1/*
2 * Copyright (c) 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 *    may be used to endorse or promote products derived from this software
21 *    without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#ifndef __heimodadmin_h__
37#define __heimodadmin_h__ 1
38
39#import <CoreFoundation/CoreFoundation.h>
40#import <CFOpenDirectory/CFOpenDirectory.h>
41#import <Security/Security.h>
42
/*
 * "CFTypeRef flags" (as used by the HeimOD* functions below) is either a
 * single CFStringRef holding one of the kPrincipalFlag* values, or a
 * CFArrayRef of such CFStringRefs.
 */

/*
 * Per-principal Kerberos flags. Each macro expands to a CFSTR() literal, so
 * the flag is carried as a CFString value (compare with CFEqual, not ==).
 */
#define kPrincipalFlagInitial			CFSTR("Initial") /* can only be used for initial tickets */
#define kPrincipalFlagForwardable		CFSTR("Forwardable") /* forwardable ticket allowed */
#define kPrincipalFlagProxyable			CFSTR("Proxiable") /* proxiable ticket allowed (note the string spelling differs from the macro name) */
#define kPrincipalFlagRenewable			CFSTR("Renewable") /* renewable ticket allowed */
#define kPrincipalFlagServer			CFSTR("Server") /* allowed to be used as a server */
#define kPrincipalFlagPasswordChangeService	CFSTR("PasswordChangeService") /* allowed to be used as the password change service */
#define kPrincipalFlagOKAsDelegate		CFSTR("OkAsDelegate") /* ok to delegate/forward credentials to */
#define kPrincipalFlagRequireStrongPreAuthentication	CFSTR("RequireStrongPreAuth") /* require smartcard or another strong pre-authentication mechanism; password-only pre-auth is not enough */
#define kPrincipalFlagImmutable			CFSTR("Immutable") /* immutable: the entry can't be removed and possibly can't be changed */
#define kPrincipalFlagInvalid			CFSTR("Invalid") /* invalid and not usable yet; set on newly created principals (see HeimODCreatePrincipalData) */
59
/*
 * ACL rights for an entry. Passed to HeimODSetACL/HeimODClearACL through the
 * "CFTypeRef flags" argument (presumably one of these CFStringRefs or a
 * CFArrayRef of them, mirroring the principal flags convention -- confirm)
 * and returned by HeimODCopyACL. kHeimODACLAll presumably covers every right
 * listed below; grant the narrower individual rights where they suffice.
 */
#define kHeimODACLAll				CFSTR("kHeimODACLAll")
#define kHeimODACLChangePassword		CFSTR("kHeimODACLChangePassword")
#define kHeimODACLList				CFSTR("kHeimODACLList")
#define kHeimODACLDelete			CFSTR("kHeimODACLDelete")
#define kHeimODACLModify			CFSTR("kHeimODACLModify")
#define kHeimODACLAdd				CFSTR("kHeimODACLAdd")
#define kHeimODACLGet				CFSTR("kHeimODACLGet")
67
/*
 * Constants for the srptype argument to HeimODCreateSRPKeys (srptype is a
 * CFArrayRef, so these are its elements). As the name indicates, this one
 * selects the RFC 5054 4096-bit SRP group with a PBKDF2-SHA512 derived
 * verifier.
 */
#define kHeimSRPGroupRFC5054_4096_PBKDF2_SHA512	CFSTR("kHeimSRPGroupRFC5054_4096_PBKDF2_SHA512")
70
/*
 * Flag bits for the "unsigned long flags" argument of HeimODModifyKeys
 * (0 means "return a new keyset"); presumably also accepted by HeimODSetKeys,
 * given the kHeimODAdminSetKeysAppendKey name -- confirm.
 */
enum {
    kHeimODAdminSetKeysAppendKey			= 1, /* alias of kHeimODAdminAppendKeySet (same value) */
    kHeimODAdminAppendKeySet			= 1, /* add an additional keyset, keeping the old versions */
    kHeimODAdminDeleteEnctypes			= 2  /* delete enctype from all keysets */
};
76
/*
 * Flag bits for the "unsigned long flags" argument of HeimODLoadRecord
 * (presumably, by name -- confirm): append the loaded data to the record
 * instead of replacing it.
 */
enum {
    kHeimODAdminLoadAsAppend				= 1
};
80
81#ifdef __cplusplus
82extern "C" {
83#endif
84
/*
 * Creates a support principal for the realm in node.
 *
 * @param node  OpenDirectory node to create the realm data in
 * @param realm name of the realm
 * @param error optional out-parameter (NULL allowed); may receive a
 *              CFErrorRef on failure
 * @return int status; the success value is not stated in this header --
 *         confirm against the implementation before testing it
 */
int		HeimODCreateRealm(ODNodeRef node, CFStringRef realm, CFErrorRef *error);
87
/*
 * Create / remove the Kerberos principal data of an OpenDirectory record.
 *
 * Principals are created with kPrincipalFlagInvalid set and have to be
 * cleared (presumably via HeimODClearKerberosFlags -- confirm) before they
 * become usable. "flags" follows the CFTypeRef flags convention at the top
 * of this file: a kPrincipalFlag* CFStringRef or a CFArrayRef of them.
 * "principal" is the principal name to attach to (or remove from) record.
 * The int return is a status whose success value is not stated here.
 */
int		HeimODCreatePrincipalData(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFStringRef principal, CFErrorRef *error);
int		HeimODRemovePrincipalData(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFErrorRef *error);
91
/*
 * Manage the Kerberos flags of this entry. "flags" is a kPrincipalFlag*
 * CFStringRef or a CFArrayRef of them (convention at the top of the file).
 */
int		HeimODSetKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
CFArrayRef	HeimODCopyKerberosFlags(ODNodeRef node, ODRecordRef record, CFErrorRef *error); /* returns the flags currently set; caller owns the array (CF "Copy" rule) */
int		HeimODClearKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error); /* clears the given flags, e.g. kPrincipalFlagInvalid after creation */
96
/*
 * Manage the ACL of an entry. "flags" carries kHeimODACL* rights, presumably
 * as a CFStringRef or a CFArrayRef of them (same shape as the principal
 * flags -- confirm). HeimODCopyACL returns the rights currently set; the
 * caller owns the returned array (CF "Copy" rule).
 */
int
HeimODSetACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
CFArrayRef
HeimODCopyACL(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int
HeimODClearACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
104
/*
 * Manage server aliases (alternative principal names) for this record.
 * HeimODCopyServerAliases returns the current aliases; the caller owns the
 * array (CF "Copy" rule).
 */
int		HeimODAddServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
int		HeimODRemoveServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
CFArrayRef	HeimODCopyServerAliases(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
109
/*
 * Ticket lifetimes. The unnamed time_t argument of the setters is the new
 * maximum ticket life / maximum renewable life (unit presumably seconds, as
 * for time_t -- confirm). The getters return the stored value; how a failure
 * is signalled in the time_t return is not stated here -- confirm before
 * relying on a sentinel.
 */
int		HeimODSetKerberosMaxLife(ODNodeRef node, ODRecordRef record, time_t, CFErrorRef *error);
time_t		HeimODGetKerberosMaxLife(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int		HeimODSetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record, time_t, CFErrorRef *error);
time_t		HeimODGetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
115
/*
 * Set the password / Kerberos keys of a principal.
 *
 * enctypes are optional; if NULL, the default types are used (see
 * HeimODCopyDefaultEnctypes).
 * If password is NULL, a random password is used, i.e. the principal gets
 * random keys. password is a CFTypeRef; the accepted concrete types are not
 * stated in this header -- confirm.
 * flags is presumably 0 or the kHeimODAdmin* values above -- confirm.
 * HeimODCopyDefaultEnctypes returns the default enctype list; the caller
 * owns the array (CF "Copy" rule).
 */
int		HeimODSetKeys(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFArrayRef enctypes, CFTypeRef password, unsigned long flags, CFErrorRef *error);
CFArrayRef	HeimODCopyDefaultEnctypes(CFErrorRef *error);
121
/*
 * SRP: store SRP verifiers for the principal. "types" is presumably an
 * array of kHeimSRPGroup* constants (as for HeimODCreateSRPKeys) -- confirm.
 * password is the secret the verifiers are derived from; returns false on
 * failure (presumably with *error set when error is non-NULL).
 */
bool		HeimODSetVerifiers(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFArrayRef types, CFTypeRef password, unsigned long flags, CFErrorRef *error);
124
/**
 * Add/delete/modify a keyset
 *
 * Used to manipulate Kerberos keys.
 * This function does not touch the keys stored in OpenDirectory; storing the
 * result is up to the caller.
 *
 * Most callers should not pass kHeimODAdminAppendKeySet when changing the
 * password of a user; it should only be used for services that do key
 * rollover, and for Mac OS X Server, which stores keysets for different
 * principals in the same computer record.
 *
 * @param prevKeyset keyset to be manipulated, can be NULL
 * @param principal the principal the keys are for, used for salting
 * @param enctypes enctypes to set; use HeimODCopyDefaultEnctypes() to get the default list
 * @param password new password; can be NULL if enctypes are being deleted
 * @param flags
 * 	0: return a new keyset
 * 	kHeimODAdminAppendKeySet: add an additional keyset (keep the old versions)
 * 	kHeimODAdminDeleteEnctypes: delete enctypes from the old keysets
 *
 * @param error returns a CFErrorRef describing the failure, if there is one; NULL is allowed if no error is expected.
 * @return the new keyset (caller owns it, cf_returns_retained) or NULL on failure, in which case error might be set
 */
CFArrayRef	HeimODModifyKeys(CFArrayRef prevKeyset, CFStringRef principal, CFArrayRef enctypes, CFTypeRef password, unsigned long flags, CFErrorRef *error) __attribute__((cf_returns_retained));


/**
 * Create SRP keys (verifiers) for a principal.
 *
 * @param srptype array of SRP group/KDF selectors, e.g. kHeimSRPGroupRFC5054_4096_PBKDF2_SHA512
 * @param principal the principal the keys are for (presumably used for salting, as in HeimODModifyKeys -- confirm)
 * @param password the secret to derive the verifiers from
 * @param flags not described in this header -- confirm against the implementation
 * @param error optional out-parameter for a CFErrorRef (NULL allowed)
 * @return the created keys, or NULL on failure; by the CF "Create" rule the caller owns the result
 */
CFArrayRef	HeimODCreateSRPKeys(CFArrayRef srptype, CFStringRef principal, CFTypeRef password, unsigned long flags, CFErrorRef *error);
149
/**
 * Debug function to render the content of a keyset element as a string.
 *
 * NOTE(review): the element comes from a Kerberos keyset, so the output may
 * include key material -- treat it as sensitive and keep it out of
 * production logs; confirm what the implementation actually prints.
 *
 * @param element element to print
 * @param error optional out-parameter for a CFErrorRef; NULL by default
 * @return the debug string; caller owns it (cf_returns_retained)
 */
CFStringRef	HeimODKeysetToString(CFDataRef element, CFErrorRef *error) __attribute__((cf_returns_retained));
158
/*
 * Manage the certificate names allowed to authenticate as this principal
 * (aka AltSecurityIdentities).
 *
 * A certificate can be bound by the certificate itself, by its
 * subject/issuer name pair, or by a SHA-1 digest of it.
 * NOTE(review): SHA-1 is no longer collision resistant; where the rest of the
 * stack allows it, prefer binding by the certificate or by subject/issuer
 * over a bare SHA-1 digest.
 * HeimODCopySubjectAltNames returns the current bindings (caller owns the
 * array, CF "Copy" rule); pass one of its elements back to
 * HeimODRemoveSubjectAltElement to remove that binding.
 */
int		HeimODAddCertificate(ODNodeRef node, ODRecordRef record, SecCertificateRef ref, CFErrorRef *error);
int		HeimODAddSubjectAltCertName(ODNodeRef node, ODRecordRef record, CFStringRef subject, CFStringRef issuer, CFErrorRef *error);
int		HeimODAddSubjectAltCertSHA1Digest(ODNodeRef node, ODRecordRef record, CFDataRef hash, CFErrorRef *error);
CFArrayRef	HeimODCopySubjectAltNames(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int		HeimODRemoveSubjectAltElement(ODNodeRef node, ODRecordRef record, CFTypeRef element, CFErrorRef *error); /* element is one element as returned by HeimODCopySubjectAltNames */
165
/*
 * These are for the MMe/AppleID certificate infrastructure: bind (or unbind)
 * a leaf certificate subject together with the subject of the trust anchor
 * it must chain to.
 */
int		HeimODAddCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record, CFStringRef leafSubject, CFStringRef trustAnchorSubject, CFErrorRef *error);
int		HeimODRemoveCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record, CFStringRef leafSubject, CFStringRef trustAnchorSubject, CFErrorRef *error);
169
/* Add / remove a Kerberos principal alias for MMe/AppleID */
int		HeimODAddAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
int		HeimODRemoveAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
173
174
/*
 * Dump and load entries.
 *
 * HeimODDumpRecord returns the principal's data as a dictionary (caller owns
 * it, cf_returns_retained), or NULL on failure. NOTE(review): the dump may
 * include key material -- confirm, and treat the dictionary as sensitive.
 * HeimODLoadRecord writes a dictionary of the same shape back; flags is
 * presumably 0 or kHeimODAdminLoadAsAppend -- confirm. Returns false on
 * failure.
 */
CFDictionaryRef	HeimODDumpRecord(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFErrorRef *error) __attribute__((cf_returns_retained));
bool		HeimODLoadRecord(ODNodeRef node, ODRecordRef record, CFDictionaryRef dict, unsigned long flags, CFErrorRef *error);

/*
 * Heimdal HDB entry; only forward-declared here so that this header does not
 * depend on the HDB headers. HeimODDumpHdbEntry converts it to the same
 * dictionary form as HeimODDumpRecord (presumably -- confirm); caller owns
 * the result.
 */
struct hdb_entry;
CFDictionaryRef	HeimODDumpHdbEntry(struct hdb_entry *, CFErrorRef *error) __attribute__((cf_returns_retained));
181
182#ifdef __cplusplus
183};
184#endif
185
186#endif /* __heimodadmin_h__ */
187