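/* $NetBSD: rbac.h,v 1.2 2021/08/14 16:14:53 christos Exp $ */

/* rbac.h - internal declarations for the slapd RBAC overlay */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1999-2021 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* ACKNOWLEDGEMENTS:
 *
 */

#ifndef RBAC_H
#define RBAC_H

LDAP_BEGIN_DECL

#include "ldap_rbac.h"

#define USE_NEW_THREAD_CONTEXT 1
/* Size of the fixed scratch buffers used by the overlay.
 * NOTE(review): every writer into an RBAC_BUFLEN buffer must bound its
 * write to this size (snprintf-style) -- confirm at each use site. */
#define RBAC_BUFLEN 1024

/* tenant initialization op: bit flags selecting which per-tenant
 * containers get created (they may be OR'ed together) */
#define INIT_AUDIT_CONTAINER 0x01
#define INIT_SESSION_CONTAINER 0x02

/* Mapping from an RBAC_* index (see the enum below) to an attribute
 * name and the slot that will receive its AttributeDescription once
 * the schema has been resolved. */
typedef struct rbac_ad {
	int type;                   /* RBAC_* index */
	struct berval attr;         /* attribute type name */
	AttributeDescription **ad;  /* where the resolved description is stored */
} rbac_ad_t;

/* RBAC AttributeDescriptions used in the overlay's own (internal)
 * session and audit containers. */
struct slap_rbac_internal_schema {
	/* slapd schema */
	AttributeDescription *ad_uid;

	/* RBAC tenant */
	AttributeDescription *ad_tenant_id;

	/* RBAC sessions */
	AttributeDescription *ad_session_id;
	AttributeDescription *ad_session_user_dn;
	AttributeDescription *ad_session_roles;
	AttributeDescription *ad_session_role_constraints;

	/* RBAC session permissions */
	AttributeDescription *ad_permission_opname;
	AttributeDescription *ad_permission_objname;
	AttributeDescription *ad_permission_rolename;

	/* RBAC audit */
	AttributeDescription *ad_audit_op;          /* rbac op: create_session */
	AttributeDescription *ad_audit_id;
	AttributeDescription *ad_audit_roles;
	AttributeDescription *ad_audit_requested_roles;
	AttributeDescription *ad_audit_timestamp;
	AttributeDescription *ad_audit_resources;
	AttributeDescription *ad_audit_objects;
	AttributeDescription *ad_audit_operations;  /* resource ops */
	AttributeDescription *ad_audit_result;
	AttributeDescription *ad_audit_properties;
	AttributeDescription *ad_audit_messages;

	/* RBAC session attributes */
	AttributeName *session_attrs;
};

extern struct slap_rbac_internal_schema slap_rbac_schema;

/* Attributes in the tenant repository (the directory holding the
 * tenant's users, roles and permissions). */
struct slap_rbac_tenant_schema {
	/* user role assignments, role constraints, and user constraint */
	AttributeDescription *ad_role;
	AttributeDescription *ad_role_constraint;
	AttributeDescription *ad_user_constraint;
	AttributeDescription *ad_uid;

	/* session permission */
	AttributeDescription *ad_permission_users;
	AttributeDescription *ad_permission_roles;
	AttributeDescription *ad_permission_objname;
	AttributeDescription *ad_permission_opname;

	/* the list of attributes when doing searches in the jts repo */
	AttributeName *user_attrs;
	AttributeName *perm_attrs;          /* attrs to retrieve for check access */
	AttributeName *session_perm_attrs;  /* attrs for session permissions */

	/* the corresponding list of attribute description mapping */
	rbac_ad_t *user_ads;
	rbac_ad_t *permission_ads;
	rbac_ad_t *session_permissions_ads;
};

extern struct slap_rbac_tenant_schema slap_rbac_jts_schema;

/* A decoded RBAC request (extended operation payload).  Which members
 * are populated depends on req_type; the groups below name the
 * operations that use them. */
typedef struct rbac_request {
	int req_type;
	struct berval sessid;    /* caller-supplied session id, untrusted */
	struct berval tenantid;

	/* session creation */
	struct berval uid;
	struct berval authtok;   /* user credential presented at createSession
	                          * -- cleartext secret; NOTE(review): the
	                          * owning free path should zeroize it, confirm
	                          * in rbac_free_req() */
	BerVarray roles;         /* roles requested for activation */
	struct berval role;      /* single role for add/drop active role */

	/* check access */
	struct berval opname;
	struct berval objname;
	struct berval objid;
} rbac_req_t;

/* Temporal constraint attached to a user or a role.  Times are
 * seconds; dates are lutil_timet values; day_mask is presumably a
 * bitmask of permitted weekdays (Fortress "dayMask") -- confirm against
 * rbac_bv2constraint(). */
typedef struct rbac_constraint {
	struct berval name;       /* user name or role name */
	int allowed_inactivity;   /* secs */
	int begin_time;           /* secs */
	int end_time;             /* secs */
	lutil_timet begin_date;
	lutil_timet end_date;
	lutil_timet begin_lock_date;
	lutil_timet end_lock_date;
	int day_mask;
	struct rbac_constraint *next;  /* singly linked list */
} rbac_constraint_t;

/* Per-tenant configuration: where the tenant's data lives and the
 * identities the overlay binds as to reach it.
 * NOTE(review): admin/pwd and session_admin/session_admin_pwd are
 * cleartext bind credentials taken from configuration; they should be
 * wiped when a tenant is released -- confirm in the tenant free path. */
typedef struct tenant_info {
	struct berval tid;                /* tenant id */
	struct berval admin;              /* bind DN for the tenant repository */
	struct berval pwd;                /* its credential (secret) */
	struct berval users_basedn;
	struct berval roles_basedn;
	struct berval audit_basedn;
	struct berval permissions_basedn;
	struct berval sessions_basedn;
	struct berval session_admin;      /* bind DN for the session container */
	struct berval session_admin_pwd;  /* its credential (secret) */
	struct slap_rbac_tenant_schema *schema;
} tenant_info_t;

/* Linked list node holding one configured tenant. */
typedef struct rbac_tenant {
	tenant_info_t tenant_info;
	struct rbac_tenant *next;
} rbac_tenant_t;

/* for RBAC callback: private data handed to slapd search callbacks */
typedef struct rbac_callback_info {
	tenant_info_t *tenantp;
	void *private;
} rbac_callback_info_t;

/* RBAC user as read from the tenant repository (rbac_read_user). */
typedef struct rbac_user {
	struct berval tenantid;
	struct berval uid;
	struct berval dn;
	struct berval constraints;
	struct berval password;   /* credential used by rbac_authenticate_user();
	                           * secret, zeroize on free -- confirm in
	                           * rbac_free_user() */
	struct berval msg;
	int authz;                /* flag for bind (pwd policy) info */
	BerVarray roles;
	BerVarray role_constraints;
#if 0 /* additional parameters from Fortress */
	private String userId;
	@XmlElement(nillable = true)
	private char[] password;
	@XmlElement(nillable = true)
	private char[] newPassword;
	private String internalId;
	@XmlElement(nillable = true)
	private List<UserRole> roles;
	@XmlElement(nillable = true)
	private List<UserAdminRole> adminRoles;
	private String pwPolicy;
	private String cn;
	private String sn;
	private String dn;
	private String ou;
	private String description;
	private String beginTime;
	private String endTime;
	private String beginDate;
	private String endDate;
	private String beginLockDate;
	private String endLockDate;
	private String dayMask;
	private String name;
	private int timeout;
	private boolean reset;
	private boolean locked;
	private Boolean system;
	@XmlElement(nillable = true)
	private Props props = new Props();
	@XmlElement(nillable = true)
	private Address address;
	@XmlElement(nillable = true)
	private List<String> phones;
	@XmlElement(nillable = true)
	private List<String> mobiles;
	@XmlElement(nillable = true)
	private List<String> emails;
#endif /* 0 */
} rbac_user_t;

/* Indices for configuration keywords and attribute mappings.  The
 * values are consecutive starting at RBAC_NONE; RBAC_LAST is one past
 * the final real entry and doubles as a table size. */
enum {
	RBAC_NONE = 0,
	RBAC_TENANT,
	RBAC_TENANT_ID,
	RBAC_USERS_BASE_DN,
	RBAC_ROLES_BASE_DN,
	RBAC_PERMISSIONS_BASE_DN,
	RBAC_ADMIN_DN,
	RBAC_ADMIN_PWD,
	RBAC_SESSIONS_BASE_DN,
	RBAC_SESSION_ADMIN_DN,
	RBAC_SESSION_ADMIN_PWD,
	RBAC_ROLE_ASSIGNMENT,
	RBAC_ROLE_CONSTRAINTS,
	RBAC_USER_CONSTRAINTS,
	RBAC_UID,
	RBAC_USERS,
	RBAC_ROLES,
	RBAC_OBJ_NAME,
	RBAC_OP_NAME,
	RBAC_ROLE_NAME,
	RBAC_SESSION_ID,
	RBAC_USER_DN,
	RBAC_AUDIT_ROLES,
	RBAC_AUDIT_RESOURCES,
	RBAC_AUDIT_RESULT,
	RBAC_AUDIT_TIMESTAMP,
	RBAC_AUDIT_PROPERTIES,
	RBAC_AUDIT_OP,
	RBAC_AUDIT_ID,
	RBAC_AUDIT_REQUESTED_ROLES,
	RBAC_AUDIT_OBJS,
	RBAC_AUDIT_OPS,
	RBAC_AUDIT_MSGS,
	RBAC_LAST
};

/* Default-tenant keywords continue numbering from RBAC_LAST so the two
 * enums never collide when used in a single dispatch table. */
enum {
	RBAC_DEFAULT_TENANT_ID = RBAC_LAST,
	RBAC_DEFAULT_USERS_BASE_DN,
	RBAC_DEFAULT_PERMISSIONS_BASE_DN,
	RBAC_DEFAULT_ROLES_BASE_DN,
	RBAC_DEFAULT_SESSIONS_BASE_DN,
	RBAC_DEFAULT_AUDIT_BASE_DN
};

/* Singly linked list of user ids. */
typedef struct rbac_user_idlist {
	char *user_id;
	struct rbac_user_idlist *next;
} rbac_user_idlist_t;

/* RBAC sessions: RDN prefixes used when building entry DNs under the
 * session and audit containers.  NOTE(review): the value appended after
 * the '=' (a session id supplied by the client, an audit id generated
 * locally) becomes part of a DN, so it must be validated/escaped before
 * use -- rbac_is_valid_session_id() is the expected gate, confirm. */
#define RBAC_SESSION_RDN_EQ "rbacSessid="
#define RBAC_AUDIT_RDN_EQ "rbacAuditId="

/* In-memory state of one RBAC session. */
typedef struct rbac_session {
	rbac_user_t *user;
	struct berval tenantid;
	struct berval sessid;
	struct berval uid;
	struct berval userdn;
	char uuidbuf[ LDAP_LUTIL_UUIDSTR_BUFSIZE ];  /* storage for a generated
	                                             * UUID-string session id */
	struct berval sessdn;
	long last_access;
	int timeout;
	int warning_id;
	int error_id;
	int grace_logins;
	int expiration_secs;
	int is_authenticated;  /* boolean */
	struct berval message;
	BerVarray roles;            /* currently activated roles */
	BerVarray role_constraints;
} rbac_session_t;

/* RBAC roles */
typedef struct rbac_role {
	char *name;
	char *description;
	struct rbac_role *parent;
	struct rbac_role *next;
} rbac_role_t;

typedef struct rbac_role_list {
	char *name;
	struct rbac_role_list *next;
} rbac_role_list_t;

/* RBAC permissions as read from the tenant repository. */
typedef struct rbac_permission {
	struct berval dn;
	int admin;  /* boolean */
	struct berval internalId;
	BerVarray opName;
	BerVarray objName;
	struct berval objectId;
	struct berval abstractName;
	struct berval type;
	BerVarray roles;  /* roles granted this permission */
	BerVarray uids;   /* users granted this permission directly */
	struct rbac_permission *next;
} rbac_permission_t;

/* RBAC Audit: the operation being recorded by rbac_audit(). */
typedef enum {
	CreateSession = 0,
	CheckAccess,
	AddActiveRole,
	DropActiveRole,
	SessionPermissions,
	DeleteSession,
	SessionRoles
} audit_op_t;

/* function prototypes */

int rbac_initialize_repository( void );
int rbac_initialize_tenants( BackendDB *be, ConfigReply *cr );

/* RBAC tenant information: look up a configured tenant by id
 * (returns NULL when unknown, presumably). */
tenant_info_t *rbac_tid2tenant( struct berval *tid );

/* Request lifecycle; rbac_free_req releases everything the request
 * owns, including authtok. */
rbac_req_t *rbac_alloc_req( int type );
void rbac_free_req( rbac_req_t *reqp );

/* Users: read from the tenant repository, authenticate with the
 * request's credential, evaluate temporal constraints. */
rbac_user_t *rbac_read_user( Operation *op, rbac_req_t *rbac_reqp );
int rbac_authenticate_user( Operation *op, rbac_user_t *user );
int rbac_user_temporal_constraint( rbac_user_t *userp );
void rbac_free_user( rbac_user_t *user );

/* Sessions.  rbac_is_valid_session_id() is the syntactic check on a
 * client-supplied id; rbac_is_session_owner() is the authorization
 * check that the requester owns the session -- operations that mutate
 * or delete a session are expected to pass both before acting (confirm
 * in the extended-op handlers). */
rbac_session_t *rbac_alloc_session( void );
int rbac_is_valid_session_id( struct berval *sessid );
rbac_session_t *rbac_session_byid( Operation *op, rbac_req_t *reqp );
int rbac_is_session_owner( rbac_session_t *sessp, rbac_req_t *reqp );
int rbac_register_session( Operation *op, SlapReply *rs, rbac_session_t *sess );
int rbac_int_delete_session( Operation *op, rbac_session_t *sessp );
int rbac_session_add_role(
		Operation *op,
		rbac_session_t *sessp,
		rbac_req_t *reqp );
int rbac_session_drop_role(
		Operation *op,
		rbac_session_t *sessp,
		rbac_req_t *reqp );
int rbac_int_session_permissions(
		Operation *op,
		SlapReply *rs,
		rbac_req_t *reqp,
		rbac_session_t *sessp );
/* Not rbac_-prefixed like its siblings; kept for existing callers. */
int activate_session_roles(
		rbac_session_t *sessp,
		rbac_req_t *reqp,
		rbac_user_t *userp );
void rbac_free_session( rbac_session_t *sessp );

/* Constraints: parse from attribute values, select by role, evaluate. */
rbac_constraint_t *rbac_user_role_constraints( BerVarray values );
rbac_constraint_t *rbac_role2constraint(
		struct berval *role,
		rbac_constraint_t *role_constraints );
rbac_constraint_t *rbac_bv2constraint( struct berval *bv );
int rbac_check_time_constraint( rbac_constraint_t *cp );
void rbac_free_constraint( rbac_constraint_t *cp );
void rbac_free_constraints( rbac_constraint_t *constraints );

/* Permissions: read the permission matching the request's
 * opname/objname and check it against the session's active roles. */
rbac_permission_t *rbac_read_permission( Operation *op, rbac_req_t *rbac_reqp );
int rbac_check_session_permission(
		rbac_session_t *sessp,
		rbac_permission_t *permp,
		rbac_constraint_t *role_constraints );
void rbac_free_permission( rbac_permission_t *permp );

/* audit functions: record rbac_op, its outcome (result) and msg under
 * the tenant's audit container. */
void rbac_audit(
		Operation *op,
		audit_op_t rbac_op,
		rbac_session_t *sessp,
		rbac_req_t *reqp,
		int result,
		char *msg );

/* acl functions */
int rbac_create_session_acl_check( struct berval *sessid, rbac_user_t *userp );

/* In-place ASCII lower-casing of a berval. */
void rbac_to_lower( struct berval *bv );

LDAP_END_DECL

#endif /* RBAC_H */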