1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
3*0Sstevel@tonic-gate  * Use is subject to license terms.
4*0Sstevel@tonic-gate  */
5*0Sstevel@tonic-gate 
6*0Sstevel@tonic-gate #ifndef _SERVER_ACL_H
7*0Sstevel@tonic-gate #define	_SERVER_ACL_H
8*0Sstevel@tonic-gate 
9*0Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
10*0Sstevel@tonic-gate 
11*0Sstevel@tonic-gate #ifdef	__cplusplus
12*0Sstevel@tonic-gate extern "C" {
13*0Sstevel@tonic-gate #endif
14*0Sstevel@tonic-gate 
15*0Sstevel@tonic-gate 
16*0Sstevel@tonic-gate /*
17*0Sstevel@tonic-gate  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
18*0Sstevel@tonic-gate  *
19*0Sstevel@tonic-gate  *	Openvision retains the copyright to derivative works of
20*0Sstevel@tonic-gate  *	this source code.  Do *NOT* create a derivative of this
21*0Sstevel@tonic-gate  *	source code before consulting with your legal department.
22*0Sstevel@tonic-gate  *	Do *NOT* integrate *ANY* of this source code into another
23*0Sstevel@tonic-gate  *	product before consulting with your legal department.
24*0Sstevel@tonic-gate  *
25*0Sstevel@tonic-gate  *	For further information, read the top-level Openvision
26*0Sstevel@tonic-gate  *	copyright which is contained in the top-level MIT Kerberos
27*0Sstevel@tonic-gate  *	copyright.
28*0Sstevel@tonic-gate  *
29*0Sstevel@tonic-gate  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
30*0Sstevel@tonic-gate  *
31*0Sstevel@tonic-gate  */
32*0Sstevel@tonic-gate 
33*0Sstevel@tonic-gate 
34*0Sstevel@tonic-gate /*
35*0Sstevel@tonic-gate  * kadmin/v5server/kadm5_defs.h
36*0Sstevel@tonic-gate  *
37*0Sstevel@tonic-gate  * Copyright 1995 by the Massachusetts Institute of Technology.
38*0Sstevel@tonic-gate  * All Rights Reserved.
39*0Sstevel@tonic-gate  *
40*0Sstevel@tonic-gate  * Export of this software from the United States of America may
41*0Sstevel@tonic-gate  *   require a specific license from the United States Government.
42*0Sstevel@tonic-gate  *   It is the responsibility of any person or organization contemplating
43*0Sstevel@tonic-gate  *   export to obtain such a license before exporting.
44*0Sstevel@tonic-gate  *
45*0Sstevel@tonic-gate  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
46*0Sstevel@tonic-gate  * distribute this software and its documentation for any purpose and
47*0Sstevel@tonic-gate  * without fee is hereby granted, provided that the above copyright
48*0Sstevel@tonic-gate  * notice appear in all copies and that both that copyright notice and
49*0Sstevel@tonic-gate  * this permission notice appear in supporting documentation, and that
50*0Sstevel@tonic-gate  * the name of M.I.T. not be used in advertising or publicity pertaining
51*0Sstevel@tonic-gate  * to distribution of the software without specific, written prior
52*0Sstevel@tonic-gate  * permission.  Furthermore if you modify this software you must label
53*0Sstevel@tonic-gate  * your software as modified software and not distribute it in such a
54*0Sstevel@tonic-gate  * fashion that it might be confused with the original M.I.T. software.
55*0Sstevel@tonic-gate  * M.I.T. makes no representations about the suitability of
56*0Sstevel@tonic-gate  * this software for any purpose.  It is provided "as is" without express
57*0Sstevel@tonic-gate  * or implied warranty.
58*0Sstevel@tonic-gate  *
59*0Sstevel@tonic-gate  */
60*0Sstevel@tonic-gate 
61*0Sstevel@tonic-gate #include <admin.h> /* SUNWresync121 XXX */
62*0Sstevel@tonic-gate 
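/*
 * Debug-trace categories. Each is a distinct bit so that several can be
 * OR-ed into one level mask and tested with DPRINT/DLOG below.
 */
#define	DEBUG_SPROC	1
#define	DEBUG_OPERATION	2
#define	DEBUG_HOST	4
#define	DEBUG_REALM	8
#define	DEBUG_REQUESTS	16
#define	DEBUG_ACL	32
#define	DEBUG_PROTO	64
#define	DEBUG_CALLS	128
#define	DEBUG_NOSLAVES	256

/*
 * DPRINT(l1, cl, al): when the current debug mask `cl` has any bit of
 * `l1` set, call printf with the parenthesised argument list `al`, e.g.
 *	DPRINT(DEBUG_ACL, debug_level, ("acl: %s\n", name));
 *
 * Both macros are wrapped in do { ... } while (0) so that an invocation
 * is exactly one statement: the bare `if (...) printf al` form would
 * otherwise bind a following `else` to the macro's own `if`
 * (dangling-else), and the non-DEBUG expansion to nothing would turn
 * `if (x) DPRINT(...); else ...` into `if (x) ; else ...`.  Macro
 * arguments are parenthesised so that `a | b` style expressions work.
 *
 * DPRINT is only compiled in when DEBUG is defined; otherwise it
 * expands to an empty statement.
 */
#ifdef	DEBUG
#define	DPRINT(l1, cl, al)	do { if (((cl) & (l1)) != 0) printf al; } while (0)
#else	/* DEBUG */
#define	DPRINT(l1, cl, al)	do { } while (0)
#endif	/* DEBUG */

/*
 * DLOG(l1, cl, msg): same gating as DPRINT, but routes `msg` through
 * com_err() under the including program's `programname`.  Neither
 * `com_err` nor `programname` is declared by this header; the including
 * translation unit must provide them.  `msg` lands in com_err's format
 * argument position, so pass a string literal (or "%s" plus the text),
 * never text derived from the request being logged.  Unlike DPRINT,
 * DLOG is active in non-DEBUG builds too.
 */
#define	DLOG(l1, cl, msg)	do { if (((cl) & (l1)) != 0)	\
					com_err(programname, 0, msg); } while (0)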
82*0Sstevel@tonic-gate 
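/*
 * Access-control bits.  Each right is a distinct bit so that a
 * principal's permissions (and ACL_ALL_MASK) are built by OR-ing them.
 * Bit values 64, 128 and 1024..32768 are currently unassigned.
 */
#define	ACL_INQUIRE		1	/* GET */
#define	ACL_ADD			2
#define	ACL_MODIFY		4
#define	ACL_DELETE		8
#define	ACL_LIST		16
#define	ACL_CHANGEPW		32
/*
 * Retired bits, kept for reference only.  NOTE: ACL_CHANGE_OWN_PW's old
 * value 16 now collides with ACL_LIST -- do not re-enable it as is.
 */
/* #define ACL_CHANGE_OWN_PW	16 */
/* #define ACL_EXTRACT		64 */
#define	ACL_SETKEY		256
#define	ACL_MIGRATE		512	/* pam_krb5_migrate */
#define	ACL_IPROP		65536	/* SUNW IProp */
/*
 * Rename needs both add and delete rights.  Written as a bitwise OR
 * rather than '+' to make the mask composition explicit; the value is
 * unchanged because the two bits are disjoint.
 */
#define	ACL_RENAME		(ACL_ADD | ACL_DELETE)

/* Every defined right.  ACL_RENAME is covered via ACL_ADD | ACL_DELETE. */
#define	ACL_ALL_MASK		(ACL_ADD	| \
				 ACL_DELETE	| \
				 ACL_MODIFY	| \
				 ACL_CHANGEPW	| \
				 ACL_INQUIRE	| \
				 ACL_LIST	| \
				 ACL_IPROP	| \
				 ACL_MIGRATE	| \
				 ACL_SETKEY)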
108*0Sstevel@tonic-gate 
/*
 * Restrictions attached to an ACL entry.  acl_check() hands one back
 * through its restriction_t ** argument and acl_impose_restrictions()
 * applies it to a principal entry; the exact semantics of each field
 * live in server_acl.c, not in this header.  `mask` presumably records
 * which of the remaining fields are set (KADM5_* mask bits) -- confirm
 * against server_acl.c.
 */
typedef struct _restriction {
    long		mask;			/* which fields below are in effect */
    krb5_flags		require_attrs;		/* attribute flags the entry must have (presumably) */
    krb5_flags		forbid_attrs;		/* attribute flags the entry must not have (presumably) */
    krb5_deltat		princ_lifetime;		/* relative limit on principal expiry -- confirm */
    krb5_deltat		pw_lifetime;		/* relative limit on password expiry -- confirm */
    krb5_deltat		max_life;		/* ticket lifetime limit -- confirm */
    krb5_deltat		max_renewable_life;	/* renewable lifetime limit -- confirm */
    long		aux_attributes;		/* NOTE(review): meaning not visible here */
    char		*policy;		/* policy name; ownership not shown here -- confirm */
} restriction_t;
120*0Sstevel@tonic-gate 
/*
 * Load the server ACL.  The parameters are unnamed in this prototype;
 * the int and char * are presumably a debug level and the ACL file
 * name -- confirm against server_acl.c.  Returns a krb5_error_code
 * (0 on success).
 */
krb5_error_code acl_init
	KRB5_PROTOTYPE((krb5_context,
		   int,
		   char *));
/*
 * Release whatever acl_init() loaded.  The int is presumably the same
 * debug level passed to acl_init() -- confirm.
 */
void acl_finish
	KRB5_PROTOTYPE((krb5_context,
		   int));
/*
 * Authorization decision: does the GSS-named caller hold the requested
 * rights (the krb5_int32 is presumably a mask of ACL_* bits) on the
 * target principal?  On a TRUE result the restriction_t ** may be set
 * to the matching entry's restrictions.  Callers must treat any value
 * other than TRUE as a denial; there is no separate error path.
 */
krb5_boolean acl_check
	KRB5_PROTOTYPE((krb5_context,
		   gss_name_t,
		   krb5_int32,
		   krb5_principal,
		   restriction_t **));
/*
 * Apply a restriction_t to a principal entry.  The long * matches the
 * type of restriction_t.mask and is presumably the caller's KADM5 mask,
 * updated to reflect the fields changed here -- confirm.  Returns a
 * krb5_error_code (0 on success).
 */
krb5_error_code acl_impose_restrictions
	KRB5_PROTOTYPE((krb5_context,
		   kadm5_principal_ent_rec *,
		   long *,
		   restriction_t *));
139*0Sstevel@tonic-gate #ifdef	__cplusplus
140*0Sstevel@tonic-gate }
141*0Sstevel@tonic-gate #endif
142*0Sstevel@tonic-gate 
143*0Sstevel@tonic-gate #endif	/* !_SERVER_ACL_H */