1/*
2 * Copyright (c) 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 *    may be used to endorse or promote products derived from this software
21 *    without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#ifndef __heimodadmin_h__
37#define __heimodadmin_h__ 1
38
39#import <CoreFoundation/CoreFoundation.h>
40#import <CFOpenDirectory/CFOpenDirectory.h>
41#import <Security/Security.h>
42
/*
 * A "CFTypeRef flags" argument is either a single CFStringRef holding one of
 * the kPrincipalFlag* values, or a CFArrayRef of such CFStringRefs.
 */
47
48
/*
 * Principal flag names.  One of these (or a CFArrayRef of them) is passed as
 * the "CFTypeRef flags" argument of HeimODCreatePrincipalData(),
 * HeimODSetKerberosFlags() and HeimODClearKerberosFlags().
 */
#define kPrincipalFlagInitial			CFSTR("Initial") /* can only be used for initial tickets */
#define kPrincipalFlagForwardable		CFSTR("Forwardable") /* forwardable ticket allowed */
#define kPrincipalFlagProxyable			CFSTR("Proxiable") /* proxiable ticket allowed (note: the string value is spelled "Proxiable", unlike the macro name) */
#define kPrincipalFlagRenewable			CFSTR("Renewable") /* renewable ticket allowed */
#define kPrincipalFlagServer			CFSTR("Server") /* allowed to be used as server */
#define kPrincipalFlagPasswordChangeService	CFSTR("PasswordChangeService") /* allowed to be used as the password change service */
#define kPrincipalFlagOKAsDelegate		CFSTR("OkAsDelegate") /* ok to delegate/forward to */
#define kPrincipalFlagRequireStrongPreAuthentication	CFSTR("RequireStrongPreAuth") /* require smartcard or other strong mech */
#define kPrincipalFlagImmutable			CFSTR("Immutable") /* immutable: the entry can't be removed or (possibly) changed */
#define kPrincipalFlagInvalid			CFSTR("Invalid") /* invalid and not usable yet; newly created principals have this set, see HeimODCreatePrincipalData() */
59
/*
 * ACL right names.  Presumably passed, singly or as a CFArrayRef, as the
 * "CFTypeRef flags" argument of HeimODSetACL() and HeimODClearACL();
 * HeimODCopyACL() returns the rights currently set.
 * NOTE(review): the exact semantics of each right (and whether kHeimODACLAll
 * expands to all of the others) are not stated in this header — confirm
 * against the implementation before relying on them.
 */
#define kHeimODACLAll				CFSTR("kHeimODACLAll")
#define kHeimODACLChangePassword		CFSTR("kHeimODACLChangePassword")
#define kHeimODACLList				CFSTR("kHeimODACLList")
#define kHeimODACLDelete			CFSTR("kHeimODACLDelete")
#define kHeimODACLModify			CFSTR("kHeimODACLModify")
#define kHeimODACLAdd				CFSTR("kHeimODACLAdd")
#define kHeimODACLGet				CFSTR("kHeimODACLGet")
67
68
/*
 * Flag values for the "flags" argument of HeimODModifyKeys() (and presumably
 * HeimODSetKeys(), which takes the same kind of argument — confirm).
 * kHeimODAdminSetKeysAppendKey and kHeimODAdminAppendKeySet share the value 1,
 * so the former is effectively an alias of the latter.
 */
enum {
    kHeimODAdminSetKeysAppendKey			= 1, /* same value as kHeimODAdminAppendKeySet */
    kHeimODAdminAppendKeySet			= 1, /* add an additional keyset (old key versions are kept) */
    kHeimODAdminDeleteEnctypes			= 2  /* delete enctype from all keysets */
};
74
/*
 * Flag values for the "flags" argument of HeimODLoadRecord().
 * NOTE(review): the name suggests the loaded dictionary is appended to the
 * existing record instead of replacing it; this header does not say so — confirm.
 */
enum {
    kHeimODAdminLoadAsAppend				= 1
};
78
79#ifdef __cplusplus
80extern "C" {
81#endif
82
/*
 * Creates a support principal in the realm in node.
 *
 * @param node   OpenDirectory node to create the principal in
 * @param realm  realm name
 * @param error  receives a CFErrorRef on failure; presumably NULL is allowed
 *               as for HeimODModifyKeys() — confirm
 * @return int status; this header does not state the return convention
 */
int		HeimODCreateRealm(ODNodeRef node, CFStringRef realm, CFErrorRef *error);
85
/*
 * Create / remove the Kerberos principal data on a record.
 *
 * Principals are created with kPrincipalFlagInvalid set and have to be
 * cleared before they are usable.  The original comment names "DeleteFlags"
 * for that step; no such function is declared in this header, so presumably
 * HeimODClearKerberosFlags() is meant — confirm.
 *
 * @param node      OpenDirectory node the record lives in
 * @param record    record to attach the principal data to / remove it from
 * @param flags     kPrincipalFlag* value(s) to set at creation
 * @param principal principal name
 * @param error     receives a CFErrorRef on failure; presumably NULL allowed
 * @return int status; this header does not state the return convention
 */
int		HeimODCreatePrincipalData(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFStringRef principal, CFErrorRef *error);
int		HeimODRemovePrincipalData(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFErrorRef *error);
89
/*
 * Manage Kerberos flags for this entry.
 *
 * @param flags  kPrincipalFlag* value, or a CFArrayRef of them, to set / clear
 * @param error  receives a CFErrorRef on failure; presumably NULL allowed
 * @return setters: int status (convention not stated here);
 *         HeimODCopyKerberosFlags: array of the flags currently set.  Per CF
 *         "Copy" naming the caller presumably owns the returned array and must
 *         CFRelease() it — there is no cf_returns_retained attribute here, confirm.
 */
int		HeimODSetKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
CFArrayRef	HeimODCopyKerberosFlags(ODNodeRef node, ODRecordRef record, CFErrorRef *error); /* return set flags */
int		HeimODClearKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
94
/*
 * Manage the ACL for an entry.
 *
 * @param flags  kHeimODACL* value, or a CFArrayRef of them, to set / clear
 * @param error  receives a CFErrorRef on failure; presumably NULL allowed
 * @return setters: int status (convention not stated here);
 *         HeimODCopyACL: the rights currently set; per CF "Copy" naming the
 *         caller presumably owns the array (no cf_returns_retained attribute
 *         here — confirm).
 */
int
HeimODSetACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
CFArrayRef
HeimODCopyACL(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int
HeimODClearACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error);
102
/*
 * Manage server aliases for this record.
 *
 * @param alias  alias name to add / remove
 * @param error  receives a CFErrorRef on failure; presumably NULL allowed
 * @return add/remove: int status (convention not stated here);
 *         HeimODCopyServerAliases: the aliases currently set, presumably
 *         caller-owned per CF "Copy" naming — confirm
 */
int		HeimODAddServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
int		HeimODRemoveServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
CFArrayRef	HeimODCopyServerAliases(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
107
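/*
 * Lifetimes
 *
 * Maximum ticket life and maximum renewable life for the principal on
 * "record".  The time_t value is presumably a duration in seconds; the unit
 * is not stated in this header — confirm against the implementation.
 *
 * @param node          OpenDirectory node the record lives in
 * @param record        record to update / query
 * @param maxLife       new maximum ticket life (setter only)
 * @param maxRenewable  new maximum renewable life (setter only)
 * @param error         receives a CFErrorRef on failure; presumably NULL allowed
 * @return setters: int status (convention not stated here);
 *         getters: the stored value — what is returned on failure is not
 *         stated here, check *error
 */
int		HeimODSetKerberosMaxLife(ODNodeRef node, ODRecordRef record, time_t maxLife, CFErrorRef *error);
time_t		HeimODGetKerberosMaxLife(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int		HeimODSetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record, time_t maxRenewable, CFErrorRef *error);
time_t		HeimODGetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record, CFErrorRef *error);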
113
/*
 * Set password / keys
 *
 * Presumably derives a keyset for "principal" and stores it on "record"
 * (unlike HeimODModifyKeys(), which leaves storage to the caller) — confirm.
 *
 * @param node      OpenDirectory node the record lives in
 * @param record    record to update
 * @param principal principal name
 * @param enctypes  optional; if NULL, the default types are used
 *                  (see HeimODCopyDefaultEnctypes())
 * @param password  if NULL, a random password is used.  The accepted CF
 *                  types are not stated here — confirm
 * @param flags     0, or the kHeimODAdmin* enum values — presumably with the
 *                  same meaning as for HeimODModifyKeys(), confirm
 * @param error     receives a CFErrorRef on failure; presumably NULL allowed
 * @return int status; this header does not state the return convention
 */
int		HeimODSetKeys(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFArrayRef enctypes, CFTypeRef password, unsigned long flags, CFErrorRef *error);
/* Default enctype list.  Per CF "Copy" naming the caller presumably owns the
 * returned array (no cf_returns_retained attribute here — confirm). */
CFArrayRef	HeimODCopyDefaultEnctypes(CFErrorRef *error);
/**
 * Add/delete/modify keyset
 *
 * Used to manipulate Kerberos keys.
 * This function does not touch the keys stored in OpenDirectory; storing
 * the result is up to the caller.
 *
 * Most callers should not pass kHeimODAdminAppendKeySet when changing the
 * password for users; it should only be used for services that do key
 * rollover and for Mac OS X Server, which stores keysets for different
 * principals in the same computer record.
 *
 * @param prevKeyset keyset to be manipulated, can be NULL
 * @param principal principal the keys are changed for, used for salting
 * @param enctypes enctypes to set, use HeimODCopyDefaultEnctypes() to get the default list
 * @param password new password, can be NULL if enctypes are deleted.
 *        The accepted CF types are not stated here — confirm.
 * @param flags
 * 	flags is 0, return a new keyset
 * 	flags is kHeimODAdminAppendKeySet, add additional keyset (keep old versions)
 * 	flags is kHeimODAdminDeleteEnctypes, delete enctype from old keysets
 *
 * @param error return CFErrorRef with user error in case there is one, NULL is allowed if no error is expected.
 * @return the new keyset or NULL on failure, error might be set.  The result
 *         is returned retained (cf_returns_retained): the caller owns it and
 *         must CFRelease() it.
 */
CFArrayRef	HeimODModifyKeys(CFArrayRef prevKeyset, CFStringRef principal, CFArrayRef enctypes, CFTypeRef password, unsigned long flags, CFErrorRef *error) __attribute__((cf_returns_retained));
140
/**
 * Debug function to print the content of a keyset element
 *
 * NOTE(review): the output presumably includes key material; treat the
 * returned string as sensitive and keep it out of logs — confirm what the
 * implementation includes.
 *
 * @param element element to print (presumably one entry of the array
 *        returned by HeimODModifyKeys() — confirm)
 * @param error receives a CFErrorRef on failure; NULL by default
 * @return the debug string, returned retained (cf_returns_retained): the
 *         caller owns it and must CFRelease() it
 */
CFStringRef	HeimODKeysetToString(CFDataRef element, CFErrorRef *error) __attribute__((cf_returns_retained));
149
/*
 * Manage allowed cert names for this principal: aka AltSecurityIdentities.
 *
 * A principal can be bound to a certificate by the certificate itself, by
 * subject and issuer name, or by a SHA-1 digest.
 * NOTE(review): SHA-1 is no longer collision-resistant; where the deployment
 * allows, prefer the name-based bindings over the digest-based one — confirm
 * policy.  What exactly "hash" is a digest of (presumably the DER-encoded
 * certificate) is not stated in this header.
 *
 * @param error  receives a CFErrorRef on failure; presumably NULL allowed
 * @return add/remove: int status (convention not stated here);
 *         HeimODCopySubjectAltNames: the bindings currently set, presumably
 *         caller-owned per CF "Copy" naming (no cf_returns_retained here — confirm)
 */
int		HeimODAddCertificate(ODNodeRef node, ODRecordRef record, SecCertificateRef ref, CFErrorRef *error);
int		HeimODAddSubjectAltCertName(ODNodeRef node, ODRecordRef record, CFStringRef subject, CFStringRef issuer, CFErrorRef *error); /* bind by subject and issuer name */
int		HeimODAddSubjectAltCertSHA1Digest(ODNodeRef node, ODRecordRef record, CFDataRef hash, CFErrorRef *error); /* bind by SHA-1 digest */
CFArrayRef	HeimODCopySubjectAltNames(ODNodeRef node, ODRecordRef record, CFErrorRef *error);
int		HeimODRemoveSubjectAltElement(ODNodeRef node, ODRecordRef record, CFTypeRef element, CFErrorRef *error); /* removes one element, as returned by HeimODCopySubjectAltNames() */
156
/*
 * These are for the MMe/AppleID certificate infrastructure: bind a principal
 * to a leaf certificate subject under a given trust anchor subject.
 *
 * @param leafSubject         subject of the leaf certificate
 * @param trustAnchorSubject  subject of the trust anchor the leaf must chain to (presumably — confirm)
 * @param error               receives a CFErrorRef on failure; presumably NULL allowed
 * @return int status; this header does not state the return convention
 */
int		HeimODAddCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record, CFStringRef leafSubject, CFStringRef trustAnchorSubject, CFErrorRef *error);
int		HeimODRemoveCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record, CFStringRef leafSubject, CFStringRef trustAnchorSubject, CFErrorRef *error);
160
/*
 * Add / remove a Kerberos principal alias for MMe/AppleID.
 *
 * @param alias  alias to add / remove
 * @param error  receives a CFErrorRef on failure; presumably NULL allowed
 * @return int status; this header does not state the return convention
 */
int		HeimODAddAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
int		HeimODRemoveAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error);
164
165
/*
 * Dump and load entries.
 *
 * NOTE(review): the dictionary schema is not stated in this header, and the
 * dump presumably includes key material — handle it with the same care as
 * the record itself; confirm against the implementation.
 *
 * @param principal  principal whose entry is dumped
 * @param dict       dictionary to load, presumably as produced by HeimODDumpRecord()
 * @param flags      0 or kHeimODAdminLoadAsAppend
 * @param error      receives a CFErrorRef on failure; presumably NULL allowed
 * @return HeimODDumpRecord: the dumped dictionary, returned retained
 *         (cf_returns_retained) — the caller must CFRelease() it; NULL on
 *         failure presumably.  HeimODLoadRecord: true on success, presumably.
 */
CFDictionaryRef	HeimODDumpRecord(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFErrorRef *error) __attribute__((cf_returns_retained));
bool		HeimODLoadRecord(ODNodeRef node, ODRecordRef record, CFDictionaryRef dict, unsigned long flags, CFErrorRef *error);
169
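/*
 * Dump a Heimdal HDB entry to a dictionary.
 *
 * struct hdb_entry is only forward-declared here so this header does not
 * depend on the HDB headers; callers that build one need those headers.
 * NOTE(review): presumably the same dictionary format as HeimODDumpRecord(),
 * and so presumably includes key material — confirm.
 *
 * @param entry  HDB entry to dump
 * @param error  receives a CFErrorRef on failure; presumably NULL allowed
 * @return the dictionary, returned retained (cf_returns_retained): the caller
 *         must CFRelease() it; NULL on failure presumably
 */
struct hdb_entry;
CFDictionaryRef	HeimODDumpHdbEntry(struct hdb_entry *entry, CFErrorRef *error) __attribute__((cf_returns_retained));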
172
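#ifdef __cplusplus
} /* extern "C" — no trailing ';' after a linkage block; it is an empty declaration that pedantic C++ builds warn about */
#endif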
176
177#endif /* __heimodadmin_h__ */
178