extern NSAPI_PUBLIC int groupDeleteMember(GroupObj_t * goptr, int isgid, USI_t id);
+extern NSAPI_PUBLIC int groupEncode(GroupObj_t * goptr, int * ureclen, ATR_t * urecptr);
+extern NSAPI_PUBLIC int groupRemove(NSErr_t * errp, void * groupdb, int flags, NTS_t name);
+extern NSAPI_PUBLIC int groupStore(NSErr_t * errp,
+ void * groupdb, int flags, GroupObj_t * goptr);
+
+NSPR_END_EXTERN_C
+
+#endif /* __nsgmgmt_h */
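Review bot: Defining `__PRIVATE_NSGROUP` right before `#include "nsgroup.h"` only works if nsgroup.h has not been included yet. If a translation unit includes nsgroup.h first, its `__nsgroup_h` guard makes this include a no-op, so whether the private definitions are in scope depends on include order. The define also stays set for every file that includes nsgmgmt.h, which exposes `GroupEnumArgs_t` and the `GAT_*` record tags to all users of the management interface. None of the prototypes here appears to need the private definitions, so I would drop the `#define __PRIVATE_NSGROUP` line and let nsgmgmt.c define it before its own includes. The macro name is also in the reserved identifier space (leading double underscore).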
diff --git a/include/libaccess/nsgroup.h b/include/libaccess/nsgroup.h
new file mode 100644
index 00000000..8f4bf56a
--- /dev/null
+++ b/include/libaccess/nsgroup.h
@@ -0,0 +1,73 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsgroup_h
+#define __nsgroup_h
+
+/*
+ * Description (nsgroup.h)
+ *
+ * This file describes the interface to group information stored in
+ * a Netscape group database. Information about a group is provided
+ * to the caller in the form of a group object (GroupObj_t), defined
+ * in nsauth.h. This interface provides only read access to group
+ * information. The interface for managing the group database is
+ * described in nsgmgmt.h.
+ */
+
+#include "nserror.h" /* error frame list support */
+#include "nsautherr.h" /* authentication error codes */
+#include "nsauth.h" /* authentication types */
+
+/* Begin private definitions */
+#ifdef __PRIVATE_NSGROUP
+
+#include "nsdb.h"
+
+/*
+ * Define structure used to communicate between groupEnumerate() and
+ * groupEnumHelp().
+ */
+
+typedef struct GroupEnumArgs_s GroupEnumArgs_t;
+struct GroupEnumArgs_s {
+ void * groupdb; /* group database handle */
+ int flags; /* groupEnumerate() flags */
+ int (*func)(NSErr_t * ferrp, void * parg,
+ GroupObj_t * goptr); /* user function pointer */
+ void * user; /* user's argp pointer */
+};
+
+/* Define attribute tags for group DB records */
+#define GAT_GID 0x50 /* group id (USI) */
+#define GAT_FLAGS 0x51 /* flags (USI) */
+#define GAT_DESCRIPT 0x52 /* group description (NTS) */
+#define GAT_USERS 0x53 /* list of users (USI...) */
+#define GAT_GROUPS 0x54 /* list of groups (USI...) */
+#define GAT_PGROUPS 0x55 /* list of paret groups (USI...) */
+
+#endif /* __PRIVATE_NSGROUP */
+
+/* Begin public definitions */
+
+/* Define flags for groupEnumerate() */
+#define GOF_ENUMKEEP 0x1 /* don't free group objects */
+
+NSPR_BEGIN_EXTERN_C
+
+ /* Operations on a group object (see nsgroup.c) */
+extern NSAPI_PUBLIC GroupObj_t * groupDecode(NTS_t name, int ureclen, ATR_t urecptr);
+extern NSAPI_PUBLIC int groupEnumerate(NSErr_t * errp,
+ void * groupdb, int flags, void * argp,
+ int (*func)(NSErr_t * ferrp,
+ void * parg, GroupObj_t * goptr));
+extern NSAPI_PUBLIC GroupObj_t * groupFindByName(NSErr_t * errp,
+ void * groupdb, NTS_t name);
+extern NSAPI_PUBLIC GroupObj_t * groupFindByGid(NSErr_t * errp, void * groupdb, USI_t gid);
+extern NSAPI_PUBLIC void groupFree(GroupObj_t * goptr);
+
+NSPR_END_EXTERN_C
+
+#endif /* __nsgroup_h */
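Review bot: `GOF_ENUMKEEP` is documented only as "don't free group objects", which leaves open who releases each `GroupObj_t` passed to the callback when the flag is set. I would spell out the ownership transfer, e.g. `#define GOF_ENUMKEEP 0x1 /* callback keeps each GroupObj_t and must release it with groupFree() -- TODO confirm */`. That way a callback neither leaks objects nor frees one that `groupEnumerate()` would free again. Small fix in the same hunk: the `GAT_PGROUPS` comment reads "paret groups" and should say "parent groups".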
diff --git a/include/libaccess/nslock.h b/include/libaccess/nslock.h
new file mode 100644
index 00000000..af205863
--- /dev/null
+++ b/include/libaccess/nslock.h
@@ -0,0 +1,74 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nslock_h
+#define __nslock_h
+
+/*
+ * Description (nslock.h)
+ *
+ * This file defines to interface for a locking facility that
+ * provides exclusive access to a resource across multiple
+ * server processes.
+ */
+
+#include "nserror.h"
+#include "base/crit.h"
+
+#ifdef __PRIVATE_NSLOCK
+
+/*
+ * Description (NSLock_t)
+ *
+ * This type represents a lock. It includes a name which
+ * uniquely identifies the lock, and a handle for referencing
+ * the lock once it has been initialized.
+ */
+
+typedef struct NSLock_s NSLock_t;
+struct NSLock_s {
+ NSLock_t * nl_next; /* next lock on NSLock_List */
+ char * nl_name; /* name associate with lock */
+#if defined(FILE_UNIX)
+ CRITICAL nl_crit; /* critical section for threads */
+ SYS_FILE nl_fd; /* file descriptor */
+ int nl_cnt; /* nsLockAcquire() count */
+#elif defined(XP_WIN32)
+#else
+#error "nslock.h needs work for this platform"
+#endif
+};
+
+#endif /* __PRIVATE_NSLOCK */
+
+/* Define error identifiers */
+
+/* nsLockOpen() */
+#define NSLERR1000 1000 /* insufficient dynamic memory */
+#define NSLERR1020 1020 /* error creating lock */
+#define NSLERR1040 1040 /* error accessing lock */
+
+/* nsLockAcquire() */
+#define NSLERR1100 1100 /* error acquiring lock */
+
+/* Define error return codes */
+
+#define NSLERRNOMEM -1 /* insufficient dynamic memory */
+#define NSLERRCREATE -2 /* error creating lock */
+#define NSLERROPEN -3 /* error accessing lock */
+#define NSLERRLOCK -4 /* error acquiring lock */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Functions in nslock.c */
+extern NSAPI_PUBLIC int nsLockOpen(NSErr_t * errp,
+ char * lockname, void **plock);
+extern NSAPI_PUBLIC int nsLockAcquire(NSErr_t * errp, void * lock);
+extern NSAPI_PUBLIC void nsLockRelease(void * lock);
+extern NSAPI_PUBLIC void nsLockClose(void * lock);
+
+NSPR_END_EXTERN_C
+
+#endif __nslock_h
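Review bot: The last line, `#endif __nslock_h`, has a bare token after the directive. Only a comment may follow `#endif`, so compilers warn about extra tokens and reject it under pedantic-error settings. It should match the other headers in this commit: `#endif /* __nslock_h */`. Separately, the `XP_WIN32` branch of `struct NSLock_s` declares no members, so on that platform the struct holds only `nl_next` and `nl_name`; if that is intended, a one-line comment in the empty branch should say so. The description comment also has a typo, "defines to interface" for "defines the interface".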
diff --git a/include/libaccess/nsumgmt.h b/include/libaccess/nsumgmt.h
new file mode 100644
index 00000000..6d295a85
--- /dev/null
+++ b/include/libaccess/nsumgmt.h
@@ -0,0 +1,36 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsumgmt_h
+#define __nsumgmt_h
+
+/*
+ * Description (nsumgmt.h)
+ *
+ * This file defines the interface to user management facilities
+ * implemented using a Netscape user database. This interface
+ * provides functions for adding, modifying, and removing user
+ * entries in the database, using the user object (UserObj_t)
+ * structure to convey information across the interface.
+ */
+
+#include "nsuser.h" /* user object access */
+
+NSPR_BEGIN_EXTERN_C
+
+/* User information management operations in nsumgmt.c */
+extern int userAddGroup(UserObj_t * uoptr, USI_t gid);
+extern NSAPI_PUBLIC UserObj_t * userCreate(NTS_t name, NTS_t pwd, NTS_t rname);
+extern int userDeleteGroup(UserObj_t * uoptr, USI_t gid);
+extern int userEncode(UserObj_t * uoptr, int * ureclen, ATR_t * urecptr);
+extern NSAPI_PUBLIC int userRemove(NSErr_t * errp, void * userdb, int flags, NTS_t name);
+extern NSAPI_PUBLIC int userRename(NSErr_t * errp,
+ void * userdb, UserObj_t * uoptr, NTS_t newname);
+extern NSAPI_PUBLIC int userStore(NSErr_t * errp,
+ void * userdb, int flags, UserObj_t * uoptr);
+
+NSPR_END_EXTERN_C
+
+#endif /* __nsumgmt_h */
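Review bot: `userAddGroup()`, `userDeleteGroup()` and `userEncode()` are declared without `NSAPI_PUBLIC`, while the other four prototypes here and the matching `groupAddMember()`, `groupDeleteMember()` and `groupEncode()` in nsgmgmt.h carry it. If `NSAPI_PUBLIC` expands to an export attribute on some platform (its definition is not in this hunk), these three would not be visible outside the library there. If they are meant to be internal, a comment saying so would stop someone from "fixing" it later. The same split appears in nsuser.h, where only `userFree()` is marked, and it is written `NSAPI_PUBLIC extern` rather than `extern NSAPI_PUBLIC`. Suggested form if they are public: `extern NSAPI_PUBLIC int userAddGroup(UserObj_t * uoptr, USI_t gid);`.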
diff --git a/include/libaccess/nsuser.h b/include/libaccess/nsuser.h
new file mode 100644
index 00000000..fbc51ba3
--- /dev/null
+++ b/include/libaccess/nsuser.h
@@ -0,0 +1,70 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __nsuser_h
+#define __nsuser_h
+
+/*
+ * Description (nsuser.h)
+ *
+ * This file describes the interface to user information stored in
+ * a Netscape user database. Information about a user is provided
+ * to the caller in the form of a user object (UserObj_t), defined
+ * in nsauth.h. This interface provides only read access to user
+ * information. The interface for managing the user database is
+ * described in nsumgmt.h.
+ */
+
+#include "nserror.h" /* error frame list support */
+#include "nsautherr.h" /* authentication error codes */
+#include "nsauth.h" /* authentication types */
+
+/* Begin private definitions */
+#ifdef __PRIVATE_NSUSER
+
+#include "nsdb.h"
+
+/*
+ * Define structure used to communicate between userEnumerate() and
+ * userEnumHelp().
+ */
+
+typedef struct UserEnumArgs_s UserEnumArgs_t;
+struct UserEnumArgs_s {
+ void * userdb; /* user database handle */
+ int flags; /* userEnumerate() flags */
+ int (*func)(NSErr_t * ferrp, void * parg,
+ UserObj_t * uoptr); /* user function pointer */
+ void * user; /* user's argp pointer */
+};
+
+/* Define attribute tags for user DB records */
+#define UAT_PASSWORD 0x40 /* password (NTS) */
+#define UAT_UID 0x41 /* user id (USI) */
+#define UAT_ACCFLAGS 0x42 /* account flags (USI) */
+#define UAT_REALNAME 0x43 /* real name (NTS) */
+#define UAT_GROUPS 0x44 /* list of groups (USI...) */
+
+#endif /* __PRIVATE_NSUSER */
+
+/* Begin public definitions */
+
+/* Define flags for userEnumerate() */
+#define UOF_ENUMKEEP 0x1 /* don't free user objects */
+
+NSPR_BEGIN_EXTERN_C
+
+/* User information retrieval operations in nsuser.c */
+extern UserObj_t * userDecode(NTS_t name, int ureclen, ATR_t urecptr);
+extern int userEnumerate(NSErr_t * errp, void * userdb, int flags, void * argp,
+ int (*func)(NSErr_t * ferrp,
+ void * parg, UserObj_t * uoptr));
+extern UserObj_t * userFindByName(NSErr_t * errp, void * userdb, NTS_t name);
+extern UserObj_t * userFindByUid(NSErr_t * errp, void * userdb, USI_t uid);
+NSAPI_PUBLIC extern void userFree(UserObj_t * uoptr);
+
+NSPR_END_EXTERN_C
+
+#endif /* __nsuser_h */
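Review bot: The `UAT_PASSWORD` tag comment, `/* password (NTS) */`, does not say in what form the password is held in a user DB record, and `userDecode()` returns the decoded record as a `UserObj_t`. Whether that field is clear text or a one-way hash determines how the database file and any decoded objects must be protected, so it belongs in the header. I would write something like `#define UAT_PASSWORD 0x40 /* password as stored (NTS); document the encoding: hash scheme or clear text */`. The `pwd` argument of `userCreate()` in nsumgmt.h needs the same statement. `UOF_ENUMKEEP` ("don't free user objects") should also say who then calls `userFree()`.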
diff --git a/include/libaccess/register.h b/include/libaccess/register.h
new file mode 100644
index 00000000..9b5837e4
--- /dev/null
+++ b/include/libaccess/register.h
@@ -0,0 +1,215 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#ifndef ACL_REGISTER_HEADER
+#define ACL_REGISTER_HEADER
+
+#include <prhash.h>
+
+#include <ldap.h>
+#include <base/pblock.h>
+#include <base/plist.h>
+#include <libaccess/nserror.h>
+#include <libaccess/acl.h>
+
+typedef void * ACLMethod_t;
+#define ACL_METHOD_ANY (ACLMethod_t)-1
+#define ACL_METHOD_INVALID (ACLMethod_t)-2
+extern ACLMethod_t ACL_METHOD_BASIC;
+
+typedef void * ACLDbType_t;
+#define ACL_DBTYPE_ANY (ACLDbType_t)-1
+#define ACL_DBTYPE_INVALID (ACLDbType_t)-2
+extern ACLDbType_t ACL_ACL_DBTYPE_LDAP;
+
+typedef int (*AttrGetterFn)(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth, void *arg);
+typedef int (*AclModuleInitFunc)(pblock *pb, Session *sn, Request *rq);
+typedef int (*DbParseFn_t)(NSErr_t *errp, ACLDbType_t dbtype,
+ const char *name, const char *url,
+ PList_t plist, void **db);
+typedef int (*AclCacheFlushFunc_t)(void);
+
+#ifdef __cplusplus
+typedef int (*LASEvalFunc_t)(NSErr_t*, char*, CmpOp_t, char*, int*, void**, PList_t, PList_t, PList_t, PList_t);
+typedef void (*LASFlushFunc_t)(void **);
+#else
+typedef int (*LASEvalFunc_t)();
+typedef void (*LASFlushFunc_t)();
+#endif
+
+/* We need to hide ACLGetter_t */
+typedef struct ACLGetter_s {
+ ACLMethod_t method;
+ ACLDbType_t db;
+ AttrGetterFn fn;
+ void *arg;
+} ACLGetter_t;
+typedef ACLGetter_t *ACLGetter_p;
+
+/*
+ * Command values for the "position" argument to ACL_RegisterGetter
+ * Any positive >0 value is the specific position in the list to insert
+ * the new function.
+ */
+#define ACL_AT_FRONT 0
+#define ACL_AT_END -1
+#define ACL_REPLACE_ALL -2
+#define ACL_REPLACE_MATCHING -3
+
+#ifdef ACL_LIB_INTERNAL
+#define ACL_MAX_METHOD 32
+#define ACL_MAX_DBTYPE 32
+#endif
+
+NSPR_BEGIN_EXTERN_C
+
+NSAPI_PUBLIC extern int
+ ACL_LasRegister( NSErr_t *errp, char *attr_name, LASEvalFunc_t
+ eval_func, LASFlushFunc_t flush_func );
+NSAPI_PUBLIC extern int
+ ACL_LasFindEval( NSErr_t *errp, char *attr_name, LASEvalFunc_t
+ *eval_funcp );
+NSAPI_PUBLIC extern int
+ ACL_LasFindFlush( NSErr_t *errp, char *attr_name, LASFlushFunc_t
+ *flush_funcp );
+extern void
+ ACL_LasHashInit( void );
+extern void
+ ACL_LasHashDestroy( void );
+
+/*
+ * Revised, normalized method/dbtype registration routines
+ */
+NSAPI_PUBLIC extern int
+ ACL_MethodRegister(const char *name, ACLMethod_t *t);
+NSAPI_PUBLIC extern int
+ ACL_MethodIsEqual(const ACLMethod_t t1, const ACLMethod_t t2);
+NSAPI_PUBLIC extern int
+ ACL_MethodNameIsEqual(const ACLMethod_t t, const char *name);
+NSAPI_PUBLIC extern int
+ ACL_MethodFind(const char *name, ACLMethod_t *t);
+NSAPI_PUBLIC extern ACLMethod_t
+ ACL_MethodGetDefault();
+NSAPI_PUBLIC extern void
+ ACL_MethodSetDefault(const ACLMethod_t t);
+NSAPI_PUBLIC extern int
+ ACL_AuthInfoGetMethod(PList_t auth_info, ACLMethod_t *t);
+
+NSAPI_PUBLIC extern int
+ ACL_DbTypeRegister(const char *name, DbParseFn_t func, ACLDbType_t *t);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeIsEqual(const ACLDbType_t t1, const ACLDbType_t t2);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeNameIsEqual(const ACLDbType_t t, const char *name);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeFind(const char *name, ACLDbType_t *t);
+NSAPI_PUBLIC extern const ACLDbType_t
+ ACL_DbTypeGetDefault();
+NSAPI_PUBLIC extern void
+ ACL_DbTypeSetDefault(ACLDbType_t t);
+NSAPI_PUBLIC extern int
+ ACL_AuthInfoGetDbType(PList_t auth_info, ACLDbType_t *t);
+NSAPI_PUBLIC extern int
+ ACL_DbTypeIsRegistered(const ACLDbType_t dbtype);
+NSAPI_PUBLIC extern DbParseFn_t
+ ACL_DbTypeParseFn(const ACLDbType_t dbtype);
+
+NSAPI_PUBLIC extern int
+ ACL_AttrGetterRegister(const char *attr, AttrGetterFn fn, ACLMethod_t m,
+ ACLDbType_t d, int position, void *arg);
+typedef ACLGetter_t *AttrGetterList; /* TEMPORARY */
+NSAPI_PUBLIC extern int
+ ACL_AttrGetterFind(PList_t auth_info, const char *attr,
+ AttrGetterList *getters);
+
+NSPR_END_EXTERN_C
+
+
+/* LAS return codes - Must all be negative numbers */
+#define LAS_EVAL_TRUE -1
+#define LAS_EVAL_FALSE -2
+#define LAS_EVAL_DECLINE -3
+#define LAS_EVAL_FAIL -4
+#define LAS_EVAL_INVALID -5
+#define LAS_EVAL_NEED_MORE_INFO -6
+
+#define ACL_ATTR_GROUP "group"
+#define ACL_ATTR_RAW_USER_LOGIN "user-login"
+#define ACL_ATTR_AUTH_USER "auth-user"
+#define ACL_ATTR_AUTH_TYPE "auth-type"
+#define ACL_ATTR_AUTH_DB "auth-db"
+#define ACL_ATTR_AUTH_PASSWORD "auth-password"
+#define ACL_ATTR_USER "user"
+#define ACL_ATTR_PASSWORD "pw"
+#define ACL_ATTR_USERDN "userdn"
+#define ACL_ATTR_RAW_USER "raw-user"
+#define ACL_ATTR_RAW_PASSWORD "raw-pw"
+#define ACL_ATTR_USER_ISMEMBER "user-ismember"
+#define ACL_ATTR_DATABASE "database"
+#define ACL_ATTR_DBTYPE "dbtype"
+#define ACL_ATTR_DBNAME "dbname"
+#define ACL_ATTR_DATABASE_URL "url"
+#define ACL_ATTR_METHOD "method"
+#define ACL_ATTR_AUTHTYPE "authtype"
+#define ACL_ATTR_AUTHORIZATION "authorization"
+#define ACL_ATTR_PARSEFN "parsefn"
+#define ACL_ATTR_ATTRIBUTE "attr"
+#define ACL_ATTR_GETTERFN "getterfunc"
+#define ACL_ATTR_IP "ip"
+#define ACL_ATTR_DNS "dns"
+#define ACL_ATTR_MODULE "module"
+#define ACL_ATTR_MODULEFUNC "func"
+#define ACL_ATTR_GROUPS "groups"
+#define ACL_ATTR_IS_VALID_PASSWORD "isvalid-password"
+#define ACL_ATTR_CERT2USER "cert2user"
+#define ACL_ATTR_USER_CERT "cert"
+#define ACL_ATTR_PROMPT "prompt"
+#define ACL_ATTR_TIME "time"
+#define ACL_ATTR_USERS_GROUP "users-group"
+
+#define ACL_DBTYPE_LDAP "ldap"
+
+#define METHOD_DEFAULT "default"
+
+typedef PRHashTable AttrGetterTable_t;
+
+typedef struct {
+ char *method;
+ char *authtype;
+ char *dbtype;
+ AttrGetterTable_t *attrGetters;
+} MethodInfo_t;
+
+NSPR_BEGIN_EXTERN_C
+
+NSAPI_PUBLIC int ACL_FindMethod (NSErr_t *errp, const char *method, MethodInfo_t **method_info_handle);
+NSAPI_PUBLIC int ACL_RegisterModule (NSErr_t *errp, const char *moduleName, AclModuleInitFunc func);
+NSAPI_PUBLIC int ACL_RegisterMethod (NSErr_t *errp, const char *method, const char *authtype, const char *dbtype, MethodInfo_t **method_info_handle);
+NSAPI_PUBLIC int ACL_RegisterAttrGetter (NSErr_t *errp, MethodInfo_t *method_info_handle, const char *attr, AttrGetterFn func);
+NSAPI_PUBLIC int ACL_UseAttrGettersFromMethod (NSErr_t *errp, const char *method, const char *usefrom);
+NSAPI_PUBLIC int ACL_GetAttribute(NSErr_t *errp, const char *attr, void **val, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
+NSAPI_PUBLIC int ACL_FindAttrGetter (NSErr_t *errp, const char *method, const char *attr, AttrGetterFn *func);
+NSAPI_PUBLIC int ACL_CallAttrGetter (NSErr_t *errp, const char *method, const char *attr, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
+NSAPI_PUBLIC int ACL_RegisterDbType(NSErr_t *errp, const char *dbtype, DbParseFn_t func);
+NSAPI_PUBLIC int ACL_RegisterDbName(NSErr_t *errp, ACLDbType_t dbtype, const char *dbname, const char *url, PList_t plist);
+NSAPI_PUBLIC int ACL_RegisterDbFromACL(NSErr_t *errp, const char *url, ACLDbType_t *dbtype);
+NSAPI_PUBLIC int ACL_DatabaseFind(NSErr_t *errp, const char *dbname,
+ ACLDbType_t *dbtype, void **db);
+NSAPI_PUBLIC int ACL_SetDefaultDatabase (NSErr_t *errp, const char *dbname);
+NSAPI_PUBLIC int ACL_SetDefaultMethod (NSErr_t *errp, const char *method);
+NSAPI_PUBLIC const char *ACL_DbnameGetDefault (NSErr_t *errp);
+NSAPI_PUBLIC int ACL_LDAPDatabaseHandle (NSErr_t *errp, const char *dbname, LDAP **ld);
+NSAPI_PUBLIC int ACL_AuthInfoGetDbname (NSErr_t *errp, PList_t auth_info, char **dbname);
+NSAPI_PUBLIC int ACL_CacheFlushRegister(AclCacheFlushFunc_t func);
+
+NSPR_END_EXTERN_C
+
+struct program_groups {
+ char **groups;
+ char **programs;
+};
+
+#endif
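Review bot: In the `#else` (C) branch, `LASEvalFunc_t` and `LASFlushFunc_t` are declared with empty parameter lists, so in C `ACL_LasRegister()` accepts an evaluator of any signature. A mismatch then shows up only as undefined behaviour when the callback is invoked. These callbacks take part in access decisions, so I would use the prototyped form in both languages and drop the `#ifdef __cplusplus`: `typedef int (*LASEvalFunc_t)(NSErr_t*, char*, CmpOp_t, char*, int*, void**, PList_t, PList_t, PList_t, PList_t);` and `typedef void (*LASFlushFunc_t)(void **);`, assuming `CmpOp_t` is visible to C callers through `<libaccess/acl.h>`. Likewise `ACL_MethodGetDefault()` and `ACL_DbTypeGetDefault()` should be declared with `(void)`. Also worth a comment: `ACL_DBTYPE_ANY` and `ACL_DBTYPE_INVALID` are `ACLDbType_t` handles but `ACL_DBTYPE_LDAP` is the string `"ldap"`, and because `ACLDbType_t` is `void *` the compiler accepts the string where a handle is expected.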
diff --git a/include/libaccess/stubs.h b/include/libaccess/stubs.h
new file mode 100644
index 00000000..8efa0923
--- /dev/null
+++ b/include/libaccess/stubs.h
@@ -0,0 +1,6 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+typedef void PropList_t;
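Review bot: stubs.h has no include guard, and repeating `typedef void PropList_t;` in one translation unit is a constraint violation before C11, so a second inclusion through another header can break the build on older compilers. I would guard it like the other headers in this directory, e.g. `#ifndef ACL_STUBS_H` / `#define ACL_STUBS_H` around the typedef and `#endif /* ACL_STUBS_H */` after it (the guard name is only a suggestion).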
diff --git a/include/libaccess/symbols.h b/include/libaccess/symbols.h
new file mode 100644
index 00000000..c711f351
--- /dev/null
+++ b/include/libaccess/symbols.h
@@ -0,0 +1,99 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __symbols_h
+#define __symbols_h
+
+/*
+ * Description (symbols.h)
+ *
+ * This file describes the interface to an ACL symbol table
+ * implementation. The symbol table provides for storing symbols
+ * keyed by name and type, creating a separate name space for
+ * each symbol type.
+ */
+
+#ifdef __PRIVATE_SYMBOLS
+
+#include "plhash.h"
+#include "base/crit.h"
+
+/*
+ * Description (SymTable_t)
+ *
+ * This type describes a symbols table. It contains a pointer to
+ * an NSPR hash table and a pointer to a monitor. The monitor is
+ * needed even for read access to the symbol table because NSPR
+ * modifies the list for a hash bucket when a name is looked up.
+ */
+
+typedef struct SymTable_s SymTable_t;
+struct SymTable_s {
+ CRITICAL stb_crit; /* monitor pointer */
+ PLHashTable * stb_ht; /* hash table pointer */
+};
+
+
+/* Private functions defined in symbols.c */
+/*
+static PLHashEntry * symAllocEntry(void * pool, const void *unused);
+static void * symAllocTable(void * pool, PRSize size);
+static int symCmpName(const void * name1, const void * name2);
+static int symCmpValue(const void * value1, const void * value2);
+static PLHashNumber symHash(const void * symkey);
+static void symFreeEntry(void * pool, PLHashEntry * he, PRUintn flag);
+static void symFreeTable(void * pool, void * item);
+*/
+#endif /* __PRIVATE_SYMBOLS */
+
+/*
+ * Description (Symbol_t)
+ *
+ * This type describes a symbol table entry. A symbol is
+ * identified by the combination of its name and type. This
+ * structure is normally embedded in a structure for a particular
+ * symbol type, which will contain the symbol "value" information
+ * as well.
+ */
+
+typedef struct Symbol_s Symbol_t;
+struct Symbol_s {
+ char * sym_name; /* pointer to symbol name string */
+ int sym_type; /* symbol type */
+ void *sym_data; /* symbol data storage */
+};
+
+/* Define error return codes */
+#define SYMERRNOMEM -1 /* insufficient dynamic memory */
+#define SYMERRDUPSYM -2 /* duplicate symbol name and type */
+#define SYMERRNOSYM -3 /* symbol name and type not found */
+
+/* Define return flags for symTableEnumerate() func() */
+#define SYMENUMSTOP 0x1 /* terminate enumeration */
+#define SYMENUMREMOVE 0x2 /* remove entry from symbol table */
+
+NSPR_BEGIN_EXTERN_C
+
+/* Public functions defined in symbols.c */
+extern int symTableAddSym(void * table, Symbol_t * newsym, void * symref);
+extern void symTableRemoveSym(void * table, Symbol_t * sym);
+extern void symTableDestroy(void * table, int flags);
+
+/* for ANSI C++ on SCO UDK, otherwise fn name is managled */
+#ifdef UnixWare
+typedef int (*ArgFn_symTableEnum)(Symbol_t * sym, void * parg);
+extern void symTableEnumerate(void * table, void * argp, ArgFn_symTableEnum);
+#else /* UnixWare */
+extern void symTableEnumerate(void * table, void * argp,
+ int (*func)(Symbol_t * sym, void * parg));
+#endif /* UnixWare */
+
+extern int symTableFindSym(void * table, char * symname,
+ int symtype, void **psymref);
+extern int symTableNew(void **ptable);
+
+NSPR_END_EXTERN_C
+
+#endif /* __symbols_h */
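Review bot: `NSPR_BEGIN_EXTERN_C` and `NSPR_END_EXTERN_C` wrap the public prototypes, but the only `#include` lines in this header sit inside `#ifdef __PRIVATE_SYMBOLS`. A file that includes symbols.h on its own without that macro therefore gets no definition for them from here, and the header compiles only if something included earlier defines them. I would include the defining header unconditionally near the top; nserror.h in this commit includes `<prtypes.h>` before using the same macros, which suggests that one, to be confirmed. userauth.h and usi.h in this commit use the macros with no include at all, and usi.h also calls `FREE()` in its macros without including whatever defines it. Minor: "managled" in the UnixWare comment should read "mangled".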
diff --git a/include/libaccess/userauth.h b/include/libaccess/userauth.h
new file mode 100644
index 00000000..84bf4d8a
--- /dev/null
+++ b/include/libaccess/userauth.h
@@ -0,0 +1,13 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef USERAUTH_H
+#define USERAUTH_H
+
+NSPR_BEGIN_EXTERN_C
+
+
+NSPR_END_EXTERN_C
+#endif
diff --git a/include/libaccess/usi.h b/include/libaccess/usi.h
new file mode 100644
index 00000000..7cbe7371
--- /dev/null
+++ b/include/libaccess/usi.h
@@ -0,0 +1,81 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef __usi_h
+#define __usi_h
+
+/*
+ * Description (usi.h)
+ *
+ * This file defines the interface to an unsigned integer datatype.
+ * Unsigned integers are used to represent object identifiers of
+ * various sorts, including user ids and group ids. Functions
+ * for manipulating lists of USIs are also provided in this
+ * interface.
+ */
+
+/* Define a type to contain an unsigned integer value */
+typedef unsigned int USI_t;
+
+/* Define a type to describe a list of USI_t values */
+typedef struct USIList_s USIList_t;
+struct USIList_s {
+ int uil_count; /* number of active values in list */
+ int uil_size; /* current size of list area in USI_t */
+ USI_t * uil_list; /* pointer to array of values */
+};
+
+/* Define macro to initialize a USIList_t structure */
+#define UILINIT(uilptr) \
+ { \
+ (uilptr)->uil_count = 0; \
+ (uilptr)->uil_size = 0; \
+ (uilptr)->uil_list = 0; \
+ }
+
+/* Define a macro to replace the contents of one USIList_t with another's */
+#define UILREPLACE(dst, src) \
+ { \
+ if ((dst)->uil_size > 0) { \
+ FREE((dst)->uil_list); \
+ } \
+ (dst)->uil_count = (src)->uil_count; \
+ (dst)->uil_size = (src)->uil_size; \
+ (dst)->uil_list = (src)->uil_list; \
+ (src)->uil_count = 0; \
+ (src)->uil_size = 0; \
+ (src)->uil_list = 0; \
+ }
+
+/* Define a variation of UILINIT() that frees any allocated space */
+#define UILFREE(uilptr) \
+ { \
+ if ((uilptr)->uil_size > 0) { \
+ FREE((uilptr)->uil_list); \
+ } \
+ (uilptr)->uil_count = 0; \
+ (uilptr)->uil_size = 0; \
+ (uilptr)->uil_list = 0; \
+ }
+
+/* Define a macro to extract the current number of items in a USIList_t */
+#define UILCOUNT(uilptr) ((uilptr)->uil_count)
+
+/* Define a macro to return a pointer to the array of values */
+#define UILLIST(uilptr) ((uilptr)->uil_list)
+
+NSPR_BEGIN_EXTERN_C
+
+/* Define functions in usi.c */
+extern USI_t * usiAlloc(USIList_t * uilptr, int count);
+extern int usiInsert(USIList_t * uilptr, USI_t usi);
+extern int usiPresent(USIList_t * uilptr, USI_t usi);
+extern int usiRemove(USIList_t * uilptr, USI_t usi);
+extern int uilDuplicate(USIList_t * dstptr, USIList_t * srcptr);
+extern int uilMerge(USIList_t * dstptr, USIList_t * srcptr);
+
+NSPR_END_EXTERN_C
+
+#endif /* __usi_h */
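Review bot: `UILINIT`, `UILREPLACE` and `UILFREE` expand to a bare `{ ... }` block, so `if (cond) UILFREE(p); else ...` fails to compile because the `;` after the block ends the `if`. The form also invites leaving the semicolon off. I would wrap each body as `do { ... } while (0)`, changing the opening `{ \` to `do { \` and the closing `}` to `} while (0)` in all three. `UILREPLACE` and `UILFREE` decide whether to free on `uil_size > 0` while `uil_size` is a signed `int`, so the struct comment should state that `uil_size` is never negative and that `uil_list` is non-NULL exactly when `uil_size > 0`. The macros also evaluate their arguments several times, which the comments above them should mention.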
diff --git a/include/libaccess/usrcache.h b/include/libaccess/usrcache.h
new file mode 100644
index 00000000..646d1fd9
--- /dev/null
+++ b/include/libaccess/usrcache.h
@@ -0,0 +1,104 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#ifndef ACL_USER_CACHE_H
+#define ACL_USER_CACHE_H
+
+#ifdef NSPR20
+#include <plhash.h>
+#else
+#include <nspr/prhash.h>
+#endif
+
+#include <sys/types.h>
+#include <time.h>
+/* Removed for new ns security integration
+#include <sec.h>
+*/
+#include <key.h>
+#include <cert.h>
+#include <prclist.h>
+
+typedef struct {
+ PRCList list; /* pointer to next & prev obj */
+ char *uid; /* unique within a database */
+ char *userdn; /* LDAP DN if using LDAP db */
+ char *passwd; /* password */
+ SECItem *derCert; /* raw certificate data */
+ char *group; /* group recently checked for membership */
+ time_t time; /* last time when the cache was validated */
+ PRHashTable *hashtable; /* hash table where this obj is being used */
+} UserCacheObj;
+
+NSPR_BEGIN_EXTERN_C
+
+/* Set the number of seconds the cache is valid */
+extern int acl_usr_cache_set_timeout (const int nsec);
+
+/* Is the cache enabled? */
+extern int acl_usr_cache_enabled();
+
+/* initialize user cache */
+extern int acl_usr_cache_init ();
+
+/* Creates a new user obj entry */
+extern int acl_usr_cache_insert (const char *uid, const char *dbname,
+ const char *dn, const char *passwd,
+ const char *group, const SECItem *derCert,
+ const time_t time);
+
+/* Add group to the user's cache obj. */
+extern int acl_usr_cache_set_group (const char *uid, const char *dbname,
+ const char *group, const time_t time);
+
+/* Add userdn to the user's cache obj. */
+extern int acl_usr_cache_set_userdn (const char *uid, const char *dbname,
+ const char *userdn, const time_t time);
+
+/* Returns LAS_EVAL_TRUE if the user's password matches -- also returns the dn */
+extern int acl_usr_cache_passwd_check (const char *uid, const char *dbname,
+ const char *passwd,
+ const time_t time, char **dn,
+ pool_handle_t *pool);
+
+/* Returns LAS_EVAL_TRUE if the user is a member of the group */
+extern int acl_usr_cache_group_check (const char *uid, const char *dbname,
+ const char *group, const time_t time);
+
+/* Returns LAS_EVAL_TRUE if the user is a member of the group */
+extern int acl_usr_cache_group_len_check (const char *uid, const char *dbname,
+ const char *group,
+ const int len,
+ const time_t time);
+
+/* Returns LAS_EVAL_TRUE if the user's cache is valid and has a group */
+extern int acl_usr_cache_get_group (const char *uid, const char *dbname,
+ const time_t time, char **group,
+ pool_handle_t *pool);
+
+/* Returns LAS_EVAL_TRUE if the user is a member of the group */
+extern int acl_usr_cache_userdn_check (const char *uid, const char *dbname,
+ const char *userdn, const time_t time);
+
+/* Returns LAS_EVAL_TRUE if the user's cache is valid and has userdn */
+extern int acl_usr_cache_get_userdn (const char *uid, const char *dbname,
+ const time_t time, char **userdn,
+ pool_handle_t *pool);
+
+/* Creates a new user obj entry for cert to user mapping */
+extern int acl_cert_cache_insert (void *cert, const char *dbname,
+ const char *uid, const char *dn,
+ const time_t time);
+
+/* Returns LAS_EVAL_TRUE if the user's cache is valid and returns uid */
+extern int acl_cert_cache_get_uid (void *cert, const char *dbname,
+ const time_t time, char **uid,
+ char **dn, pool_handle_t *pool);
+
+NSPR_END_EXTERN_C
+
+
+#endif /* ACL_USER_CACHE_H */
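Review bot: The `passwd` member of `UserCacheObj` and the `passwd` parameters of `acl_usr_cache_insert` and `acl_usr_cache_passwd_check` do not say whether the cache holds the cleartext password or a digest. Nothing in this header says the buffer is cleared when an entry times out or is replaced. A credential cache keeps the secret in process memory (and in any core dump) for the whole timeout window, so the field comment should state the stored form and the cleanup duty, e.g. `char *passwd; /* cached credential -- state cleartext vs. digest; zero before free */`. Separately, the comment above `acl_usr_cache_userdn_check` looks copied from the group check and presumably should read `/* Returns LAS_EVAL_TRUE if the cached userdn matches */`. `acl_usr_cache_enabled()` and `acl_usr_cache_init ()` should also be declared with `(void)` so that calls are checked against a prototype.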