
0001 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
0002 /*
0003  * Copyright (C) 2010 by the Massachusetts Institute of Technology.
0004  * All rights reserved.
0005  *
0006  * Export of this software from the United States of America may
0007  *   require a specific license from the United States Government.
0008  *   It is the responsibility of any person or organization contemplating
0009  *   export to obtain such a license before exporting.
0010  *
0011  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
0012  * distribute this software and its documentation for any purpose and
0013  * without fee is hereby granted, provided that the above copyright
0014  * notice appear in all copies and that both that copyright notice and
0015  * this permission notice appear in supporting documentation, and that
0016  * the name of M.I.T. not be used in advertising or publicity pertaining
0017  * to distribution of the software without specific, written prior
0018  * permission.  Furthermore if you modify this software you must label
0019  * your software as modified software and not distribute it in such a
0020  * fashion that it might be confused with the original M.I.T. software.
0021  * M.I.T. makes no representations about the suitability of
0022  * this software for any purpose.  It is provided "as is" without express
0023  * or implied warranty.
0024  */
0025 
0026 #ifndef H_KRB5_KADM5_HOOK_PLUGIN
0027 #define H_KRB5_KADM5_HOOK_PLUGIN
0028 
0029 /**
0030  * @file krb5/krb5_kadm5_hook_plugin.h
0031  * Provide a plugin interface for kadm5 operations. This interface
0032  * permits a plugin to intercept principal modification, creation and
0033  * change password operations. Operations run at two stages: a
0034  * precommit stage that runs before the operation is committed to the
0035  * database and a postcommit operation that runs after the database
0036  * is updated; see #kadm5_hook_stage for details on semantics.
0037  *
0038  * This interface is based on a proposed extension to Heimdal by Russ
0039  * Allbery; it is likely that Heimdal will adopt an approach based on
0040  * stacked kdb modules rather than this interface. For MIT, writing a
0041  * plugin to this interface is significantly easier than stacking kdb
0042  * modules. Also, the kadm5 interface is significantly more stable
0043  * than the kdb interface, so this approach is more desirable than
0044  * stacked kdb modules.
0045  *
0046  * This interface depends on kadm5/admin.h. As such, the interface
0047  * does not provide strong guarantees of ABI stability.
0048  *
0049  * The kadm5_hook interface currently has only one supported major version,
0050  * which is 1.  Major version 1 has a current minor version number of 2.
0051  *
0052  * kadm5_hook plugins should define a function named
0053  * kadm5_hook_<modulename>_initvt, matching the signature:
0054  *
0055  *   krb5_error_code
0056  *   kadm5_hook_modname_initvt(krb5_context context, int maj_ver, int min_ver,
0057  *                         krb5_plugin_vtable vtable);
0058  *
0059  * The initvt function should:
0060  *
0061  * - Check that the supplied maj_ver number is supported by the module, or
0062  *   return KRB5_PLUGIN_VER_NOTSUPP if it is not.
0063  *
0064  * - Cast the vtable pointer as appropriate for maj_ver:
0065  *     maj_ver == 1: Cast to kadm5_hook_vftable_1
0066  *
0067  * - Initialize the methods of the vtable, stopping as appropriate for the
0068  *   supplied min_ver.  Optional methods may be left uninitialized.
0069  *
0070  * Memory for the vtable is allocated by the caller, not by the module.
0071  */
0072 
0073 #include <krb5/krb5.h>
0074 #include <krb5/plugin.h>
0075 #include <kadm5/admin.h>
0076 
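/**
 * Whether the operation is being run before or after the database
 * update.
 *
 * The hook methods in the v1 vtable receive this value through an
 * @c int parameter named @a stage rather than through the enum type.
 */
enum kadm5_hook_stage {
    /** In this stage, any plugin failure prevents following plugins from
     * running and aborts the operation.  Because the operation is aborted,
     * this is the stage in which a module can refuse a change. */
    KADM5_HOOK_STAGE_PRECOMMIT,
    /** In this stage, plugin failures are logged but otherwise ignored.
     * The database update has already happened, so a failure reported
     * here does not stop or undo the operation; a check that must be
     * enforced belongs in the precommit stage. */
    KADM5_HOOK_STAGE_POSTCOMMIT
};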
0088 
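/**
 * Opaque module data pointer.
 *
 * Only the struct tag is declared in this header, so the layout is not
 * visible through this interface.  The vtable's init() method returns a
 * pointer of this type, the other methods receive it back, and fini()
 * frees it.
 */
typedef struct kadm5_hook_modinfo_st kadm5_hook_modinfo;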
0091 
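/**
 * Interface for the v1 virtual table for the kadm5_hook plugin.
 * All entry points are optional. The name field must be provided.
 *
 * The struct tag is spelled "vtable" while the typedef is spelled
 * "vftable"; the typedef name is the one the file-level comment tells a
 * module to cast to for maj_ver == 1.
 *
 * Every method takes the krb5_context first.  The operation hooks
 * (chpass, create, modify, remove, rename) also take the module's
 * kadm5_hook_modinfo pointer and a @a stage argument holding a value
 * from #kadm5_hook_stage.  Per that enumeration, a failure in the
 * precommit stage aborts the operation, while a failure in the
 * postcommit stage is only logged.
 *
 * NOTE(review): the file-level comment says optional methods may be left
 * uninitialized; that presumably relies on the caller clearing the
 * vtable before calling initvt -- confirm against the plugin loader.
 */
typedef struct kadm5_hook_vtable_1_st {

    /** A text string identifying the plugin for logging messages. */
    const char *name;

    /** Initialize a plugin module.
     * @param modinfo returns newly allocated module info for future
     * calls.  Cleaned up by the fini() function.
     */
    kadm5_ret_t (*init)(krb5_context, kadm5_hook_modinfo **modinfo);

    /** Clean up a module and free @a modinfo. */
    void (*fini)(krb5_context, kadm5_hook_modinfo *modinfo);

    /** Indicates that the password is being changed.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     * @param keepold is true if existing keys are being kept.
     * @param n_ks_tuple presumably the number of entries in
     * @a ks_tuple -- confirm against the caller.
     * @param newpass is NULL if the keys are being randomized.
     *
     * NOTE(review): @a newpass appears to carry the new password itself,
     * so a module should not log it and should not keep copies of it
     * longer than it needs them -- confirm the buffer's lifetime with
     * the caller.
     */
    kadm5_ret_t (*chpass)(krb5_context,
                          kadm5_hook_modinfo *modinfo,
                          int stage,
                          krb5_principal, krb5_boolean keepold,
                          int n_ks_tuple,
                          krb5_key_salt_tuple *ks_tuple,
                          const char *newpass);

    /** Indicate a principal is created.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     *
     * NOTE(review): @a password looks like the same kind of secret as
     * chpass()'s @a newpass and deserves the same handling; whether it
     * can be NULL is not stated here -- confirm against the caller.
     */
    kadm5_ret_t (*create)(krb5_context,
                          kadm5_hook_modinfo *,
                          int stage,
                          kadm5_principal_ent_t, long mask,
                          int n_ks_tuple,
                          krb5_key_salt_tuple *ks_tuple,
                          const char *password);

    /** Modify a principal.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     * @param mask presumably selects which fields of the principal
     * entry are being changed -- confirm against kadm5/admin.h.
     */
    kadm5_ret_t (*modify)(krb5_context,
                          kadm5_hook_modinfo *,
                          int stage,
                          kadm5_principal_ent_t, long mask);

    /** Indicate a principal is deleted.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     */
    kadm5_ret_t (*remove)(krb5_context,
                          kadm5_hook_modinfo *modinfo,
                          int stage, krb5_principal);

    /* End of minor version 1. */
    /* The file-level comment tells initvt to stop initializing methods as
     * appropriate for the supplied min_ver, so a module given min_ver 1
     * should not set anything below this marker.
     * NOTE(review): presumably a minor-version-1 caller allocates a vtable
     * that ends here, which would make a write to rename out of bounds --
     * confirm against the plugin loader. */

    /** Indicate a principal is renamed.
     * @param stage is an integer from #kadm5_hook_stage enumeration
     *
     * NOTE(review): the two unnamed krb5_principal arguments are
     * presumably the existing name followed by the new name -- confirm
     * the order against the caller.
     */
    kadm5_ret_t (*rename)(krb5_context,
                          kadm5_hook_modinfo *modinfo,
                          int stage, krb5_principal, krb5_principal);

    /* End of minor version 2. */

} kadm5_hook_vftable_1;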
0153 
0154 #endif /*H_KRB5_KADM5_HOOK_PLUGIN*/