/*
 * vacm.h
 *
 * SNMPv3 View-based Access Control Model
 *
 * Portions of this file are subject to the following copyright(s). See
 * the Net-SNMP's COPYING file for more details and other copyrights
 * that may apply:
 *
 * Portions of this file are copyrighted by:
 * Copyright (c) 2016 VMware, Inc. All rights reserved.
 * Use is subject to license terms specified in the COPYING file
 * distributed with the Net-SNMP package.
 */

#ifndef VACM_H
#define VACM_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Result codes of the VACM lookup/check routines (see vacm_checkSubtree
 * below for the three it documents). The names follow the order of the
 * VACM access decision: security name -> group -> access entry -> view
 * -> membership of the requested OID in that view. Only VACM_SUCCESS
 * grants access; treat every other value as a denial.
 */
#define VACM_SUCCESS 0
#define VACM_NOSECNAME 1
#define VACM_NOGROUP 2
#define VACM_NOACCESS 3
#define VACM_NOVIEW 4
#define VACM_NOTINVIEW 5
#define VACM_NOSUCHCONTEXT 6
#define VACM_SUBTREE_UNKNOWN 7

/*
 * Column numbers of vacmSecurityToGroupTable
 * (SNMP-VIEW-BASED-ACM-MIB, RFC 3415).
 */
#define SECURITYMODEL 1
#define SECURITYNAME 2
#define SECURITYGROUP 3
#define SECURITYSTORAGE 4
#define SECURITYSTATUS 5

/* Column numbers of vacmAccessTable. */
#define ACCESSPREFIX 1
#define ACCESSMODEL 2
#define ACCESSLEVEL 3
#define ACCESSMATCH 4
#define ACCESSREAD 5
#define ACCESSWRITE 6
#define ACCESSNOTIFY 7
#define ACCESSSTORAGE 8
#define ACCESSSTATUS 9

/* vacmViewSpinLock and the columns of vacmViewTreeFamilyTable. */
#define VACMVIEWSPINLOCK 1
#define VIEWNAME 2
#define VIEWSUBTREE 3
#define VIEWMASK 4
#define VIEWTYPE 5
#define VIEWSTORAGE 6
#define VACMVIEWSTATUS 7

/*
 * Fixed width of every name/prefix buffer in the entry structs below.
 * VACM_MAX_STRING is the longest name accepted; the buffers leave room
 * for the terminating NUL. Code that fills these buffers (config parsing,
 * SET handling) must bound the copy to the buffer size and NUL-terminate;
 * the structs themselves carry no separate length field for them.
 */
#define VACM_MAX_STRING 32
#define VACMSTRINGLEN 34 /* VACM_MAX_STRING + 2 */

/*
 * One row of vacmSecurityToGroupTable: maps a (securityModel,
 * securityName) pair to a groupName. Rows are kept in a singly linked
 * list via `next`.
 */
struct vacm_groupEntry {
    int securityModel;
    char securityName[VACMSTRINGLEN];
    char groupName[VACMSTRINGLEN];
    int storageType;
    int status;

    /* NOTE(review): presumably records which columns have been set while
     * a row is being created; confirm against vacm.c. */
    u_long bitMask;
    /* NOTE(review): appears to hold a pending copy of the row during a
     * multi-varbind SET; confirm against the MIB implementation. */
    struct vacm_groupEntry *reserved;
    struct vacm_groupEntry *next;
};

/* Values of vacmAccessEntry.contextMatch (vacmAccessContextMatch). */
#define CONTEXT_MATCH_EXACT 1
#define CONTEXT_MATCH_PREFIX 2

/* VIEW ENUMS ---------------------------------------- */

/*
 * Indices into vacm_accessEntry.views[]. Each index selects the view
 * name consulted for one kind of operation.
 */

/* SNMPD usage: get/set/send-notification views */
#define VACM_VIEW_READ 0
#define VACM_VIEW_WRITE 1
#define VACM_VIEW_NOTIFY 2

/* SNMPTRAPD usage: log execute and net-access (forward) usage */
#define VACM_VIEW_LOG 3
#define VACM_VIEW_EXECUTE 4
#define VACM_VIEW_NET 5

/* VIEW BIT MASK VALUES-------------------------------- */

/* Bit-flag forms of the view indices above, for callers that pass a set
 * of view types in one integer. */

/* SNMPD usage: get/set/send-notification views */
#define VACM_VIEW_READ_BIT (1 << VACM_VIEW_READ)
#define VACM_VIEW_WRITE_BIT (1 << VACM_VIEW_WRITE)
#define VACM_VIEW_NOTIFY_BIT (1 << VACM_VIEW_NOTIFY)

/* SNMPTRAPD usage: log execute and net-access (forward) usage */
#define VACM_VIEW_LOG_BIT (1 << VACM_VIEW_LOG)
#define VACM_VIEW_EXECUTE_BIT (1 << VACM_VIEW_EXECUTE)
#define VACM_VIEW_NET_BIT (1 << VACM_VIEW_NET)

#define VACM_VIEW_NO_BITS 0

/* Maximum number of views in the view array */
/* Must stay greater than the largest VACM_VIEW_* index (currently 5). */
#define VACM_MAX_VIEWS 8

/* Name under which the view-type enum is registered. */
#define VACM_VIEW_ENUM_NAME "vacmviews"

/* Registers the VACM tables and their config handlers. */
void init_vacm(void);

/*
 * One row of vacmAccessTable: for a group, context prefix, security model
 * and level, names the view used for each operation type in views[].
 */
struct vacm_accessEntry {
    char groupName[VACMSTRINGLEN];
    char contextPrefix[VACMSTRINGLEN];
    int securityModel;
    int securityLevel;
    int contextMatch;                      /* CONTEXT_MATCH_EXACT or _PREFIX */
    char views[VACM_MAX_VIEWS][VACMSTRINGLEN]; /* indexed by VACM_VIEW_* */
    int storageType;
    int status;

    /* NOTE(review): presumably records which columns have been set while
     * a row is being created; confirm against vacm.c. */
    u_long bitMask;
    struct vacm_accessEntry *reserved;
    struct vacm_accessEntry *next;
};

/*
 * One row of vacmViewTreeFamilyTable: a named view and one OID subtree
 * (with optional wildcard mask) that is included in or excluded from it.
 */
struct vacm_viewEntry {
    char viewName[VACMSTRINGLEN];
    /* Element [0] holds the subtree length; the OID itself follows,
     * hence the +1 over MAX_OID_LEN. */
    oid viewSubtree[MAX_OID_LEN+1]; /* keep len in [0] */
    size_t viewSubtreeLen;
    /* Bit mask over the subtree sub-identifiers (vacmViewTreeFamilyMask);
     * a clear bit makes that sub-identifier a wildcard. */
    u_char viewMask[VACMSTRINGLEN];
    size_t viewMaskLen;
    int viewType;            /* included/excluded, per vacmViewTreeFamilyType */
    int viewStorageType;
    int viewStatus;

    u_long bitMask;

    struct vacm_viewEntry *reserved;
    struct vacm_viewEntry *next;
};

/* Removes the view entry matching (viewName, viewSubtree, viewSubtreeLen). */
NETSNMP_IMPORT
void vacm_destroyViewEntry(const char *, oid *, size_t);
NETSNMP_IMPORT
void vacm_destroyAllViewEntries(void);

/*
 * `mode` argument of vacm_getViewEntry() / netsnmp_view_get().
 * NOTE(review): the names suggest FIND = plain lookup, IGNORE_MASK = match
 * the subtree without applying viewMask, CHECK_SUBTREE = the whole-subtree
 * check used by vacm_checkSubtree(); confirm against vacm.c before relying
 * on this.
 */
#define VACM_MODE_FIND 0
#define VACM_MODE_IGNORE_MASK 1
#define VACM_MODE_CHECK_SUBTREE 2
NETSNMP_IMPORT
struct vacm_viewEntry *vacm_getViewEntry(const char *, oid *, size_t,
                                         int);
/*
 * Returns a pointer to the viewEntry with the
 * same viewName and viewSubtree
 * Returns NULL if that entry does not exist.
 * Arguments: viewName, viewSubtree, viewSubtreeLen, mode (VACM_MODE_*).
 */

NETSNMP_IMPORT
int vacm_checkSubtree(const char *, oid *, size_t);

/*
 * Check to see if everything within a subtree is in view, not in view,
 * or possibly both.
 * Arguments: viewName, subtree OID, subtree OID length.
 *
 * Returns:
 *   VACM_SUCCESS          The OID is included in the view.
 *   VACM_NOTINVIEW        If no entry in the view list includes the
 *                         provided OID, or the OID is explicitly excluded
 *                         from the view.
 *   VACM_SUBTREE_UNKNOWN  The entire subtree has both allowed and
 *                         disallowed portions.
 *
 * Callers must treat anything other than VACM_SUCCESS as "not fully
 * permitted"; VACM_SUBTREE_UNKNOWN means per-OID checks are still needed.
 */

NETSNMP_IMPORT
void
vacm_scanViewInit(void);
/*
 * Initializes the scan routines so that they will begin at the
 * beginning of the list of viewEntries.
 *
 */


NETSNMP_IMPORT
struct vacm_viewEntry *vacm_scanViewNext(void);
/*
 * Returns a pointer to the next viewEntry.
 * These entries are returned in no particular order,
 * but if N entries exist, N calls to vacm_scanViewNext() will
 * return all N entries once.
 * Returns NULL if all entries have been returned.
 * vacm_scanViewInit() starts the scan over.
 * The scan cursor is shared state; do not interleave two scans.
 */

NETSNMP_IMPORT
struct vacm_viewEntry *vacm_createViewEntry(const char *, oid *,
                                            size_t);
/*
 * Creates a viewEntry with the given index
 * and returns a pointer to it.
 * The status of this entry is created as invalid.
 * Arguments: viewName, viewSubtree, viewSubtreeLen. The returned entry
 * is owned by the view list; release it with vacm_destroyViewEntry().
 */

/*
 * Group (vacmSecurityToGroupTable) rows, keyed by (securityModel,
 * securityName). The scan pair mirrors the view scan above.
 */
NETSNMP_IMPORT
void vacm_destroyGroupEntry(int, const char *);
NETSNMP_IMPORT
void vacm_destroyAllGroupEntries(void);
NETSNMP_IMPORT
struct vacm_groupEntry *vacm_createGroupEntry(int, const char *);
NETSNMP_IMPORT
struct vacm_groupEntry *vacm_getGroupEntry(int, const char *);
NETSNMP_IMPORT
void vacm_scanGroupInit(void);
NETSNMP_IMPORT
struct vacm_groupEntry *vacm_scanGroupNext(void);

/*
 * Access (vacmAccessTable) rows, keyed by (groupName, contextPrefix,
 * securityModel, securityLevel), in that argument order.
 */
NETSNMP_IMPORT
void vacm_destroyAccessEntry(const char *, const char *,
                             int, int);
NETSNMP_IMPORT
void vacm_destroyAllAccessEntries(void);
NETSNMP_IMPORT
struct vacm_accessEntry *vacm_createAccessEntry(const char *,
                                                const char *, int,
                                                int);
NETSNMP_IMPORT
struct vacm_accessEntry *vacm_getAccessEntry(const char *,
                                             const char *, int, int);
NETSNMP_IMPORT
void vacm_scanAccessInit(void);
NETSNMP_IMPORT
struct vacm_accessEntry *vacm_scanAccessNext(void);

/*
 * Security entries, keyed by name. struct vacm_securityEntry is not
 * defined in this header (incomplete type here). Note the scan-next
 * routine is named vacm_scanSecurityEntry(), unlike the *Next naming of
 * the other three tables. These are not NETSNMP_IMPORT-exported.
 */
void vacm_destroySecurityEntry(const char *);
struct vacm_securityEntry *vacm_createSecurityEntry(const char *);
struct vacm_securityEntry *vacm_getSecurityEntry(const char *);
void vacm_scanSecurityInit(void);
struct vacm_securityEntry *vacm_scanSecurityEntry(void);
/* Non-zero when VACM configuration is present (exact criterion: see vacm.c). */
NETSNMP_IMPORT
int vacm_is_configured(void);

/*
 * Persistence: write the current tables out as config lines.
 * `token` is the config keyword to emit and `type` the application
 * (config file) the line belongs to. vacm_save() walks all tables; the
 * per-entry variants emit one row each.
 */
void vacm_save(const char *token, const char *type);
void vacm_save_view(struct vacm_viewEntry *view,
                    const char *token, const char *type);
void vacm_save_access(struct vacm_accessEntry *access_entry,
                      const char *token, const char *type);
void vacm_save_auth_access(struct vacm_accessEntry *access_entry,
                           const char *token, const char *type, int authtype);
void vacm_save_group(struct vacm_groupEntry *group_entry,
                     const char *token, const char *type);

/*
 * Config-file parsers for the lines written by the vacm_save_* routines.
 * `line` is the remainder of the config line after `token`; it is
 * operator-supplied text and each parser is responsible for bounding
 * copies into the VACMSTRINGLEN buffers above.
 */
NETSNMP_IMPORT
void vacm_parse_config_view(const char *token, const char *line);
NETSNMP_IMPORT
void vacm_parse_config_group(const char *token,
                             const char *line);
NETSNMP_IMPORT
void vacm_parse_config_access(const char *token,
                              const char *line);
NETSNMP_IMPORT
void vacm_parse_config_auth_access(const char *token,
                                   const char *line);

/*
 * Has the shape of a Net-SNMP callback (majorID, minorID, serverarg,
 * clientarg); presumably registered to persist the VACM tables on store
 * events — confirm against the registration site.
 */
NETSNMP_IMPORT
int store_vacm(int majorID, int minorID, void *serverarg,
               void *clientarg);

/*
 * Looks up a view entry in the list starting at `head`, by viewName and
 * viewSubtree, using one of the VACM_MODE_* values for `mode`.
 * Returns NULL when no matching entry exists.
 */
NETSNMP_IMPORT
struct vacm_viewEntry *netsnmp_view_get(struct vacm_viewEntry *head,
                                        const char *viewName,
                                        oid * viewSubtree,
                                        size_t viewSubtreeLen, int mode);

/*
 * Convenience helpers that create (add) or remove the group/access/view
 * rows giving one USM `user` access at `authLevel`, restricted to `view`
 * over the subtree `oidView` (length oidViewLen) in `context`.
 * NOTE(review): `rw` presumably selects read-write vs. read-only access;
 * the int return presumably follows the VACM_* / SNMPERR convention —
 * confirm against the implementation.
 */
NETSNMP_IMPORT
int netsnmp_vacm_simple_usm_add(const char *user, int rw, int authLevel,
                                const char *view, oid *oidView,
                                size_t oidViewLen, const char *context);

NETSNMP_IMPORT
int netsnmp_vacm_simple_usm_del(const char *user, int authLevel,
                                const char *view, oid *oidView,
                                size_t oidViewLen, const char *context);

#ifdef __cplusplus
}
#endif
#endif /* VACM_H */