/* rbac.h - shared types, schema handles and prototypes for the RBAC overlay */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1999-2021 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* ACKNOWLEDGEMENTS:
 *
 */

#ifndef RBAC_H
#define RBAC_H

LDAP_BEGIN_DECL

#include "ldap_rbac.h"

/* Compile-time switch read by the overlay sources; only defined here. */
#define USE_NEW_THREAD_CONTEXT 1
/* Length of the fixed scratch buffers used by the overlay.
 * NOTE(review): every write into a RBAC_BUFLEN buffer must be bounded by
 * this value (snprintf / explicit length checks) — confirm at each use. */
#define RBAC_BUFLEN 1024

/* tenant initialization op
 * Distinct bit values, so presumably OR-able into one flag word — confirm
 * against rbac_initialize_tenants(). */
#define INIT_AUDIT_CONTAINER 0x01
#define INIT_SESSION_CONTAINER 0x02

/* One entry of an attribute-mapping table: an RBAC attribute code
 * ('type', presumably one of the RBAC_* enumerators below), the attribute
 * name as found in the directory, and a pointer to the slot where the
 * resolved slapd AttributeDescription is stored. */
typedef struct rbac_ad {
	int type;
	struct berval attr;
	AttributeDescription **ad;
} rbac_ad_t;

/* RBAC AttributeDescriptions
 * Resolved descriptions for the overlay's own (internal) schema: tenant,
 * session, session-permission and audit attributes. A single instance,
 * slap_rbac_schema, is shared by the whole overlay. */
struct slap_rbac_internal_schema {
	/* slapd schema */
	AttributeDescription *ad_uid;

	/* RBAC tenant */
	AttributeDescription *ad_tenant_id;

	/* RBAC sessions */
	AttributeDescription *ad_session_id;
	AttributeDescription *ad_session_user_dn;
	AttributeDescription *ad_session_roles;
	AttributeDescription *ad_session_role_constraints;

	/* RBAC session permissions */
	AttributeDescription *ad_permission_opname;
	AttributeDescription *ad_permission_objname;
	AttributeDescription *ad_permission_rolename;

	/* RBAC audit */
	AttributeDescription *ad_audit_op; /* rbac op: create_session */
	AttributeDescription *ad_audit_id;
	AttributeDescription *ad_audit_roles;
	AttributeDescription *ad_audit_requested_roles;
	AttributeDescription *ad_audit_timestamp;
	AttributeDescription *ad_audit_resources;
	AttributeDescription *ad_audit_objects;
	AttributeDescription *ad_audit_operations; /* resource ops */
	AttributeDescription *ad_audit_result;
	AttributeDescription *ad_audit_properties;
	AttributeDescription *ad_audit_messages;

	/* RBAC session attributes: attribute list requested when reading
	 * session entries (NULL-terminated AttributeName array, by slapd
	 * convention — confirm where it is built). */
	AttributeName *session_attrs;
};

/* Defined in the overlay sources; populated at initialization. */
extern struct slap_rbac_internal_schema slap_rbac_schema;

/* attributes in tenant repository
 * Schema handles for the tenant's own directory (the "jts" repository):
 * which attributes carry role assignments, constraints and permissions,
 * plus the attribute lists used for the searches that read them. */
struct slap_rbac_tenant_schema {
	/* user role assignments, role constraints, and user constraint */
	AttributeDescription *ad_role;
	AttributeDescription *ad_role_constraint;
	AttributeDescription *ad_user_constraint;
	AttributeDescription *ad_uid;

	/* session permission */
	AttributeDescription *ad_permission_users;
	AttributeDescription *ad_permission_roles;
	AttributeDescription *ad_permission_objname;
	AttributeDescription *ad_permission_opname;

	/* the list of attributes when doing searches in the jts repo */
	AttributeName *user_attrs;
	AttributeName *perm_attrs; /* attrs to retrieve for check access */
	AttributeName *session_perm_attrs; /* attrs for session permissions */

	/* the corresponding list of attribute description mapping
	 * (parallel to the three AttributeName lists above, entry by entry) */
	rbac_ad_t *user_ads;
	rbac_ad_t *permission_ads;
	rbac_ad_t *session_permissions_ads;
};

/* Defined in the overlay sources; the tenant-repository schema. */
extern struct slap_rbac_tenant_schema slap_rbac_jts_schema;

/* types of RBAC requests
 * A decoded RBAC extended-operation request. Only the members relevant to
 * 'req_type' are meaningful; the groups below say which. Obtain with
 * rbac_alloc_req(), release with rbac_free_req(). */
typedef struct rbac_request {
	int req_type;
	struct berval sessid;
	struct berval tenantid;

	/* session creation */
	struct berval uid;
	struct berval authtok; /* user credential supplied with the request;
	                        * a secret — do not log it. NOTE(review):
	                        * confirm rbac_free_req() zeroizes it. */
	BerVarray roles;
	struct berval role;

	/* check access */
	struct berval opname;
	struct berval objname;
	struct berval objid;
} rbac_req_t;

/* Temporal constraint attached to a user or to a role, parsed from its
 * directory representation by rbac_bv2constraint(); evaluated by
 * rbac_check_time_constraint(). Singly linked via 'next'. */
typedef struct rbac_constraint {
	struct berval name; /* user name or role name */
	int allowed_inactivity; /* secs */
	int begin_time; /* secs */
	int end_time; /* secs */
	lutil_timet begin_date;
	lutil_timet end_date;
	lutil_timet begin_lock_date;
	lutil_timet end_lock_date;
	int day_mask; /* presumably a day-of-week bit mask — confirm in
	               * rbac_bv2constraint() */
	struct rbac_constraint *next;
} rbac_constraint_t;

/* holds RBAC info
 * Per-tenant configuration: where users, roles, permissions, sessions and
 * audit records live, and the identities used to access them. */
typedef struct tenant_info {
	struct berval tid; /* tenant id */
	struct berval admin;
	struct berval pwd; /* bind credential for 'admin' */
	struct berval users_basedn;
	struct berval roles_basedn;
	struct berval audit_basedn;
	struct berval permissions_basedn;
	struct berval sessions_basedn;
	struct berval session_admin;
	struct berval session_admin_pwd; /* bind credential for 'session_admin' */
	/* NOTE(review): 'pwd' and 'session_admin_pwd' are long-lived secrets
	 * held in process memory; keep them out of logs and debug output and
	 * zeroize them when the tenant is torn down. */
	struct slap_rbac_tenant_schema *schema;
} tenant_info_t;

/* Linked list of configured tenants. */
typedef struct rbac_tenant {
	tenant_info_t tenant_info;
	struct rbac_tenant *next;
} rbac_tenant_t;

/* for RBAC callback
 * Context handed to internal-search callbacks: the tenant being queried
 * and an operation-specific private pointer. */
typedef struct rbac_callback_info {
	tenant_info_t *tenantp;
	void *private;
} rbac_callback_info_t;

/* RBAC user
 * A user as read from the tenant repository by rbac_read_user(); release
 * with rbac_free_user(). */
typedef struct rbac_user {
	struct berval tenantid;
	struct berval uid;
	struct berval dn;
	struct berval constraints;
	struct berval password; /* secret — do not log */
	struct berval msg;
	int authz; /* flag for bind (pwd policy) info */
	BerVarray roles;
	BerVarray role_constraints;
#if 0 /* additional parameters from Fortress; excluded from compilation,
       * kept as a reference list of attributes not modelled here */
	private String userId;
	@XmlElement(nillable = true)
	private char[] password;
	@XmlElement(nillable = true)
	private char[] newPassword;
	private String internalId;
	@XmlElement(nillable = true)
	private List<UserRole> roles;
	@XmlElement(nillable = true)
	private List<UserAdminRole> adminRoles;
	private String pwPolicy;
	private String cn;
	private String sn;
	private String dn;
	private String ou;
	private String description;
	private String beginTime;
	private String endTime;
	private String beginDate;
	private String endDate;
	private String beginLockDate;
	private String endLockDate;
	private String dayMask;
	private String name;
	private int timeout;
	private boolean reset;
	private boolean locked;
	private Boolean system;
	@XmlElement(nillable = true)
	private Props props = new Props();
	@XmlElement(nillable = true)
	private Address address;
	@XmlElement(nillable = true)
	private List<String> phones;
	@XmlElement(nillable = true)
	private List<String> mobiles;
	@XmlElement(nillable = true)
	private List<String> emails;
#endif /* 0 */
} rbac_user_t;

/* Codes for the overlay's configuration keywords and attribute mappings.
 * RBAC_LAST is a sentinel so the next enum can continue the numbering. */
enum {
	RBAC_NONE = 0,
	RBAC_TENANT,
	RBAC_TENANT_ID,
	RBAC_USERS_BASE_DN,
	RBAC_ROLES_BASE_DN,
	RBAC_PERMISSIONS_BASE_DN,
	RBAC_ADMIN_DN,
	RBAC_ADMIN_PWD,
	RBAC_SESSIONS_BASE_DN,
	RBAC_SESSION_ADMIN_DN,
	RBAC_SESSION_ADMIN_PWD,
	RBAC_ROLE_ASSIGNMENT,
	RBAC_ROLE_CONSTRAINTS,
	RBAC_USER_CONSTRAINTS,
	RBAC_UID,
	RBAC_USERS,
	RBAC_ROLES,
	RBAC_OBJ_NAME,
	RBAC_OP_NAME,
	RBAC_ROLE_NAME,
	RBAC_SESSION_ID,
	RBAC_USER_DN,
	RBAC_AUDIT_ROLES,
	RBAC_AUDIT_RESOURCES,
	RBAC_AUDIT_RESULT,
	RBAC_AUDIT_TIMESTAMP,
	RBAC_AUDIT_PROPERTIES,
	RBAC_AUDIT_OP,
	RBAC_AUDIT_ID,
	RBAC_AUDIT_REQUESTED_ROLES,
	RBAC_AUDIT_OBJS,
	RBAC_AUDIT_OPS,
	RBAC_AUDIT_MSGS,
	RBAC_LAST
};

/* Codes for the default-tenant settings; numbered after RBAC_LAST so they
 * never collide with the codes above. */
enum {
	RBAC_DEFAULT_TENANT_ID = RBAC_LAST,
	RBAC_DEFAULT_USERS_BASE_DN,
	RBAC_DEFAULT_PERMISSIONS_BASE_DN,
	RBAC_DEFAULT_ROLES_BASE_DN,
	RBAC_DEFAULT_SESSIONS_BASE_DN,
	RBAC_DEFAULT_AUDIT_BASE_DN
};

/* Singly linked list of user ids (NUL-terminated C strings). */
typedef struct rbac_user_idlist {
	char *user_id;
	struct rbac_user_idlist *next;
} rbac_user_idlist_t;

/* RBAC sessions
 * RDN prefixes ("attr=") used when composing session and audit entry DNs
 * under the tenant's sessions_basedn / audit_basedn (presumably; confirm
 * in rbac_register_session() and rbac_audit()). */
#define RBAC_SESSION_RDN_EQ "rbacSessid="
#define RBAC_AUDIT_RDN_EQ "rbacAuditId="

/* An active RBAC session. Allocate with rbac_alloc_session(), persist with
 * rbac_register_session(), release with rbac_free_session(). */
typedef struct rbac_session {
	rbac_user_t *user;
	struct berval tenantid;
	struct berval sessid;
	struct berval uid;
	struct berval userdn;
	char uuidbuf[ LDAP_LUTIL_UUIDSTR_BUFSIZE ]; /* storage for the session
	                                             * id string; sessid
	                                             * presumably points here
	                                             * — confirm */
	struct berval sessdn;
	long last_access;
	int timeout;
	int warning_id;
	int error_id;
	int grace_logins;
	int expiration_secs;
	int is_authenticated; /* boolean */
	struct berval message;
	BerVarray roles;
	BerVarray role_constraints;
} rbac_session_t;

/* RBAC roles
 * A role node with an optional parent (role hierarchy) and list link. */
typedef struct rbac_role {
	char *name;
	char *description;
	struct rbac_role *parent;
	struct rbac_role *next;
} rbac_role_t;

/* Flat list of role names. */
typedef struct rbac_role_list {
	char *name;
	struct rbac_role_list *next;
} rbac_role_list_t;

/* RBAC permissions
 * A permission entry as read by rbac_read_permission(); release with
 * rbac_free_permission(). 'roles' and 'uids' are the principals the
 * permission is granted to. */
typedef struct rbac_permission {
	struct berval dn;
	int admin; /* boolean */
	struct berval internalId;
	BerVarray opName;
	BerVarray objName;
	struct berval objectId;
	struct berval abstractName;
	struct berval type;
	BerVarray roles;
	BerVarray uids;
	struct rbac_permission *next;
} rbac_permission_t;

/* RBAC Audit
 * Operation being audited; passed to rbac_audit() and recorded in the
 * audit entry's ad_audit_op attribute. */
typedef enum {
	CreateSession = 0,
	CheckAccess,
	AddActiveRole,
	DropActiveRole,
	SessionPermissions,
	DeleteSession,
	SessionRoles
} audit_op_t;

/* function prototypes
 * Return conventions are not spelled out in this header; the int-returning
 * functions presumably follow slapd's LDAP result-code convention (0 on
 * success) — confirm against the definitions. */

/* Resolve the internal schema (slap_rbac_schema). */
int rbac_initialize_repository( void );
/* Resolve tenant schema and create per-tenant containers (see the
 * INIT_*_CONTAINER flags); errors are reported through 'cr'. */
int rbac_initialize_tenants( BackendDB *be, ConfigReply *cr );

/* RBAC tenant information: look up a tenant by id; NULL when unknown
 * (presumably). */
tenant_info_t *rbac_tid2tenant( struct berval *tid );

/* Allocate a request of the given type / release it and everything it owns. */
rbac_req_t *rbac_alloc_req( int type );
void rbac_free_req( rbac_req_t *reqp );

/* Read the user named by the request from the tenant repository.
 * NOTE(review): the parameter is spelled 'rabc_reqp' in this prototype;
 * harmless, but the definition may use 'rbac_reqp'. */
rbac_user_t *rbac_read_user( Operation *op, rbac_req_t *rabc_reqp );
/* Verify the user's credential (user->password against the directory). */
int rbac_authenticate_user( Operation *op, rbac_user_t *user );
/* Evaluate the user's own temporal constraint. */
int rbac_user_temporal_constraint( rbac_user_t *userp );
/* Release a user returned by rbac_read_user(). */
void rbac_free_user( rbac_user_t *user );

/* Session lifecycle. */
rbac_session_t *rbac_alloc_session( void );
/* Syntactic validity of a client-supplied session id — the first check a
 * session-bearing request should pass before any lookup. */
int rbac_is_valid_session_id( struct berval *sessid );
/* Locate the session named by reqp->sessid. */
rbac_session_t *rbac_session_byid( Operation *op, rbac_req_t *reqp );
/* Whether the requester is the owner of the session (authorization
 * check for operations on an existing session). */
int rbac_is_session_owner( rbac_session_t *sessp, rbac_req_t *reqp );
/* Persist a new session entry in the tenant's sessions container. */
int rbac_register_session( Operation *op, SlapReply *rs, rbac_session_t *sess );
/* Remove a session entry from the directory. */
int rbac_int_delete_session( Operation *op, rbac_session_t *sessp );
/* Add / drop an active role in a session. */
int rbac_session_add_role(
		Operation *op,
		rbac_session_t *sessp,
		rbac_req_t *reqp );
int rbac_session_drop_role(
		Operation *op,
		rbac_session_t *sessp,
		rbac_req_t *reqp );
/* Compute the permissions currently granted to the session. */
int rbac_int_session_permissions(
		Operation *op,
		SlapReply *rs,
		rbac_req_t *reqp,
		rbac_session_t *sessp );
/* Activate the requested roles in the session, limited to those assigned
 * to the user (presumably — confirm in the definition). */
int activate_session_roles(
		rbac_session_t *sessp,
		rbac_req_t *reqp,
		rbac_user_t *userp );
/* Release a session and everything it owns. */
void rbac_free_session( rbac_session_t *sessp );

/* Constraint handling. */
/* Parse a list of role-constraint values into a constraint list. */
rbac_constraint_t *rbac_user_role_constraints( BerVarray values );
/* Find the constraint for 'role' in a constraint list; NULL if none. */
rbac_constraint_t *rbac_role2constraint(
		struct berval *role,
		rbac_constraint_t *role_constraints );
/* Parse one constraint value; NULL on malformed input (presumably). */
rbac_constraint_t *rbac_bv2constraint( struct berval *bv );
/* Evaluate a constraint against the current time. */
int rbac_check_time_constraint( rbac_constraint_t *cp );
/* Release one constraint / a whole list. */
void rbac_free_constraint( rbac_constraint_t *cp );
void rbac_free_constraints( rbac_constraint_t *constraints );

/* Permission handling. */
/* Read the permission named by reqp->opname / reqp->objname. */
rbac_permission_t *rbac_read_permission( Operation *op, rbac_req_t *rbac_reqp );
/* Decide whether the session's active roles (subject to their constraints)
 * grant the permission. */
int rbac_check_session_permission(
		rbac_session_t *sessp,
		rbac_permission_t *permp,
		rbac_constraint_t *role_constraints );
/* Release a permission returned by rbac_read_permission(). */
void rbac_free_permission( rbac_permission_t *permp );

/* audit functions
 * Record an audit entry for 'rbac_op'. 'msg' is free text stored in the
 * entry; NOTE(review): it must be written as data, never used as a format
 * string — confirm in the definition. */
void rbac_audit(
		Operation *op,
		audit_op_t rbac_op,
		rbac_session_t *sessp,
		rbac_req_t *reqp,
		int result,
		char *msg );

/* acl functions
 * Access-control check applied before a session is created for 'userp'. */
int rbac_create_session_acl_check( struct berval *sessid, rbac_user_t *userp );

/* Lower-case the bytes of 'bv' (presumably in place). */
void rbac_to_lower( struct berval *bv );

LDAP_END_DECL

#endif /* RBAC_H */