xref: /onnv-gate/usr/src/lib/krb5/kadm5/srv/server_acl.h (revision 781:57319a72b15f)

/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _SERVER_ACL_H
#define	_SERVER_ACL_H

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#ifdef	__cplusplus
extern "C" {
#endif


/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 *	Openvision retains the copyright to derivative works of
 *	this source code.  Do *NOT* create a derivative of this
 *	source code before consulting with your legal department.
 *	Do *NOT* integrate *ANY* of this source code into another
 *	product before consulting with your legal department.
 *
 *	For further information, read the top-level Openvision
 *	copyright which is contained in the top-level MIT Kerberos
 *	copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */


/*
 * kadmin/v5server/kadm5_defs.h
 *
 * Copyright 1995 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 */

#include <admin.h> /* SUNWresync121 XXX */

/*
 * Debug definitions.
 */
#define	DEBUG_SPROC	1
#define	DEBUG_OPERATION	2
#define	DEBUG_HOST	4
#define	DEBUG_REALM	8
#define	DEBUG_REQUESTS	16
#define	DEBUG_ACL	32
#define	DEBUG_PROTO	64
#define	DEBUG_CALLS	128
#define	DEBUG_NOSLAVES	256
#ifdef	DEBUG
#define	DPRINT(l1, cl, al)	if ((cl & l1) != 0) printf al
#else	/* DEBUG */
#define	DPRINT(l1, cl, al)
#endif	/* DEBUG */
#define	DLOG(l1, cl, msg)	if ((cl & l1) != 0)	\
					com_err(programname, 0, msg)

/*
 * Access control bits.
 */
#define	ACL_INQUIRE		1	/* GET */
#define	ACL_ADD			2
#define	ACL_MODIFY		4
#define	ACL_DELETE		8
#define	ACL_LIST		16
#define	ACL_CHANGEPW		32
/* #define ACL_CHANGE_OWN_PW	16 */
/* #define ACL_EXTRACT		64 */
#define ACL_SETKEY		256
#define	ACL_MIGRATE		512	/* pam_krb5_migrate */
#define ACL_IPROP		65536	/* SUNW IProp */
#define	ACL_RENAME		(ACL_ADD+ACL_DELETE)

#define	ACL_ALL_MASK		(ACL_ADD	| \
				 ACL_DELETE	| \
				 ACL_MODIFY	| \
				 ACL_CHANGEPW	| \
				 ACL_INQUIRE	| \
				 ACL_LIST	| \
				 ACL_IPROP	| \
				 ACL_MIGRATE	| \
				 ACL_SETKEY)

typedef struct _restriction {
    long		mask;
    krb5_flags		require_attrs;
    krb5_flags		forbid_attrs;
    krb5_deltat		princ_lifetime;
    krb5_deltat		pw_lifetime;
    krb5_deltat		max_life;
    krb5_deltat		max_renewable_life;
    long		aux_attributes;
    char		*policy;
} restriction_t;

krb5_error_code acl_init
	(krb5_context,
		   int,
		   char *);
void acl_finish
	(krb5_context,
		   int);
krb5_boolean acl_check
	(krb5_context,
		   gss_name_t,
		   krb5_int32,
		   krb5_principal,
		   restriction_t **);
krb5_error_code acl_impose_restrictions
	(krb5_context,
		   kadm5_principal_ent_rec *,
		   long *,
		   restriction_t *);
#ifdef	__cplusplus
}
#endif

#endif	/* !_SERVER_ACL_H */