/*
 * Copyright (c) 2010 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef __heimodadmin_h__
#define __heimodadmin_h__ 1

#import <CoreFoundation/CoreFoundation.h>
#import <CFOpenDirectory/CFOpenDirectory.h>
#import <Security/Security.h>

/*
 * Wherever a parameter below is declared as "CFTypeRef flags" it accepts
 * either a single CFStringRef holding one kPrincipalFlag* value, or a
 * CFArrayRef whose elements are such CFStringRefs.
 */

/*
 * Principal flags.  The CFSTR() text is the value the library works with;
 * the macro names are only conveniences for callers (note that
 * kPrincipalFlagProxyable deliberately maps to the string "Proxiable").
 */
#define kPrincipalFlagInitial                         CFSTR("Initial")               /* usable only for initial tickets */
#define kPrincipalFlagForwardable                     CFSTR("Forwardable")           /* forwardable tickets allowed */
#define kPrincipalFlagProxyable                       CFSTR("Proxiable")             /* proxiable tickets allowed */
#define kPrincipalFlagRenewable                       CFSTR("Renewable")             /* renewable tickets allowed */
#define kPrincipalFlagServer                          CFSTR("Server")                /* may act as a server */
#define kPrincipalFlagPasswordChangeService           CFSTR("PasswordChangeService") /* may act as the password change service */
#define kPrincipalFlagOKAsDelegate                    CFSTR("OkAsDelegate")          /* ok to delegate/forward credentials to */
#define kPrincipalFlagRequireStrongPreAuthentication  CFSTR("RequireStrongPreAuth")  /* smartcard or other strong mechanism required */
#define kPrincipalFlagImmutable                       CFSTR("Immutable")             /* immutable: cannot be removed and possibly not changed */
#define kPrincipalFlagInvalid                         CFSTR("Invalid")               /* invalid, not usable yet */

/*
 * ACL rights for an entry (see HeimODSetACL/HeimODCopyACL/HeimODClearACL).
 * kHeimODACLAll presumably covers all of the individual rights — confirm
 * against the implementation before relying on it.
 */
#define kHeimODACLAll             CFSTR("kHeimODACLAll")
#define kHeimODACLChangePassword  CFSTR("kHeimODACLChangePassword")
#define kHeimODACLList            CFSTR("kHeimODACLList")
#define kHeimODACLDelete          CFSTR("kHeimODACLDelete")
#define kHeimODACLModify          CFSTR("kHeimODACLModify")
#define kHeimODACLAdd             CFSTR("kHeimODACLAdd")
#define kHeimODACLGet             CFSTR("kHeimODACLGet")

/* Flags for HeimODSetKeys() and HeimODModifyKeys(). */
enum {
    kHeimODAdminSetKeysAppendKey = 1,
    kHeimODAdminAppendKeySet     = 1, /* add an additional keyset, keeping the old ones */
    kHeimODAdminDeleteEnctypes   = 2  /* delete the given enctypes from all keysets */
};

/* Flags for HeimODLoadRecord(). */
enum {
    kHeimODAdminLoadAsAppend = 1
};

#ifdef __cplusplus
extern "C" {
#endif

/* Creates a support principal for the realm in the given node. */
int
HeimODCreateRealm(ODNodeRef node, CFStringRef realm, CFErrorRef *error);

/*
 * Principal data management.
 *
 * Newly created principals carry the Invalid flag, so they cannot be
 * used until that flag is cleared (presumably with
 * HeimODClearKerberosFlags).  This is fail-closed by design: a principal
 * whose keys and flags are not yet fully set up is not usable.
 */
int
HeimODCreatePrincipalData(ODNodeRef node, ODRecordRef record, CFTypeRef flags,
                          CFStringRef principal, CFErrorRef *error);
int
HeimODRemovePrincipalData(ODNodeRef node, ODRecordRef record,
                          CFStringRef principal, CFErrorRef *error);

/*
 * Kerberos flags for an entry.
 *
 * NOTE(review): HeimODCopyKerberosFlags is not annotated
 * cf_returns_retained, unlike HeimODModifyKeys below; the "Copy" name
 * suggests the caller owns the returned array — confirm before releasing.
 */
int
HeimODSetKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags,
                       CFErrorRef *error);
CFArrayRef
HeimODCopyKerberosFlags(ODNodeRef node, ODRecordRef record, CFErrorRef *error); /* returns the flags currently set */
int
HeimODClearKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags,
                         CFErrorRef *error);

/* ACL for an entry; "flags" here is one or more of the kHeimODACL* strings. */
int
HeimODSetACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
CFArrayRef
HeimODCopyACL(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int
HeimODClearACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);

/* Server aliases for this record. */
int
HeimODAddServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias,
                     CFErrorRef *error);
int
HeimODRemoveServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias,
                        CFErrorRef *error);
CFArrayRef
HeimODCopyServerAliases(ODNodeRef node, ODRecordRef record, CFErrorRef *error);

/* Ticket lifetimes (seconds). */
int
HeimODSetKerberosMaxLife(ODNodeRef node, ODRecordRef record, time_t maxLife,
                         CFErrorRef *error);
time_t
HeimODGetKerberosMaxLife(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int
HeimODSetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record,
                              time_t maxRenewable, CFErrorRef *error);
time_t
HeimODGetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record, CFErrorRef *error);

/*
 * Set the keys (password) of a principal.
 *
 * enctypes is optional: when NULL the default types are used.
 * password is optional: when NULL a random password is used.
 *
 * The password argument is secret material.  Nothing in this header
 * promises that the library zeroizes it, so callers should clear their
 * own copies once the call returns — confirm against the implementation.
 */
int
HeimODSetKeys(ODNodeRef node, ODRecordRef record, CFStringRef principal,
              CFArrayRef enctypes, CFTypeRef password, unsigned long flags,
              CFErrorRef *error);
CFArrayRef
HeimODCopyDefaultEnctypes(CFErrorRef *error);

/**
 * Add/delete/modify a keyset.
 *
 * Used to manipulate Kerberos keys.  This function does not touch the
 * keys stored in OpenDirectory; writing the result back is up to the
 * caller.
 *
 * Most callers should not pass kHeimODAdminAppendKeySet when changing a
 * user's password, because appending keeps the old keyset (and therefore
 * the old password) valid.  It is meant for services that do key
 * rollover, and for Mac OS X Server, which stores keysets for several
 * principals in the same computer record.
 *
 * @param prevKeyset keyset to be manipulated, may be NULL
 * @param principal  principal the keys belong to, used for salting
 * @param enctypes   enctypes to set; HeimODCopyDefaultEnctypes() gives the default list
 * @param password   new password, may be NULL if enctypes are being deleted
 * @param flags
 *        0                           return a new keyset
 *        kHeimODAdminAppendKeySet    add an additional keyset (keep old versions)
 *        kHeimODAdminDeleteEnctypes  delete the enctypes from the old keysets
 * @param error      receives a CFErrorRef describing the failure; NULL is
 *                   allowed when no error details are wanted
 * @return the new keyset, or NULL on failure (error may be set)
 */
CFArrayRef
HeimODModifyKeys(CFArrayRef prevKeyset, CFStringRef principal, CFArrayRef enctypes,
                 CFTypeRef password, unsigned long flags, CFErrorRef *error)
    __attribute__((cf_returns_retained));

/**
 * Debug function that renders one keyset element as text.
 *
 * Intended for debugging only; the returned string describes key
 * material, so it should not end up in logs that are retained or shared.
 *
 * @param element element to print
 * @param error   eventual error, NULL by default
 * @return the debug string
 */
CFStringRef
HeimODKeysetToString(CFDataRef element, CFErrorRef *error)
    __attribute__((cf_returns_retained));

/*
 * Allowed certificate names for this principal (AltSecurityIdentities).
 *
 * HeimODAddSubjectAltCertSHA1Digest binds the principal to a certificate
 * by its SHA-1 digest.  SHA-1 is no longer considered collision
 * resistant, so such a binding is only as strong as the hash; where
 * possible prefer the subject/issuer or trust-anchor based forms.
 */
int
HeimODAddCertificate(ODNodeRef node, ODRecordRef record, SecCertificateRef ref,
                     CFErrorRef *error);
int
HeimODAddSubjectAltCertName(ODNodeRef node, ODRecordRef record, CFStringRef subject,
                            CFStringRef issuer, CFErrorRef *error);
int
HeimODAddSubjectAltCertSHA1Digest(ODNodeRef node, ODRecordRef record, CFDataRef hash,
                                  CFErrorRef *error);
CFArrayRef
HeimODCopySubjectAltNames(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int
HeimODRemoveSubjectAltElement(ODNodeRef node, ODRecordRef record, CFTypeRef element,
                              CFErrorRef *error); /* element is one as returned by HeimODCopySubjectAltNames */

/* For the MMe/AppleID certificate infrastructure. */
int
HeimODAddCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record,
                                          CFStringRef leafSubject,
                                          CFStringRef trustAnchorSubject,
                                          CFErrorRef *error);
int
HeimODRemoveCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record,
                                             CFStringRef leafSubject,
                                             CFStringRef trustAnchorSubject,
                                             CFErrorRef *error);

/* Kerberos principal aliases for MMe/AppleID. */
int
HeimODAddAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias,
                      CFErrorRef *error);
int
HeimODRemoveAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias,
                         CFErrorRef *error);

/*
 * Dump and load entries.
 *
 * The dictionary produced by HeimODDumpRecord presumably carries the
 * entry's keysets as well as its attributes, so it must be stored and
 * transported with the same care as the keys themselves; conversely,
 * HeimODLoadRecord should only be fed dictionaries from a trusted source.
 * flags for HeimODLoadRecord is 0 or kHeimODAdminLoadAsAppend.
 */
CFDictionaryRef
HeimODDumpRecord(ODNodeRef node, ODRecordRef record, CFStringRef principal,
                 CFErrorRef *error)
    __attribute__((cf_returns_retained));
bool
HeimODLoadRecord(ODNodeRef node, ODRecordRef record, CFDictionaryRef dict,
                 unsigned long flags, CFErrorRef *error);

struct hdb_entry;
CFDictionaryRef
HeimODDumpHdbEntry(struct hdb_entry *entry, CFErrorRef *error)
    __attribute__((cf_returns_retained));

#ifdef __cplusplus
}
#endif

#endif /* __heimodadmin_h__ */