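/* zxid.h - Definitions for zxid CGI
 * Copyright (c) 2012-2013 Synergetics NV (sampo@synergetics.be), All Rights Reserved.
 * Copyright (c) 2009-2011 Sampo Kellomaki (sampo@iki.fi), All Rights Reserved.
 * Copyright (c) 2006-2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
 * Author: Sampo Kellomaki (sampo@iki.fi)
 * This is confidential unpublished proprietary source code of the author.
 * NO WARRANTY, not even implied warranties. Contains trade secrets.
 * Distribution prohibited unless authorized in writing.
 * Licensed under Apache License 2.0, see file COPYING.
 * $Id: zxid.h,v 1.94 2010-01-08 02:10:09 sampo Exp $
 *
 * 12.8.2006, created --Sampo
 * 18.11.2006, log signing support --Sampo
 * 12.10.2007, new conf options --Sampo
 * 22.2.2008, added path_supplied feature --Sampo
 * 4.10.2008, added documentation --Sampo
 * 29.9.2009, added PDP_URL --Sampo
 * 7.1.2010, added WSC and WSP signing options --Sampo
 * 26.5.2010, reworked typedefs --Sampo
 * 31.5.2010, eliminated many include dependencies from the public API --Sampo
 * 13.11.2010, added ZXID_DECL for benefit of the Windows port --Sampo
 * 12.12.2010, separate zxidpriv.h and zxidutil.h from zxid.h --Sampo
 * 17.8.2012, added audit bus configuration --Sampo
 * 16.2.2013, added WD option --Sampo
 * 14.3.2013 added language/skin dependent templates --Sampo
 * 21.6.2013, added wsp_pat --Sampo
 * 18.12.2015, applied patch from soconnor, perceptyx --Sampo
 *
 * Public data structures (configuration, parsed CGI input, session) and
 * the entry points of the zxid_simple() API. Everything here is part of
 * the ABI: field order of the structs below must not be changed.
 */

#ifndef _zxid_h
#define _zxid_h

#include <memory.h>     /* Legacy; <string.h> below already declares the mem* functions. */
#include <string.h>
#include <sys/time.h>   /* for struct timeval */
#ifdef USE_CURL
#include <curl/curl.h>
#endif
#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#endif

/*(c) ZXID configuration and working directory path
 * Where metadata cache and session files are created. Note that the directory
 * is not hashed: you should use a file system that scales easily to oodles
 * of small files in one directory. Say `zxcot -dirs' (or `make dir') to create
 * the directory with proper layout. If you change it here, also edit Makefile. */
#ifndef ZXID_PATH
#ifdef MINGW
#define ZXID_PATH "c:/var/zxid/"
#else
#define ZXID_PATH "/var/zxid/"
#endif
#endif

#ifndef ZXID_CONF_FILE
#define ZXID_CONF_FILE "zxid.conf"
#endif

#ifndef ZXID_CONF_PATH
#define ZXID_CONF_PATH ZXID_PATH ZXID_CONF_FILE
#endif

/* Name of the configuration variable that may override the path (see cpath_supplied). */
#ifndef ZXID_PATH_OPT
#define ZXID_PATH_OPT "ZXPATH"
#endif

/* Prefix of environment variables that carry configuration. */
#ifndef ZXID_ENV_PREFIX
#define ZXID_ENV_PREFIX "ZXID_"
#endif

#include <zx/zx.h>

/* ZXID_DECL allows all API functions to be qualified with a declaration, such
 * as relating to the calling convention (e.g. c-decl). Such qualification
 * is very important in the Windows environment. In such environment ZXID_DECL
 * will be defined in Makefile to cause the desired effect. */

#ifndef ZXID_DECL
#define ZXID_DECL
#endif

#ifdef __cplusplus
extern "C" {
#endif

#ifdef ZXID_FULL_HEADERS
#include "c/zx-data.h"  /* Generated. If missing, run `make dep ENA_GEN=1' */
#else
/* Since we only need pointers to these generated structures, we do not
 * really need to include (or ship) c/zx-data.h. Just forward declare
 * them here. (Each tag is declared once; the earlier duplicate declarations
 * of zx_sa11_Assertion_s and zx_ff12_Assertion_s were redundant.) */
struct zx_root_s;
struct zx_e_Envelope_s;
struct zx_e_Header_s;
struct zx_e_Body_s;
struct zx_e_Fault_s;
struct zx_tas3_Status_s;
struct zx_a_EndpointReference_s;
struct zx_sa_EncryptedAssertion_s;
struct zx_sa_Assertion_s;
struct zx_sa_NameID_s;
struct zx_sa_EncryptedID_s;
struct zx_sa_Issuer_s;
struct zx_sa_Attribute_s;
struct zx_sec_Token_s;
struct zx_lu_Status_s;
struct zx_sp_Status_s;
struct zx_sp_NewEncryptedID_s;
struct zx_sa11_Assertion_s;
struct zx_ff12_Assertion_s;
struct zx_ds_Signature_s;
struct zx_ds_Reference_s;
struct zx_ds_KeyInfo_s;
struct zx_xenc_EncryptedData_s;
struct zx_xenc_EncryptedKey_s;
#endif

/* Magic values stored in the first field of the three main structures so that
 * a pointer of the wrong kind can be detected at run time. */
#define ZXID_CONF_MAGIC 0x900dc07f
#define ZXID_CGI_MAGIC  0x900d0c91
#define ZXID_SES_MAGIC  0x900d05e5

/*(s) Entity or Provider, as identified by an Entity ID or Provider ID. */

struct zxid_entity_s {
  struct zxid_entity_s* n;
  struct zxid_entity_s* n_cdc;   /* *** not thread safe */
  char* eid;                     /* Entity ID. Always nul terminated. */
  char* dpy_name;                /* OrganizationDisplayName. Always nul terminated. */
  char* button_url;              /* OrganizationURL. Used for branding buttons in IdP sel screen, etc. */
  char sha1_name[28];            /* 27 chars (+1 that is overwritten with nul) */
  struct zx_md_EntityDescriptor_s* ed;  /* Metadata */
  struct zxid_map* aamap;        /* Optional. Read from /var/zxid/idpuid/.all/sp_name_buf/.cf */
#ifdef USE_OPENSSL
  X509* tls_cert;
  X509* sign_cert;
  X509* enc_cert;
#endif
};

typedef struct zxid_entity_s zxid_entity;
typedef struct zx_sa_NameID_s zxid_nid;
typedef struct zx_sa_Assertion_s zxid_a7n;
typedef struct zx_sec_Token_s zxid_tok;
typedef struct zx_a_EndpointReference_s zxid_epr;  /* Nice name for EPR. May eventually evolve to struct */
typedef struct zx_tas3_Status_s zxid_tas3_status;  /* Nice name for TAS3 status */
typedef struct zx_e_Fault_s zxid_fault;            /* Nice name for SOAP faults */
typedef struct zxid_conf zxid_conf;
typedef struct zxid_cgi zxid_cgi;
typedef struct zxid_ses zxid_ses;

/*(s) The zxid_conf structure is passed, as cf argument, to nearly every
 * function in zxid API. It is effectively used as "global" storage
 * for ZXID, facilitating thread safe operation. In particular, it
 * contains the ZX context that is used for thread safe memory
 * allocation. However, ZXID itself does not perform any locking
 * around zxid_conf. If you write a multithreaded program and your
 * design allows the same configuration to be accessed from multiple
 * threads (sometimes you can design your program so that this simply
 * does not happen - each one has its own configuration),
 * then you must perform locking. Often this would
 * mean bracketing every call to zxid API function with lock-unlock.
 *
 * zxid_conf also contains a "cache" of the entity's own certificates
 * and private keys. If your program handles multiple entities, you
 * should have one zxid_conf object for each entity.
 *
 * Most of the other fields of zxid_conf are simply configuration
 * options. See <<see: zxidconf.h>> for their documentation. */

struct zxid_conf {
  unsigned int magic;            /* ZXID_CONF_MAGIC */
  struct zx_ctx* ctx;            /* ZX parsing context. Usually used for memory allocation. */
  zxid_entity* cot;              /* Linked list of metadata for CoT partners (in-memory CoT cache) */
  int cpath_supplied;            /* FLAG: If config variable PATH is supplied, it may trigger reading config file from the supplied location. */
  int cpath_len;
  char* cpath;                   /* Config PATH */
  char* burl;                    /* Base URL */
  char* non_standard_entityid;
  char* redirect_hack_imposed_url;
  char* redirect_hack_zxid_url;
  char* redirect_hack_zxid_qs;
  char* cdc_url;
  char* md_authority;

  char cdc_choice;
  char md_fetch;                 /* Auto-CoT */
  char md_populate_cache;
  char md_cache_first;
  char md_cache_last;
  char auto_cert;
  char idp_ena;
  char imps_ena;

  char as_ena;
  char pdp_ena;
  char authn_req_sign;
  char want_authn_req_signed;
  char want_sso_a7n_signed;
  char sso_soap_sign;
  char sso_soap_resp_sign;
  char sso_sign;                 /* Which components should be signed in SSO Response and Assertion */

  char wsc_sign;                 /* Which parts of a web service request to sign */
  char wsp_sign;                 /* Which parts of a web service response to sign */
  char nameid_enc;               /* Should NameID be encrypted in SLO and MNI requests. */
  char post_a7n_enc;
  char di_allow_create;
  char di_nid_fmt;
  char di_a7n_enc;
  char show_conf;

  char sig_fatal;
  char nosig_fatal;
  char msg_sig_ok;
  char timeout_fatal;
  char audience_fatal;
  char dup_a7n_fatal;
  char dup_msg_fatal;
  char relto_fatal;

  char wsp_nosig_fatal;
  char notimestamp_fatal;
  char canon_inopt;
  char enc_tail_opt;
  char enckey_opt;
  char idpatopt;
  char idp_list_meth;
  char cpn_ena;

  char* affiliation;
  char* nice_name;               /* Human readable "nice" name. Used in AuthnReq->ProviderName */
  char* button_url;              /* OrganizationURL. Used for branding buttons. */
  char* pref_button_size;        /* Preferred branding button size (others are ignored). */
  char* org_name;
  /*char* org_url; renamed as button_url and given new semantics */
  char* locality;                /* Used for CSR locality (L) field. */
  char* state;                   /* Used for CSR state (ST) field. */
  char* country;                 /* Used for CSR country (C) field. */
  char* contact_org;
  char* contact_name;
  char* contact_email;
  char* contact_tel;
  char* fedusername_suffix;      /* Default is computed from url domain name part when url is set. */
  char* ses_arch_dir;            /* Place where dead sessions go. 0=rm */
  char* ses_cookie_name;
  char* ptm_cookie_name;
  char* ipport;                  /* Source IP and port for logging, e.g: "1.2.3.4:5" */

  char* load_cot_cache;
  char* wspcgicmd;
  char* anon_ok;
  char* optional_login_pat;
  char** required_authnctx;      /* Array of acceptable authentication context class refs */
  struct zxid_cstr_list* issue_authnctx;  /* What authentication context IdP issues for different authentication methods. */
  char* idp_pref_acs_binding;
  char* mandatory_attr;
  int before_slop;
  int after_slop;
  int timeskew;
  int a7nttl;
  char* pdp_url;                 /* If non-NULL, the inline PEP is enabled and PDP at URL is called. */
  char* pdp_call_url;            /* PDP URL for zxid_az() API */
  char* xasp_vers;
  char* trustpdp_url;
  char* defaultqs;
  char* wsp_pat;
  char* uma_pat;
  char* sso_pat;
  char* mod_saml_attr_prefix;    /* Prefix for req variables in mod_auth_saml */
  char* wsc_to_hdr;
  char* wsc_replyto_hdr;
  char* wsc_action_hdr;
  char* soap_action_hdr;
  char* wsc_soap_content_type;

  struct zxid_need* need;
  struct zxid_need* want;
  struct zxid_atsrc* attrsrc;
  struct zxid_map* aamap;        /* Read from /var/zxid/idpuid/.all/.bs/.cf */
  struct zxid_map* inmap;
  struct zxid_map* outmap;
  struct zxid_map* pepmap;
  struct zxid_map* pepmap_rqout;
  struct zxid_map* pepmap_rqin;
  struct zxid_map* pepmap_rsout;
  struct zxid_map* pepmap_rsin;

  struct zxid_cstr_list* localpdp_role_permit;
  struct zxid_cstr_list* localpdp_role_deny;
  struct zxid_cstr_list* localpdp_idpnid_permit;
  struct zxid_cstr_list* localpdp_idpnid_deny;

  char* wsc_localpdp_obl_pledge;
  struct zxid_obl_list* wsp_localpdp_obl_req;
  char* wsp_localpdp_obl_emit;
  struct zxid_obl_list* wsc_localpdp_obl_accept;

  struct zxid_map* unix_grp_az_map;

  int bootstrap_level;           /* How many layers of bootstraps are generated. */
  int max_soap_retry;            /* How many times a ID-WSF SOAP call can be retried (update EPR) */

  char* idp_sel_start;           /* HTML headers, start of page, side bars */
  char* idp_sel_new_idp;         /* Auto-CoT fields */
  char* idp_sel_our_eid;         /* Our EID advice */
  char* idp_sel_tech_user;       /* Technical options user might choose */
  char* idp_sel_tech_site;       /* Technical options site admin sets (hidden) */
  char* idp_sel_footer;          /* End of page stuff, after form */
  char* idp_sel_end;             /* End of page, after version string */
  char* idp_sel_page;            /* URL for IdP selection Page. */
  char* idp_sel_templ_file;      /* Path to template, e.g. idp-sel.html */
  char* idp_sel_templ;           /* Default template used in case template at path can not be found. */

  char* an_page;                 /* URL for Authentication Page. */
  char* an_templ_file;           /* Path to template, e.g. an-main.html */
  char* an_templ;                /* Default template used in case template at path can not be found. */

  char* post_templ_file;         /* Path to template, e.g. post.html */
  char* post_templ;              /* Default template used in case template at path can not be found. */

  char* err_page;                /* URL for Error Message Page. */
  char* err_templ_file;          /* Path to template, e.g. err.html */
  char* err_templ;               /* Default template used in case template at path can not be found. */

  char* new_user_page;           /* URL to redirect to for new user creation */
  char* recover_passwd;
  char* atsel_page;

  char* mgmt_start;              /* HTML headers, start of page, side bars */
  char* mgmt_logout;             /* Logout buttons */
  char* mgmt_defed;              /* Defederation buttons */
  char* mgmt_footer;             /* End of page stuff, after form */
  char* mgmt_end;                /* End of page, after version string */

  char* dbg;                     /* Debug message that may be shown. */
  char* wd;                      /* Forced working directory. */

  struct zxid_bus_url* bus_url;  /* Audit bus URLs to contact. */
  char* bus_pw;                  /* Audit bus password if not using ClientTLS. Secret: keep out of logs and debug output. */

  char log_err;                  /* Log enables and signing and encryption flags (if USE_OPENSSL) */
  char log_act;
  char log_issue_a7n;
  char log_issue_msg;
  char log_rely_a7n;
  char log_rely_msg;
  char log_err_in_act;           /* Log errors to action log flag (may also log to error log) */
  char log_act_in_err;           /* Log actions to error log flag (may also log to action log) */

  char log_sigfail_is_err;       /* Log signature failures to error log */
  char log_level;                /* act log level: 0=audit, 1=audit+extio, 2=audit+extio+events */
  char user_local;               /* Whether local user accounts should be maintained. */
  char redir_to_content;         /* Should explicit redirect to content be used (vs. internal redir) */
  char remote_user_ena;
  char show_tech;
  char bare_url_entityid;
  char loguser;

  char az_opt;                   /* Kludgy options for AZ debugging and to work-around bugs of others */
  char valid_opt;                /* Kludgy options for AZ debugging and to work-around bugs of others */
  char idp_pxy_ena;
  char oaz_jwt_sigenc_alg;       /* What signature and encryption to apply to issued JWT (OAUTH2) */
  char bus_rcpt;                 /* Audit Bus receipt enable and signing flags */
  char az_fail_mode;             /* What to do when authorization can not be done */
  char md_authority_ena;
  char backwards_compat_ena;     /* Enable CBC (instead of GCM) and PKCS#1 v1.5 padding, both of which are vulnerable and can compromise modern crypto through Backwards Compatibility Attacks. Leave disabled unless a legacy peer requires it. */

  char* xmldsig_sig_meth;
  char* xmldsig_digest_algo;
  char* samlsig_digest_algo;
  char* blobsig_digest_algo;

#ifdef USE_CURL
  CURL* curl;
#endif
#ifdef USE_PTHREAD
  struct zx_lock mx;
  struct zx_lock curl_mx;        /* Avoid holding the main lock for duration of HTTP request */
#endif
#ifdef USE_OPENSSL
  EVP_PKEY* sign_pkey;
  X509* sign_cert;
  EVP_PKEY* enc_pkey;
  X509* enc_cert;

  /* The three symmetric keys below are secrets held in process memory.
   * NOTE(review): confirm that whatever tears down a zxid_conf zeroizes them. */
  char psobj_symkey[20];         /* sha1 hash of key data */
  char log_symkey[20];           /* sha1 hash of key data */
  char hmac_key[20];             /* sha1 hash of key data */
  EVP_PKEY* log_sign_pkey;
  X509* log_enc_cert;
  SSL_CTX* ssl_ctx;
#endif
};

/*(s) Query string, or post, is parsed into the following structure. If a variable
 * is not present, it will be left as NULL. Note that this structure
 * mixes fields from all forms that ZXID might display or process. ZXID ignores
 * any field that is not explicitly foreseen here and in zxidcgi.c, i.e.
 * there is no generic hash structure.
 *
 * Every string field here originates from the HTTP request and is untrusted
 * input: it must be validated before being used in a file path, a redirect,
 * or rendered HTML. */

struct zxid_cgi {
  unsigned int magic;            /* ZXID_CGI_MAGIC */
  char op;                       /* o= What should be done now. */
  char pr_ix;                    /* i= Index to protocol profile (typically for login) */
  char allow_create;             /* fc= Is federation permitted (allow creation of new federation) */
  char ispassive;                /* fp= Whether IdP is allowed to seize user interface (e.g. ask password) */
  char force_authn;              /* ff= Whether IdP SHOULD authenticate the user anew. */
  char enc_hint;                 /* Hint: Should NID be encrypted in SLO and MNI, see also cf->nameid_enc */
  char atselafter;               /* at= Attribute selection requested checkbox. */
  char mob;                      /* Mobile device flag, detected from HTTP_USER_AGENT */
  char* sid;                     /* If session is already active, the session ID. */
  char* nid;                     /* NameID of the user. */
  char* uid;                     /* au= Form field for user. */
  char* pw;                      /* ap= Form field for password. Credential: never log or echo back. */
  char* pin;                     /* aq= Form field for pin code (second password, used in 2 factor Yubikey). Credential: never log. */
  char* ssoreq;                  /* ar= Used for conveying original AuthnReq through authn phase. */
  char* cdc;                     /* c= Common Domain Cookie, returned by the CDC reader, also succinctID */
  char* eid;                     /* e=, d= Entity ID of an IdP (typically for login) */
  char* nid_fmt;                 /* fn= Name ID format */
  char* affil;                   /* fq= SP NameQualifier (such as in affiliation of SPs) */
  char* consent;                 /* fy= Whether user consented to the operation and how. */
  char* matching_rule;           /* fm= How authn_ctx is to be matched by IdP. */
  char* authn_ctx;               /* fa= What kind of authentication the IdP should assert towards SP. */
  char* pxy_count;               /* ProxyCount for triggering IdP proxying */
  char* get_complete;            /* GetComplete URL for IdP proxying */
  char* idppxylist;              /* IDPList for IdP proxying */
  char* rs;                      /* RelayState in redirect profile. mod_auth_saml, SSO servlet: def-sb64 armored uri to access after SSO. Caller-supplied redirect target; validate before redirecting. */
  char* newnym;                  /* New NameID for MNI/nireg. Empty for federation termination. */
  char* saml_art;                /* SAMLart=... artifact, as in artifact consumer URL. */
  char* saml_resp;               /* SAMLResponse=... in redirect profile */
  char* saml_req;                /* SAMLRequest=... in redirect profile */
  char* sigalg;                  /* SigAlg=... in redirect profile */
  char* sig;                     /* Signature=... in redirect profile */
  char* sigval;                  /* Signature validation code (as logged, VVV in zxid-log.pd, section "Log Line Format") */
  char* sigmsg;                  /* Signature validation message */
  char* err;                     /* When rendering screens: used to put error message to screen. */
  char* msg;                     /* When rendering screens: used to put info message to screen. */
  char* dbg;                     /* When rendering screens: used to put debug message to screen. */
  char* zxapp;                   /* Deployment specific application parameter passed in some querystrings. */
  char* zxrfr;                   /* ZX Referer. Indicates to some external pages why user was redirected. */
  char* redirafter;              /* On IdP, if local login is desired, the next page */
  char* ok;                      /* Ok button in some forms */
  char* templ;                   /* Template name in some forms (used to implement tabs, e.g. in idpsel) */
  char* sp_eid;                  /* IdP An for to generate page */
  char* sp_dpy_name;
  char* sp_button_url;
  char* rest;                    /* OAUTH2 Resource Set Registration: RESTful part of the URI */
  char* response_type;           /* OAuth2 / OpenID-Connect (OIDC1), used to detect An/Az req */
  char* client_id;               /* OAuth2 */
  char* scope;                   /* OAuth2 */
  char* redirect_uri;            /* OAuth2, also decoded RelayState in SAML. Must be matched against the registered URI before use. */
  char* nonce;                   /* OAuth2 */
  char* state;                   /* OAuth2 (like SAML RelayState) */
  char* display;                 /* OAuth2 */
  char* prompt;                  /* OAuth2 */
  char* access_token;            /* OAuth2 */
  char* refresh_token;           /* OAuth2 */
  char* token_type;              /* OAuth2 */
  char* grant_type;              /* OAuth2 */
  char* code;                    /* OAuth2 */
  char* id_token;                /* OAuth2 */
  int expires_in;                /* OAuth2 */
  char* iss;                     /* OAuth2 */
  char* user_id;                 /* OAuth2 */
  char* aud;                     /* OAuth2 */
  char* exp;                     /* OAuth2 */
  char* iso29115;                /* OAuth2 */
  char* schema;                  /* OAuth2 */
  char* id;                      /* OAuth2 */
#if 0
  char* name;                    /* OAuth2 */
  char* given_name;              /* OAuth2 */
  char* family_name;             /* OAuth2 */
  char* middle_name;             /* OAuth2 */
  char* nickname;                /* OAuth2 */
  char* profile;                 /* OAuth2 */
  char* picture;                 /* OAuth2 */
  char* website;                 /* OAuth2 */
  char* email;                   /* OAuth2 */
  char* verified;                /* OAuth2 */
  char* gender;                  /* OAuth2 */
  char* birthday;                /* OAuth2 */
  char* zoneinfo;                /* OAuth2 */
  char* locale;                  /* OAuth2 */
  char* phone_number;            /* OAuth2 */
  char* address;                 /* OAuth2 */
  char* updated_time;            /* OAuth2 */
#endif
  char* inv;                     /* Invitation ID */
  char* pcode;                   /* Mobile pairing code */
  char* skin;
  char* action_url;              /* <form action=URL> in some forms, such as post.html */
  char* uri_path;                /* SCRIPT_NAME or other URI path */
  char* qs;                      /* QUERY_STRING */
  char* post;                    /* Unparsed body of a POST */
  zxid_entity* idp_list;         /* IdPs from CDC */
};

/*(s) Session is parsed into following structure. */

struct zxid_ses {
  unsigned int magic;            /* ZXID_SES_MAGIC */
  char* sid;                     /* Session ID. Same as in cookie, same as file name */
  char* uid;                     /* Local uid (only if local login, like in IdP) */
  char* nid;                     /* String representation of Subject NameID. See also nameid. */
  char* tgt;                     /* String representation of Target NameID. See also nameid. */
  char* sesix;                   /* SessionIndex */
  char* ipport;                  /* Source IP and port for logging, e.g: "1.2.3.4:5" */
  char* wsc_msgid;               /* Request MessageID, to facilitate Response RelatesTo validation at WSC. */
  struct zx_str* wsp_msgid;      /* Request MessageID, to facilitate Response RelatesTo generation at WSP. */
  char* an_ctx;                  /* Authentication Context (esp in IdP. On SP look inside a7n). */
  char nidfmt;                   /* Subject nameid format: 0=tmp NameID, 1=persistent */
  char tgtfmt;                   /* Target nameid format: 0=tmp NameID, 1=persistent */
  char sigres;                   /* Signature validation code */
  char ssores;                   /* Overall success of SSO 0==OK */
  char* sso_a7n_path;            /* Reference to the SSO assertion (needed for SLO) */
  char* tgt_a7n_path;            /* Reference to target identity assertion */
  char* setcookie;               /* If set, the content rendering should include set-cookie header. */
  char* setptmcookie;            /* For PTM related set-cookie header. */
  char* cookie;                  /* Cookie seen by downstream internal requests after SSO. */
  char* rs;                      /* RelayState at SSO. mod_auth_saml uses this as URI after SSO. */
  char* rcvd_usagedir;           /* Received Usage Directives. Populated by zxid_wsc_validate_resp_env() */
  long an_instant;               /* IdP: Unix seconds when authentication was performed. Used in an_stmt */
  zxid_nid* nameid;              /* From a7n or EncryptedID */
  zxid_nid* tgtnameid;           /* From a7n or EncryptedID */
  zxid_a7n* a7n;                 /* SAML 2.0 for Subject */
  zxid_a7n* tgta7n;              /* SAML 2.0 for Target */
  char* jwt;                     /* Javascript Web Token for Subject */
  char* tgtjwt;                  /* Javascript Web Token for Target */
  struct zx_sa11_Assertion_s* a7n11;
  struct zx_sa11_Assertion_s* tgta7n11;
  struct zx_ff12_Assertion_s* a7n12;
  struct zx_ff12_Assertion_s* tgta7n12;
  zxid_tok* call_invoktok;       /* If set, see zxid_map_identity_token(), use as wsse */
  zxid_tok* call_tgttok;         /* If set, use as TargetIdentity token */
  zxid_epr* deleg_di_epr;        /* If set, see zxid_set_delegated_discovery_epr(), used for disco. */
  zxid_fault* curflt;            /* SOAP fault, if any, reported by zxid_wsp_validate() */
  zxid_tas3_status* curstatus;   /* TAS3 status header, if any. */
  struct zx_str* issuer;         /* WSP processing: the content of Sender header of request */
  struct timeval srcts;          /* WSP processing: the timestamp of the request */
  char* sesbuf;
  char* sso_a7n_buf;
  struct zxid_attr* at;          /* Attributes extracted from a7n and translated using inmap. Linked list */
  char* access_token;            /* OAuth2 */
  char* refresh_token;           /* OAuth2 */
  char* token_type;              /* OAuth2 */
  char* id_token;                /* OAuth2 */
  int expires_in;                /* OAuth2 */
  char* client_id;               /* OAuth2 */
  char* client_secret;           /* OAuth2. Secret: keep out of logs. */
  char* rpt;                     /* UMA */
#ifdef USE_PTHREAD
  struct zx_lock mx;
#endif
};

/*(s) Attribute node */

struct zxid_attr {
  struct zxid_attr* n;           /* Next attribute */
  struct zxid_attr* nv;          /* Next value, if multivalued */
  char* name;
  char* val;
  struct zx_str* map_val;        /* Value after outmap (cached from length compute to render) */
  struct zx_sa_Attribute_s* orig;  /* Pointer to original attribute, if any */
  struct zx_str* issuer;         /* Issuer EntityID, if any */
};

/*(s) The need nodes are used for storing parsed NEED and WANT directives. */

struct zxid_need {
  struct zxid_need* n;
  struct zxid_attr* at;          /* List of needed/wanted attributes (with value fields empty) */
  char* usage;                   /* How do we promise to use attribute */
  char* retent;                  /* How long will we retain it */
  char* oblig;                   /* Obligations we are willing or able to honour */
  char* ext;
};

/*(s) Attribute mapping used in INMAP, PEPMAP, and OUTMAP directives. */

struct zxid_map {
  struct zxid_map* n;
  int rule;                      /* One of ZXID_MAP_RULE_* below (encoding and wrap bits may be combined) */
  char* ns;                      /* Namespace of the source attribute */
  char* src;                     /* Source attribute */
  char* dst;                     /* Destination attribute */
  char* ext;
};

/*(s) Used for maintaining whitelists and blacklists as well as obligation values */

struct zxid_cstr_list {
  struct zxid_cstr_list* n;
  char* s;
};

/*(s) Obligations list with multiple values per obligation. */

struct zxid_obl_list {
  struct zxid_obl_list* n;
  char* name;
  struct zxid_cstr_list* vals;
};

/* Values for zxid_map.rule. The low nibble is the encoding/filter rule
 * (ZXID_MAP_RULE_ENC_MASK), the next two bits the wrapping (ZXID_MAP_RULE_WRAP_MASK). */
#define ZXID_MAP_RULE_RENAME     0x00
#define ZXID_MAP_RULE_DEL        0x01  /* Filter attribute out */
#define ZXID_MAP_RULE_RESET      0x02  /* Reset the map, dropping previous config. */
#define ZXID_MAP_RULE_FEIDEDEC   0x03  /* Norway */
#define ZXID_MAP_RULE_FEIDEENC   0x04  /* Norway */
#define ZXID_MAP_RULE_UNSB64_INF 0x05  /* Decode safebase64-inflate ([RFC3548], [RFC1951]) */
#define ZXID_MAP_RULE_DEF_SB64   0x06  /* Encode deflate-safebase64 ([RFC1951], [RFC3548]) */
#define ZXID_MAP_RULE_UNSB64     0x07  /* NZ: Decode safebase64 ([RFC3548]) */
#define ZXID_MAP_RULE_SB64       0x08  /* NZ: Encode safebase64 ([RFC3548]) */
#define ZXID_MAP_RULE_ENC_MASK   0x0f
#define ZXID_MAP_RULE_WRAP_A7N   0x10  /* Wrap the attribute in SAML2 assertion */
#define ZXID_MAP_RULE_WRAP_X509  0x20  /* Wrap the attribute in X509 attribute certificate */
#define ZXID_MAP_RULE_WRAP_FILE  0x30  /* Get attribute value from file specified in ext */
#define ZXID_MAP_RULE_WRAP_MASK  0x30

/*(s) Parsed STOMP 1.1 headers */

struct stomp_hdr {
  int len;                       /* Populated from content-length header, if one is supplied. */
  char* body;                    /* Body of the message */
  char* host;                    /* also receipt and receipt_id */
  char* vers;                    /* version, also accept-version, tx_id */
  char* login;                   /* also session, subs_id, subsc */
  char* pw;                      /* also server, ack, msg_id */
  char* dest;                    /* destination, also heart_bt */
  char* end_of_pdu;              /* One past end of frame data. Helps in cleaning buffer for next PDU. */
};

/*(s) Used for maintaining audit bus URL and connections */

struct zxid_bus_url {
  struct zxid_bus_url* n;
  char* s;                       /* The config URL */
  char* eid;                     /* EntityID of the auditbus node (for metadata and zx-rcpt-sig validate) */
  fdtype fd;                     /* Remember already open connection to zxbusd instance. */
  char* m;                       /* I/O buffer */
  char* ap;                      /* How far the buffer is filled */
  int cur_rcpt;                  /* Rolling receipt ID */
  char scalingpart;              /* Scaling partition number. */
  char pad1,pad2,pad3;
#ifdef USE_OPENSSL
  SSL* ssl;
#endif
};

/*(s) Attribute source definition */

struct zxid_atsrc {
  struct zxid_atsrc* n;
  struct zxid_attr* at;          /* List of available attributes (with value fields empty) */
  char* ns;                      /* Namespace, typically Entity ID of the source. */
  char* weight;
  char* url;                     /* URL or other access parameters */
  char* aapml;
  char* otherlim;
  char* ext;
};

/*(s) Permission object (for PS and DI) */

struct zxid_perm {
  struct zxid_perm* n;
  struct zx_str* eid;
  struct zx_str* qs;
};

/*(s) People Service Object */

struct zxid_psobj {
  struct zx_str* psobj;          /* ObjectID */
  char* uid;                     /* uid of the owner of the object */
  struct zx_str* idpnid;         /* NameID of the buddy */
  struct zx_str* dispname;
  struct zx_str* tags;
  struct zx_str* invids;
  struct zxid_perm* perms;       /* List of permissions associated with the buddy */
  struct zxid_psobj* child;      /* In case of collection, the members of the group, e.g. ObjectRefs. */
  int nodetype;                  /* ZXID_PSOBJ_BUDDY or ZXID_PSOBJ_COLLECTION */
  int create_secs;
  int mod_secs;
};

#define ZXID_PSOBJ_BUDDY      0
#define ZXID_PSOBJ_COLLECTION 1

/*(s) Invitation object */

struct zxid_invite {
  struct zx_str* invid;
  char* uid;                     /* Invitation by */
  struct zx_str* desc;
  struct zx_str* psobj;
  struct zx_str* ps2spredir;
  struct zxid_psobj* obj;
  struct zxid_perm* perms;       /* List of permissions associated with the invitation */
  int maxusage;
  int usage;
  int starts;                    /* Unix seconds since epoch */
  int expires;                   /* Unix seconds since epoch */
};

/* Subdirectories under ZXID_PATH and fixed buffer limits. */
#define ZXID_SES_DIR   "ses/"
#define ZXID_USER_DIR  "user/"
#define ZXID_UID_DIR   "uid/"
#define ZXID_NID_DIR   "nid/"
#define ZXID_PEM_DIR   "pem/"
#define ZXID_COT_DIR   "cot/"
#define ZXID_DIMD_DIR  "dimd/"
#define ZXID_INV_DIR   "inv/"
#define ZXID_LOG_DIR   "log/"
#define ZXID_PCODE_DIR "pcode/"  /* Mobile pairing codes */
#define ZXID_DCR_DIR   "dcr/"    /* OAUTH2 Dynamic Client Registrations */
#define ZXID_RSR_DIR   "rsr/"    /* OAUTH2 Resource Set Registrations */
#define ZXID_MAX_USER     (256)           /* Maximum size of .mni or user file */
#define ZXID_INIT_MD_BUF  (8*1024-1)      /* Initial size, will automatically reallocate. */
#define ZXID_INIT_SOAP_BUF (8*1024-1)     /* Initial size, will automatically reallocate. */
#define ZXID_MAX_CURL_BUF (10*1024*1024-1)  /* Buffer reallocation will not grow beyond this. */
#define ZXID_MAX_EID      (1024)
#define ZXID_MAX_DIR      (4*1024)
#define ZXID_MAX_SP_NAME_BUF (1024)

/* --------------- zxid_simple() API (see zxidsimp.c) --------------- */

/* auto_flags bits accepted by the zxid_simple() family. */
#define ZXID_AUTO_EXIT   0x01    /* Do not call exit(2), return "n" instead */
#define ZXID_AUTO_REDIR  0x02    /* Autoredirs, assume CGI, calls exit(2) */
#define ZXID_AUTO_SOAPC  0x04    /* SOAP resp content */
#define ZXID_AUTO_SOAPH  0x08    /* SOAP resp headers */
#define ZXID_AUTO_METAC  0x10    /* metadata content */
#define ZXID_AUTO_METAH  0x20    /* metadata headers*/
#define ZXID_AUTO_LOGINC 0x40    /* login page content */
#define ZXID_AUTO_LOGINH 0x80    /* login page headers */
#define ZXID_AUTO_MGMTC  0x100   /* mgmt page content */
#define ZXID_AUTO_MGMTH  0x200   /* mgmt page headers */
#define ZXID_AUTO_FORMF  0x400   /* Wrap the output in <form> tag. Full page HTML. */
#define ZXID_AUTO_FORMT  0x800   /* Wrap the output in <form> tag. */
#define ZXID_AUTO_ALL    0xfff   /* Enable all automatic behaviour. (4095) */
#define ZXID_AUTO_DEBUG  0x1000  /* Enable debugging output to stderr. */
#define ZXID_AUTO_FMTQ   0x2000  /* Output Format Query String */
#define ZXID_AUTO_FMTJ   0x4000  /* Output Format JSON */

/* Entry points taking configuration as a string. The string parameters
 * (conf, qs, sid) are nul terminated; the *_len variants below take an
 * explicit length instead and the *_cf variants a parsed zxid_conf.
 * Return value is rendered output whose meaning depends on auto_flags. */
ZXID_DECL char* zxid_simple(char* conf, char* qs, int auto_flags);
ZXID_DECL char* zxid_idp_list(char* conf, int auto_flags);
ZXID_DECL char* zxid_idp_select(char* conf, int auto_flags);
ZXID_DECL char* zxid_fed_mgmt(char* conf, char* sid, int auto_flags);

ZXID_DECL zxid_conf* zxid_new_conf_to_cf(const char* conf);
ZXID_DECL char* zxid_simple_cf(zxid_conf* cf, int qs_len, char* qs, int* res_len, int auto_flags);
ZXID_DECL char* zxid_idp_list_cf(zxid_conf* cf, int* res_len, int auto_flags);
ZXID_DECL char* zxid_idp_select_cf(zxid_conf* cf, int* res_len, int auto_flags);
ZXID_DECL char* zxid_fed_mgmt_cf(zxid_conf* cf, int* res_len, int sid_len, char* sid, int auto_flags);

ZXID_DECL int zxid_conf_to_cf_len(zxid_conf* cf, int conf_len, const char* conf);
ZXID_DECL char* zxid_simple_len(int conf_len, char* conf, int qs_len, char* qs, int* res_len, int auto_flags);
ZXID_DECL char* zxid_simple_show_idp_sel(zxid_conf* cf, zxid_cgi* cgi, int* res_len, int auto_flags);
ZXID_DECL char* zxid_idp_list_len(int conf_len, char* conf, int* res_len, int auto_flags);
ZXID_DECL char* zxid_idp_list_cf_cgi(zxid_conf* cf, zxid_cgi* cgi, int* res_len, int auto_flags);
ZXID_DECL char* zxid_idp_select_len(int conf_len, char* conf, int* res_len, int auto_flags);
ZXID_DECL char* zxid_fed_mgmt_len(int conf_len, char* conf, int* res_len, char* sid, int auto_flags);
ZXID_DECL struct zx_str* zxid_idp_select_zxstr_cf(zxid_conf* cf, int auto_flags);

ZXID_DECL char* zxid_simple_show_err(zxid_conf* cf, zxid_cgi* cgi, int* res_len, int auto_flags);

ZXID_DECL char* zxid_simple_ses_active_cf(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, int* res_len, int auto_flags);
ZXID_DECL char* zxid_simple_no_ses_cf(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, int* res_len, int auto_flags);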
ZXID_DECL char* zxid_simple_cf_ses(zxid_conf* cf, int qs_len, char* qs, zxid_ses* ses, int* res_len, int auto_flags);
ZXID_DECL struct zx_str* zxid_template_page_cf(zxid_conf* cf, zxid_cgi* cgi, const char* templ_path, const char* default_templ, int size_hint, int auto_flags);

/* --------------- Full API --------------- */

/* Signatures */

/* Bit flags selecting which parts of an SSO exchange get an XML-DSIG signature.
 * They are independent bits (0x01, 0x02, 0x04) and may be OR'ed together. */
#define ZXID_SSO_SIGN_A7N        0x01
#define ZXID_SSO_SIGN_RESP       0x02
#define ZXID_SSO_SIGN_A7N_SIMPLE 0x04 /* N.B. Usually not as Simple Sig message sig is enough. */

/* Bit flags selecting which parts of an ID-WSF SOAP message get signed.
 * Note these reuse the values 0x01/0x02 of the ZXID_SSO_SIGN_* flags above;
 * the two flag sets are distinct and must not be mixed in one flags word. */
#define ZXID_SIGN_HDR 0x01 /* Sign ID-WSF relevant SOAP Headers */
#define ZXID_SIGN_BDY 0x02 /* Sign SOAP Body */

/* One XML-DSIG reference, either to be signed or to be verified.
 * zxsig_sign() and zxsig_validate() (declared below, under USE_OPENSSL) take an
 * array of these together with its element count n. The per-field comments
 * indicate which side uses each field: sref/blob on verification, id/canon on
 * signing; pop_seen supplies the outer-scope namespace context for both. */
struct zxsig_ref {
  struct zx_ds_Reference_s* sref;  /* Reference for validation */
  struct zx_elem_s* blob;          /* XML data structure for validation */
  struct zx_str* id;               /* ID attribute of element to sign */
  struct zx_str* canon;            /* String representing canonicalization for signing */
  struct zx_ns_s* pop_seen;        /* Namespaces from outer layers for inc_ns processing */
};

/* Signature verification result codes (presumably the int returned by
 * zxsig_validate(); confirm against its implementation).
 * ZXSIG_OK is 0 and every failure is non-zero, which is the OPPOSITE polarity
 * of the ZXID_FAIL (0) / ZXID_OK (1) convention used elsewhere in this header.
 * Always compare the result against ZXSIG_OK explicitly; treating it as a
 * boolean "success" value would accept every failed verification.
 * The capital letter opening each comment is kept from the original and
 * appears to be a short category tag; its meaning is not defined in this header. */
#define ZXSIG_OK         0
#define ZXSIG_BAD_DALGO  1 /* A Unsupported digest algorithm. */
#define ZXSIG_DIGEST_LEN 2 /* G Wrong digest length. */
#define ZXSIG_BAD_DIGEST 3 /* G Digest value does not match. */
#define ZXSIG_BAD_SALGO  4 /* A Unsupported signature algorithm. */
#define ZXSIG_BAD_CERT   5 /* I Extraction of public key from certificate failed. */
#define ZXSIG_VFY_FAIL   6 /* R Verification of signature failed. */
#define ZXSIG_NO_SIG     7 /* N No signature found. */
#define ZXSIG_TIMEOUT    8 /* V Validity time has expired. */
#define ZXSIG_AUDIENCE   9 /* V Assertion has wrong audience.
*/ 805 806 #ifdef USE_OPENSSL 807 ZXID_DECL struct zx_ds_Signature_s* zxsig_sign(struct zx_ctx* c, int n, struct zxsig_ref* sref, X509* cert, EVP_PKEY* priv_key, const char* sig_meth_spec, const char* digest_spec); 808 ZXID_DECL int zxsig_validate(struct zx_ctx* c, X509* cert, struct zx_ds_Signature_s* sig, int n, struct zxsig_ref* refs); 809 ZXID_DECL int zxsig_data(struct zx_ctx* c, int len, const char* d, char** sig, EVP_PKEY* priv_key, const char* lk, const char* md_alg); 810 ZXID_DECL int zxsig_verify_data(int len, char* data, int siglen, char* sig, X509* cert, const char* lk, const char* mdalg); 811 ZXID_DECL struct zx_xenc_EncryptedData_s* zxenc_pubkey_enc(zxid_conf* cf, struct zx_str* data, struct zx_xenc_EncryptedKey_s** ekp, X509* cert, char* idsuffix, zxid_entity* meta); 812 #endif 813 ZXID_DECL struct zx_str* zxenc_privkey_dec(zxid_conf* cf, struct zx_xenc_EncryptedData_s* ed, struct zx_xenc_EncryptedKey_s* ek); 814 ZXID_DECL struct zx_xenc_EncryptedData_s* zxenc_symkey_enc(zxid_conf* cf, struct zx_str* data, struct zx_str* ed_id, struct zx_str* symkey, struct zx_xenc_EncryptedKey_s* ek); 815 ZXID_DECL struct zx_str* zxenc_symkey_dec(zxid_conf* cf, struct zx_xenc_EncryptedData_s* ed, struct zx_str* symkey); 816 817 /* zxlog (see logging chapter in README.zxid) */ 818 819 /* /var/zxid/log/rely/ISSUER-SHA1-NAME/a7n/A7N-ID-AS-SHA1 */ 820 #define ZXBUS_CH_DIR "ch/" 821 #define ZXLOG_RELY_DIR "rely/" 822 #define ZXLOG_ISSUE_DIR "issue/" 823 #define ZXLOG_A7N_KIND "/a7n/" 824 #define ZXLOG_JWT_KIND "/jwt/" 825 #define ZXLOG_AZC_KIND "/azc/" 826 #define ZXLOG_MSG_KIND "/msg/" 827 #define ZXLOG_WIR_KIND "/wir/" 828 829 ZXID_DECL void zxlog_write_line(zxid_conf* cf, char* c_path, int encflags, int n, const char* logbuf); 830 ZXID_DECL int zxlog_dup_check(zxid_conf* cf, struct zx_str* path, const char* logkey); 831 ZXID_DECL int zxlog_blob(zxid_conf* cf, int logflag, struct zx_str* path, struct zx_str* blob, const char* lk); 832 ZXID_DECL int zxlog(zxid_conf* cf, 
struct timeval* ourts, struct timeval* srcts, const char* ipport, struct zx_str* entid, struct zx_str* msgid, struct zx_str* a7nid, struct zx_str* nid, const char* sigval, const char* res, const char* op, const char* arg, const char* fmt, ...); 833 ZXID_DECL int zxlogwsp(zxid_conf* cf, zxid_ses* ses, const char* res, const char* op, const char* arg, const char* fmt, ...); 834 ZXID_DECL int zxlogusr(zxid_conf* cf, const char* uid, struct timeval* ourts, struct timeval* srcts, const char* ipport, struct zx_str* entid, struct zx_str* msgid, struct zx_str* a7nid, struct zx_str* nid, const char* sigval, const char* res, const char* op, const char* arg, const char* fmt, ...); 835 ZXID_DECL void errmac_debug_xml_blob(zxid_conf* cf, const char* file, int line, const char* func, const char* lk, int len, const char* xml); 836 ZXID_DECL char* zxbus_mint_receipt(zxid_conf* cf, int sigbuf_len, char* sigbuf, int mid_len, const char* mid, int dest_len, const char* dest, int eid_len, const char* eid, int body_len, const char* body); 837 ZXID_DECL int zxbus_verify_receipt(zxid_conf* cf, const char* eid, int sigbuf_len, char* sigbuf, int mid_len, const char* mid, int dest_len, const char* dest, int deid_len, const char* deid, int body_len, const char* body); 838 ZXID_DECL int zxbus_persist_msg(zxid_conf* cf, int c_path_len, char* c_path, int dest_len, const char* dest, int data_len, const char* data); 839 840 /* zxbusprod */ 841 842 ZXID_DECL int zxbus_open_bus_url(zxid_conf* cf, struct zxid_bus_url* bu); 843 ZXID_DECL int zxbus_close(zxid_conf* cf, struct zxid_bus_url* bu); 844 ZXID_DECL void zxbus_close_all(zxid_conf* cf); 845 ZXID_DECL int zxbus_send_cmdf(zxid_conf* cf, struct zxid_bus_url* bu, int body_len, const char* body, const char* fmt, ...); 846 ZXID_DECL int zxbus_send_cmd(zxid_conf* cf, const char* cmd, const char* dest, int body_len, const char* body); 847 ZXID_DECL int zxbus_send(zxid_conf* cf, const char* dest, int body_len, const char* body); 848 ZXID_DECL int 
zxbus_read_stomp(zxid_conf* cf, struct zxid_bus_url* bu, struct stomp_hdr* stomp); 849 ZXID_DECL int zxbus_ack_msg(zxid_conf* cf, struct zxid_bus_url* bu, struct stomp_hdr* stompp); 850 ZXID_DECL char* zxbus_listen_msg(zxid_conf* cf, struct zxid_bus_url* bu); 851 852 /* zxidmeta */ 853 854 ZXID_DECL zxid_entity* zxid_get_ent_file(zxid_conf* cf, const char* sha1_name, const char* logkey); 855 ZXID_DECL zxid_entity* zxid_get_ent_cache(zxid_conf* cf, struct zx_str* eid); 856 ZXID_DECL int zxid_write_ent_to_cache(zxid_conf* cf, zxid_entity* ent); 857 ZXID_DECL zxid_entity* zxid_parse_meta(zxid_conf* cf, char** md, char* lim); 858 ZXID_DECL zxid_entity* zxid_get_meta_ss(zxid_conf* cf, struct zx_str* url); 859 ZXID_DECL zxid_entity* zxid_get_meta(zxid_conf* cf, const char* url); 860 ZXID_DECL zxid_entity* zxid_get_ent_ss(zxid_conf* cf, struct zx_str* eid); 861 ZXID_DECL zxid_entity* zxid_get_ent(zxid_conf* cf, const char* eid); 862 ZXID_DECL zxid_entity* zxid_get_ent_by_succinct_id(zxid_conf* cf, char* raw_succinct_id); 863 ZXID_DECL zxid_entity* zxid_get_ent_by_sha1_name(zxid_conf* cf, char* sha1_name); 864 ZXID_DECL zxid_entity* zxid_load_cot_cache(zxid_conf* cf); 865 866 ZXID_DECL struct zx_str* zxid_sp_meta(zxid_conf* cf, zxid_cgi* cgi); 867 ZXID_DECL int zxid_send_sp_meta(zxid_conf* cf, zxid_cgi* cgi); 868 ZXID_DECL struct zx_str* zxid_sp_carml(zxid_conf* cf); 869 ZXID_DECL struct zx_str* zxid_my_ent_id(zxid_conf* cf); 870 ZXID_DECL char* zxid_my_ent_id_cstr(zxid_conf* cf); 871 ZXID_DECL struct zx_attr_s* zxid_my_ent_id_attr(zxid_conf* cf, struct zx_elem_s* father, int tok); 872 ZXID_DECL struct zx_str* zxid_my_cdc_url(zxid_conf* cf); 873 ZXID_DECL struct zx_sa_Issuer_s* zxid_my_issuer(zxid_conf* cf, struct zx_elem_s* father); 874 ZXID_DECL struct zx_sa_Issuer_s* zxid_issuer(zxid_conf* cf, struct zx_elem_s* father, struct zx_str* nameid, char* affiliation); 875 876 /* zxidconf */ 877 878 #ifdef USE_OPENSSL 879 ZXID_DECL X509* zxid_extract_cert(char* buf, char* 
name); 880 ZXID_DECL EVP_PKEY* zxid_extract_private_key(char* buf, char* name); 881 ZXID_DECL X509* zxid_read_cert(zxid_conf* cf, char* name); 882 ZXID_DECL EVP_PKEY* zxid_read_private_key(zxid_conf* cf, char* name); 883 ZXID_DECL int zxid_lazy_load_sign_cert_and_pkey(zxid_conf* cf, X509** cert, EVP_PKEY** pkey, const char* logkey); 884 ZXID_DECL const char* zxid_get_cert_signature_algo(X509* cert); 885 ZXID_DECL const char* zxsig_choose_xmldsig_sig_meth_url(EVP_PKEY* priv_key, const char* dig_alg); 886 ZXID_DECL const char* zxsig_choose_xmldsig_sig_meth_urlenc(EVP_PKEY* priv_key, const char* dig_alg); 887 //ZXID_DECL const char* zxid_get_cert_signature_algo_url(X509* cert); 888 //ZXID_DECL const char* zxid_get_cert_signature_algo_urlenc(X509* cert); 889 //ZXID_DECL const char* zxid_get_cert_digest_url(X509* cert); 890 #endif 891 ZXID_DECL int zxid_set_opt(zxid_conf* cf, int which, int val); 892 ZXID_DECL char* zxid_set_opt_cstr(zxid_conf* cf, int which, char* val); 893 ZXID_DECL void zxid_url_set(zxid_conf* cf, const char* url); 894 ZXID_DECL int zxid_init_conf(zxid_conf* cf, const char* conf_dir); 895 ZXID_DECL void zxid_free_conf(zxid_conf *cf); 896 ZXID_DECL zxid_conf* zxid_init_conf_ctx(zxid_conf* cf, const char* zxid_path); 897 ZXID_DECL zxid_conf* zxid_new_conf(const char* zxid_path); 898 ZXID_DECL int zxid_parse_conf_raw(zxid_conf* cf, int qs_len, char* qs); 899 ZXID_DECL int zxid_parse_conf(zxid_conf* cf, char* qs); 900 ZXID_DECL int zxid_mk_self_sig_cert(zxid_conf* cf, int buflen, char* buf, const char* lk, const char* name); 901 ZXID_DECL int zxid_mk_at_cert(zxid_conf* cf, int buflen, char* buf, const char* lk, zxid_nid* nameid, const char* name, struct zx_str* val); 902 ZXID_DECL struct zx_str* zxid_show_conf(zxid_conf* cf); 903 904 /* zxidcgi */ 905 906 ZXID_DECL int zxid_parse_cgi(zxid_conf* cf, zxid_cgi* cgi, char* qs); 907 ZXID_DECL zxid_cgi* zxid_new_cgi(zxid_conf* cf, char* qs); 908 ZXID_DECL void zxid_get_sid_from_cookie(zxid_conf* cf, zxid_cgi* 
cgi, const char* cookie); 909 910 /* zxidses */ 911 912 ZXID_DECL zxid_ses* zxid_alloc_ses(zxid_conf* cf); 913 ZXID_DECL zxid_ses* zxid_fetch_ses(zxid_conf* cf, const char* sid); 914 ZXID_DECL int zxid_get_ses(zxid_conf* cf, zxid_ses* ses, const char* sid); 915 ZXID_DECL int zxid_put_ses(zxid_conf* cf, zxid_ses* ses); 916 ZXID_DECL int zxid_del_ses(zxid_conf* cf, zxid_ses* ses); 917 ZXID_DECL int zxid_get_ses_sso_a7n(zxid_conf* cf, zxid_ses* ses); 918 ZXID_DECL zxid_entity* zxid_get_ses_idp(zxid_conf* cf, zxid_ses* ses); 919 ZXID_DECL int zxid_find_ses(zxid_conf* cf, zxid_ses* ses, struct zx_str* ses_ix, struct zx_str* nid); 920 921 /* zxidpool */ 922 923 ZXID_DECL struct zx_str* zxid_ses_to_ldif(zxid_conf* cf, zxid_ses* ses); 924 ZXID_DECL struct zx_str* zxid_ses_to_json(zxid_conf* cf, zxid_ses* ses); 925 ZXID_DECL struct zx_str* zxid_ses_to_qs(zxid_conf* cf, zxid_ses* ses); 926 ZXID_DECL void zxid_ses_to_pool(zxid_conf* cf, zxid_ses* ses); 927 ZXID_DECL void zxid_add_attr_to_ses(zxid_conf* cf, zxid_ses* ses, char* at_name, struct zx_str* val); 928 ZXID_DECL int zxid_add_qs2ses(zxid_conf* cf, zxid_ses* ses, char* qs, int apply_map); 929 930 /* zxiduser */ 931 932 ZXID_DECL void zxid_user_sha1_name(zxid_conf* cf, struct zx_str* qualif, struct zx_str* nid, char* sha1_name); 933 ZXID_DECL int zxid_put_user(zxid_conf* cf, struct zx_str* nidfmt, struct zx_str* idpent, struct zx_str* spqual, struct zx_str* idpnid, char* mniptr); 934 ZXID_DECL zxid_nid* zxid_get_user_nameid(zxid_conf* cf, zxid_nid* oldnid); 935 ZXID_DECL void zxid_user_change_nameid(zxid_conf* cf, zxid_nid* oldnid, struct zx_str* newnym); 936 ZXID_DECL int zxid_pw_authn(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses); 937 938 /* zxidcurl */ 939 940 ZXID_DECL struct zx_str* zxid_http_cli(zxid_conf* cf, int url_len, const char* url, int len, const char* data, const char* content_type, const char* headers, int flags); 941 ZXID_DECL struct zx_root_s* zxid_soap_call_raw(zxid_conf* cf, struct zx_str* url, struct 
zx_e_Envelope_s* env, char** ret_enve); 942 ZXID_DECL struct zx_root_s* zxid_soap_call_hdr_body(zxid_conf* cf, struct zx_str* url, struct zx_e_Header_s* hdr, struct zx_e_Body_s* body); 943 ZXID_DECL int zxid_soap_cgi_resp_body(zxid_conf* cf, zxid_ses* ses, struct zx_e_Body_s* body); 944 ZXID_DECL const char* zxid_get_last_content_type(zxid_conf* cf); 945 946 /* zxidlib */ 947 948 ZXID_DECL int zxid_version(); 949 ZXID_DECL const char* zxid_version_str(); 950 951 ZXID_DECL struct zx_str* zx_easy_enc_elem_opt(zxid_conf* cf, struct zx_elem_s* x); 952 ZXID_DECL struct zx_str* zx_easy_enc_elem_sig(zxid_conf* cf, struct zx_elem_s* x); 953 954 ZXID_DECL struct zx_str* zxid_date_time(zxid_conf* cf, time_t secs); 955 ZXID_DECL struct zx_str* zxid_mk_id(zxid_conf* cf, char* prefix, int bits); /* pseudo random ident. */ 956 957 ZXID_DECL struct zx_attr_s* zxid_date_time_attr(zxid_conf* cf, struct zx_elem_s* father, int tok, time_t secs); 958 ZXID_DECL struct zx_attr_s* zxid_mk_id_attr(zxid_conf* cf, struct zx_elem_s* father, int tok, char* prefix, int bits); 959 960 ZXID_DECL struct zx_str* zxid_saml2_post_enc(zxid_conf* cf, char* field, struct zx_str* payload, char* relay_state, int sign, struct zx_str* action_url); 961 ZXID_DECL struct zx_str* zxid_saml2_redir_enc(zxid_conf* cf, char* cgivar, struct zx_str* pay_load, char* relay_state); 962 ZXID_DECL struct zx_str* zxid_saml2_redir_url(zxid_conf* cf, struct zx_str* loc, struct zx_str* pay_load, char* relay_state); 963 ZXID_DECL struct zx_str* zxid_saml2_redir(zxid_conf* cf, struct zx_str* loc, struct zx_str* pay_load, char* relay_state); 964 ZXID_DECL struct zx_str* zxid_saml2_resp_redir(zxid_conf* cf, struct zx_str* loc, struct zx_str* pay_load, char* relay_state); 965 966 ZXID_DECL int zxid_saml_ok(zxid_conf* cf, zxid_cgi* cgi, struct zx_sp_Status_s* st, char* what); 967 ZXID_DECL zxid_nid* zxid_decrypt_nameid(zxid_conf* cf, zxid_nid* nid, struct zx_sa_EncryptedID_s* encid); 968 ZXID_DECL struct zx_str* 
zxid_decrypt_newnym(zxid_conf* cf, struct zx_str* newnym, struct zx_sp_NewEncryptedID_s* encid); 969 970 ZXID_DECL char* zxid_extract_body(zxid_conf* cf, char* enve); 971 972 ZXID_DECL char* zx_get_symkey(zxid_conf* cf, const char* keyname, char* symkey); 973 974 /* zxidloc */ 975 976 ZXID_DECL struct zx_root_s* zxid_idp_soap(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, zxid_entity* idp_meta, int svc_type, struct zx_e_Body_s* body); 977 978 ZXID_DECL struct zx_root_s* zxid_sp_soap(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, zxid_entity* sp_meta, int svc_type, struct zx_e_Body_s* body); 979 980 /* zxiddec */ 981 982 ZXID_DECL struct zx_sa_Issuer_s* zxid_extract_issuer(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, struct zx_root_s* r); 983 ZXID_DECL struct zx_root_s* zxid_decode_redir_or_post(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, int chk_dup); 984 985 /* zxidspx */ 986 987 ZXID_DECL zxid_a7n* zxid_dec_a7n(zxid_conf* cf, zxid_a7n* a7n, struct zx_sa_EncryptedAssertion_s* enca7n); 988 989 /* zxidsso - SP side of SSO: consuming A7N */ 990 991 ZXID_DECL int zxid_sp_deref_art(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses); 992 ZXID_DECL int zxid_as_call_ses(zxid_conf* cf, zxid_entity* idp_meta, zxid_cgi* cgi, zxid_ses* ses); 993 ZXID_DECL zxid_ses* zxid_as_call(zxid_conf* cf, zxid_entity* idp_meta, const char* user, const char* pw); 994 ZXID_DECL struct zx_str* zxid_start_sso_url(zxid_conf* cf, zxid_cgi* cgi); 995 996 /* zxidslo */ 997 998 ZXID_DECL int zxid_sp_slo_soap(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses); 999 ZXID_DECL struct zx_str* zxid_sp_slo_redir(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses); 1000 1001 /* zxidmni */ 1002 1003 ZXID_DECL int zxid_sp_mni_soap(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, struct zx_str* new_nym); 1004 ZXID_DECL struct zx_str* zxid_sp_mni_redir(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, struct zx_str* new_nym); 1005 1006 /* zxidpep */ 1007 1008 ZXID_DECL char* zxid_az_cf_ses(zxid_conf* cf, const char* qs, zxid_ses* ses); 
1009 ZXID_DECL char* zxid_az_cf(zxid_conf* cf, const char* qs, const char* sid); 1010 ZXID_DECL char* zxid_az(const char* conf, const char* qs, const char* sid); 1011 1012 ZXID_DECL char* zxid_az_base_cf_ses(zxid_conf* cf, const char* qs, zxid_ses* ses); 1013 ZXID_DECL char* zxid_az_base_cf(zxid_conf* cf, const char* qs, const char* sid); 1014 ZXID_DECL char* zxid_az_base(const char* conf, const char* qs, const char* sid); 1015 1016 /* zxida7n */ 1017 1018 ZXID_DECL struct zx_sa_Attribute_s* zxid_find_attribute(zxid_a7n* a7n, int nfmt_len, char* nfmt, int name_len, char* name, int friendly_len, char* friendly, int n); 1019 1020 /* zxidmk */ 1021 1022 ZXID_DECL struct zx_sp_Status_s* zxid_mk_Status(zxid_conf* cf, struct zx_elem_s* father, const char* sc1, const char* sc2, const char* msg); 1023 ZXID_DECL struct zx_sp_Status_s* zxid_OK(zxid_conf* cf, struct zx_elem_s* father); 1024 1025 /* zxidoauth */ 1026 1027 ZXID_DECL struct zx_str* zxid_mk_oauth_az_req(zxid_conf* cf, zxid_cgi* cgi, struct zx_str* loc, char* relay_state); 1028 ZXID_DECL char* zxid_mk_jwks(zxid_conf* cf); 1029 ZXID_DECL char* zxid_mk_oauth2_dyn_cli_reg_req(zxid_conf* cf); 1030 ZXID_DECL char* zxid_mk_oauth2_dyn_cli_reg_res(zxid_conf* cf, zxid_cgi* cgi); 1031 ZXID_DECL char* zxid_mk_oauth2_rsrc_reg_req(zxid_conf* cf, const char* rsrc_name, const char* rsrc_icon_uri, const char* rsrc_scope_url, const char* rsrc_type); 1032 ZXID_DECL char* zxid_mk_oauth2_rsrc_reg_res(zxid_conf* cf, zxid_cgi* cgi, char* rev); 1033 ZXID_DECL char* zxid_oauth_get_well_known_item(zxid_conf* cf, const char* base_uri, const char* key); 1034 ZXID_DECL struct zx_str* zxid_oauth_dynclireg_client(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, const char* as_uri); 1035 ZXID_DECL void zxid_oauth_rsrcreg_client(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, const char* as_uri, const char* rsrc_name, const char* rsrc_icon_uri, const char* rsrc_scope_url, const char* rsrc_type); 1036 ZXID_DECL char* 
zxid_oauth_call_rpt_endpoint(zxid_conf* cf, zxid_ses* ses, const char* host_id, const char* as_uri); 1037 ZXID_DECL char* zxid_oauth_call_az_endpoint(zxid_conf* cf, zxid_ses* ses, const char* host_id, const char* as_uri, const char* ticket); 1038 ZXID_DECL int zxid_oidc_as_call(zxid_conf* cf, zxid_ses* ses, zxid_entity* idp_meta, const char* _uma_authn); 1039 1040 /* zxidmkwsf */ 1041 1042 ZXID_DECL struct zx_lu_Status_s* zxid_mk_lu_Status(zxid_conf* cf, struct zx_elem_s* father, const char* sc1, const char* sc2, const char* msg, const char* ref); 1043 ZXID_DECL zxid_tas3_status* zxid_mk_tas3_status(zxid_conf* cf, struct zx_elem_s* father, const char* ctlpt, const char* sc1, const char* sc2, const char* msg, const char* ref); 1044 ZXID_DECL zxid_fault* zxid_mk_fault(zxid_conf* cf, struct zx_elem_s* father, const char* fa, const char* fc, const char* fs, const char* sc1, const char* sc2, const char* msg, const char* ref); 1045 ZXID_DECL zxid_fault* zxid_mk_fault_zx_str(zxid_conf* cf, struct zx_elem_s* father, struct zx_str* fa, struct zx_str* fc, struct zx_str* fs); 1046 1047 ZXID_DECL void zxid_set_fault(zxid_conf* cf, zxid_ses* ses, zxid_fault* flt); 1048 ZXID_DECL zxid_fault* zxid_get_fault(zxid_conf* cf, zxid_ses* ses); 1049 1050 ZXID_DECL char* zxid_get_tas3_fault_sc1(zxid_conf* cf, zxid_fault* flt); 1051 ZXID_DECL char* zxid_get_tas3_fault_sc2(zxid_conf* cf, zxid_fault* flt); 1052 ZXID_DECL char* zxid_get_tas3_fault_comment(zxid_conf* cf, zxid_fault* flt); 1053 ZXID_DECL char* zxid_get_tas3_fault_ref(zxid_conf* cf, zxid_fault* flt); 1054 ZXID_DECL char* zxid_get_tas3_fault_actor(zxid_conf* cf, zxid_fault* flt); 1055 1056 ZXID_DECL zxid_tas3_status* zxid_get_fault_status(zxid_conf* cf, zxid_fault* flt); 1057 1058 ZXID_DECL void zxid_set_tas3_status(zxid_conf* cf, zxid_ses* ses, zxid_tas3_status* status); 1059 ZXID_DECL zxid_tas3_status* zxid_get_tas3_status(zxid_conf* cf, zxid_ses* ses); 1060 1061 ZXID_DECL char* zxid_get_tas3_status_sc1(zxid_conf* cf, 
zxid_tas3_status* st); 1062 ZXID_DECL char* zxid_get_tas3_status_sc2(zxid_conf* cf, zxid_tas3_status* st); 1063 ZXID_DECL char* zxid_get_tas3_status_comment(zxid_conf* cf, zxid_tas3_status* st); 1064 ZXID_DECL char* zxid_get_tas3_status_ref(zxid_conf* cf, zxid_tas3_status* st); 1065 ZXID_DECL char* zxid_get_tas3_status_ctlpt(zxid_conf* cf, zxid_tas3_status* st); 1066 1067 /* zxidwsp */ 1068 1069 ZXID_DECL char* zxid_wsp_validate_env(zxid_conf* cf, zxid_ses* ses, const char* az_cred, struct zx_e_Envelope_s* env); 1070 ZXID_DECL char* zxid_wsp_validate(zxid_conf* cf, zxid_ses* ses, const char* az_cred, const char* enve); 1071 ZXID_DECL struct zx_str* zxid_wsp_decorate(zxid_conf* cf, zxid_ses* ses, const char* az_cred, const char* enve); 1072 ZXID_DECL struct zx_str* zxid_wsp_decoratef(zxid_conf* cf, zxid_ses* ses, const char* az_cred, const char* env_f, ...); 1073 ZXID_DECL int zxid_wsf_decor(zxid_conf* cf, zxid_ses* ses, struct zx_e_Envelope_s* env, int is_resp, zxid_epr* epri); 1074 1075 /* zxidwsc */ 1076 1077 ZXID_DECL struct zx_str* zxid_call(zxid_conf* cf, zxid_ses* ses, const char* svctype, const char* url, const char* di_opt, const char* az_cred, const char* enve); 1078 ZXID_DECL struct zx_str* zxid_callf(zxid_conf* cf, zxid_ses* ses, const char* svctype, const char* url, const char* di_opt, const char* az_cred, const char* env_f, ...); 1079 ZXID_DECL struct zx_str* zxid_call_epr(zxid_conf* cf, zxid_ses* ses, zxid_epr* epr, const char* az_cred, const char* enve); 1080 ZXID_DECL struct zx_str* zxid_callf_epr(zxid_conf* cf, zxid_ses* ses, zxid_epr* epr, const char* az_cred, const char* env_f, ...); 1081 ZXID_DECL struct zx_str* zxid_wsc_prepare_call(zxid_conf* cf, zxid_ses* ses, zxid_epr* epr, const char* az_cred, const char* enve); 1082 ZXID_DECL struct zx_str* zxid_wsc_prepare_callf(zxid_conf* cf, zxid_ses* ses, zxid_epr* epr, const char* az_cred, const char* env_f, ...); 1083 ZXID_DECL int zxid_wsc_valid_resp(zxid_conf* cf, zxid_ses* ses, const char* 
az_cred, const char* enve);

/* Build a SOAP response envelope whose body is <tag> wrapping a <lu:Status>.
 * zxid_new_envf() is declared outside this header; from the format string it
 * is presumably printf-style (confirm). tag, status_code and status_comment are
 * substituted verbatim with %s and are NOT XML-escaped: a double quote, '<' or
 * '&' inside status_comment breaks the attribute and alters the markup, so only
 * pass fixed, trusted strings here, never unescaped external input. */
#define ZXID_RESP_ENV(cf, tag, status_code, status_comment) zxid_new_envf((cf), "<%s><lu:Status code=\"%s\" comment=\"%s\"></lu:Status></%s>", (tag), (status_code), (status_comment), (tag))

/*() Most SOAP messages (at least in Liberty based web services) have
 * the status field in same place, but they all have different data
 * types. Given the similarity it is desirable to have common
 * "function" for checking status, but due to the type problem it has
 * to be done with a macro (dynamically typed language would make this easy). */

/* Check env->Body->field->Status and run abort_action unless the status code is OK.
 *
 * env          - pointer to a parsed envelope; evaluated many times, so pass a
 *                plain variable, not an expression with side effects.
 * field        - bare member name of the Body element to inspect (token-pasted
 *                into the diagnostics via #field).
 * abort_action - a statement (e.g. a return or goto) executed on every failure path.
 *
 * MB/ME, ERR() and D() are defined outside this header; MB/ME presumably open
 * and close a block so that the local `ss` does not leak into the caller's scope
 * (confirm). Points a caller should know:
 *  - env->Body is dereferenced without a NULL check; only env itself is checked.
 *  - The success test is memcmp(code->s, "OK", 2): a PREFIX compare, so any code
 *    whose first two bytes are "OK" passes, and two bytes are read regardless of
 *    code->len. zx_str carries an explicit len (used in the ERR below); whether
 *    s is always NUL-terminated is not visible here -- NOTE(review): if it is not,
 *    a one-byte code would be read one byte past its end. A stricter check would
 *    also require code->len == 2.
 *  - A missing comment (ss == NULL) is tolerated on both the OK and FAIL paths. */
#define ZXID_CHK_STATUS(env, field, abort_action) MB struct zx_str* ss; if (!(env)) abort_action; \
  if (!env->Body->field) { ERR("Body is missing " #field " element. %p", env); abort_action; } \
  if (!env->Body->field->Status) { ERR( #field " is missing Status. %p", env); abort_action; } \
  if (!env->Body->field->Status->code) { ERR( #field "->Status is missing code. %p", env); abort_action; } \
  if (!env->Body->field->Status->code->s) { ERR( #field "->Status->code empty. %p", env); abort_action; } \
  if (!memcmp(env->Body->field->Status->code->s, "OK", 2)) { \
    ss = env->Body->field->Status->comment; \
    D(#field ": Status OK (%.*s)", ss?ss->len:0, ss?ss->s:""); \
  } else { \
    ss = env->Body->field->Status->comment; \
    ERR("FAIL: " #field ": Status %.*s (%.*s)", \
        env->Body->field->Status->code->len, env->Body->field->Status->code->s, \
        ss?ss->len:0, ss?ss->s:""); \
    abort_action; \
  } \
  ME

/* zxidepr */

ZXID_DECL zxid_epr* zxid_get_epr(zxid_conf* cf, zxid_ses* ses, const char* svc, const char* url, const char* di_opt, const char* action, int n);
ZXID_DECL zxid_epr* zxid_find_epr(zxid_conf* cf, zxid_ses* ses, const char* svc, const char* url, const char* di_opt, const char* action, int n);

ZXID_DECL struct zx_str* zxid_get_epr_address(zxid_conf* cf, zxid_epr* epr);
ZXID_DECL struct zx_str* zxid_get_epr_entid(zxid_conf* cf, zxid_epr* epr);
ZXID_DECL struct zx_str* zxid_get_epr_desc(zxid_conf* cf, zxid_epr* epr);
ZXID_DECL struct zx_str* zxid_get_epr_tas3_trust(zxid_conf* cf, zxid_epr* epr);
ZXID_DECL struct zx_str* zxid_get_epr_secmech(zxid_conf* cf, zxid_epr* epr);

ZXID_DECL void zxid_set_epr_secmech(zxid_conf* cf, zxid_epr* epr, const char* secmec);
ZXID_DECL zxid_tok* zxid_get_epr_token(zxid_conf* cf, zxid_epr* epr);
ZXID_DECL void zxid_set_epr_token(zxid_conf* cf, zxid_epr* epr, zxid_tok* tok);
ZXID_DECL zxid_epr* zxid_new_epr(zxid_conf* cf, char* address, char* desc, char* entid, char* svctype);

ZXID_DECL zxid_epr* zxid_get_delegated_discovery_epr(zxid_conf* cf, zxid_ses* ses);
ZXID_DECL void zxid_set_delegated_discovery_epr(zxid_conf* cf, zxid_ses* ses, zxid_epr* epr);

ZXID_DECL zxid_tok* zxid_get_call_invoktok(zxid_conf* cf, zxid_ses* ses);
ZXID_DECL void zxid_set_call_invoktok(zxid_conf* cf, zxid_ses* ses, zxid_tok* tok);
ZXID_DECL zxid_tok*
zxid_get_call_tgttok(zxid_conf* cf, zxid_ses* ses); 1132 ZXID_DECL void zxid_set_call_tgttok(zxid_conf* cf, zxid_ses* ses, zxid_tok* tok); 1133 1134 ZXID_DECL struct zx_str* zxid_epr2str(zxid_conf* cf, zxid_epr* epr); 1135 ZXID_DECL struct zx_str* zxid_token2str(zxid_conf* cf, zxid_tok* tok); 1136 ZXID_DECL zxid_tok* zxid_str2token(zxid_conf* cf, struct zx_str* ss); 1137 ZXID_DECL struct zx_str* zxid_a7n2str(zxid_conf* cf, zxid_a7n* a7n); 1138 ZXID_DECL zxid_a7n* zxid_str2a7n(zxid_conf* cf, struct zx_str* ss); 1139 ZXID_DECL struct zx_str* zxid_nid2str(zxid_conf* cf, zxid_nid* nid); 1140 ZXID_DECL zxid_nid* zxid_str2nid(zxid_conf* cf, struct zx_str* ss); 1141 1142 ZXID_DECL zxid_nid* zxid_get_nameid(zxid_conf* cf, zxid_ses* ses); 1143 ZXID_DECL void zxid_set_nameid(zxid_conf* cf, zxid_ses* ses, zxid_nid* nid); 1144 ZXID_DECL zxid_nid* zxid_get_tgtnameid(zxid_conf* cf, zxid_ses* ses); 1145 ZXID_DECL void zxid_set_tgtnameid(zxid_conf* cf, zxid_ses* ses, zxid_nid* nid); 1146 1147 ZXID_DECL zxid_a7n* zxid_get_a7n(zxid_conf* cf, zxid_ses* ses); 1148 ZXID_DECL void zxid_set_a7n(zxid_conf* cf, zxid_ses* ses, zxid_a7n* a7n); 1149 ZXID_DECL zxid_a7n* zxid_get_tgta7n(zxid_conf* cf, zxid_ses* ses); 1150 ZXID_DECL void zxid_set_tgta7n(zxid_conf* cf, zxid_ses* ses, zxid_a7n* a7n); 1151 1152 /* zxidim - Identity Mapping Service, Single Sign-On Service (SSOS) */ 1153 1154 ZXID_DECL zxid_tok* zxid_map_identity_token(zxid_conf* cf, zxid_ses* ses, const char* at_eid, int how); 1155 1156 ZXID_DECL zxid_tok* zxid_nidmap_identity_token(zxid_conf* cf, zxid_ses* ses, const char* at_eid, int how); 1157 1158 /* zxidps - People Service (and delegation) */ 1159 1160 ZXID_DECL char* zxid_ps_accept_invite(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, int* res_len, int auto_flags); 1161 ZXID_DECL char* zxid_ps_finalize_invite(zxid_conf* cf, zxid_cgi* cgi, zxid_ses* ses, int* res_len, int auto_flags); 1162 1163 /* zxidpsso */ 1164 1165 ZXID_DECL char* zxid_get_idpnid_at_eid(zxid_conf* cf, const 
char* uid, const char* eid, int allow_create); 1166 1167 /* DAP scope constants are same as for LDAP, see RFC2251 */ 1168 1169 #define ZXID_DAP_SCOPE_BASE 0 /* Only what is pointed to by DN, e.g. one entry. The default. */ 1170 #define ZXID_DAP_SCOPE_SINGLE 1 /* Single level of directory right under DN. */ 1171 #define ZXID_DAP_SCOPE_SUBTREE 2 /* Full subtree search under the DN. */ 1172 1173 /* If CDC is not present, the user interface is always offered. */ 1174 1175 #define ZXID_CDC_CHOICE_ALWAYS_FIRST 1 /* Do not offer UI, always pick first on CDC list. */ 1176 #define ZXID_CDC_CHOICE_ALWAYS_LAST 2 /* Do not offer UI, always pick last on CDC list. */ 1177 #define ZXID_CDC_CHOICE_ALWAYS_ONLY 3 /* If CDC has only one IdP, always pick it. */ 1178 #define ZXID_CDC_CHOICE_UI_PREF 4 /* Offer UI with the CDC designated IdPs first. */ 1179 #define ZXID_CDC_CHOICE_UI_NOPREF 5 /* Offer UI. Do not give preference to CDC IdPs. */ 1180 #define ZXID_CDC_CHOICE_UI_ONLY_CDC 6 /* Offer UI. If CDC was set, only show IdPs from CDC. Otherwise show all IdPs. */ 1181 1182 /* index values for selecting different bindings. These appear as index XML 1183 * attribute in metadata and also in Web GUI formfield names, e.g. "l1" means 1184 * HTTP-Artifact and "l6" means OpenID-Connect 1.0 (OIDC1). 1185 * See also: zxid_pick_sso_profile(), cgi->pr_ix */ 1186 1187 #define ZXID_DEFAULT_PR_IX 0 1188 #define ZXID_SAML2_ART 1 1189 #define ZXID_SAML2_POST 2 1190 #define ZXID_SAML2_SOAP 3 1191 #define ZXID_SAML2_PAOS 4 1192 #define ZXID_SAML2_POST_SIMPLE_SIGN 5 1193 #define ZXID_SAML2_REDIR 6 1194 #define ZXID_SAML2_URI 7 1195 #define ZXID_OIDC1_CODE 8 1196 #define ZXID_OIDC1_ID_TOK_TOK 9 1197 1198 /* Service enumerators */ 1199 1200 #define ZXID_SLO_SVC 1 1201 #define ZXID_MNI_SVC 2 1202 #define ZXID_ACS_SVC 3 1203 1204 /* Broad categories of secmechs. Specific secmechs are mapped to these to abstract similarity. 
*/

/* ZXID_SEC_MECH_NULL presumably denotes the absence of any security mechanism;
 * code that makes trust decisions from the secmech category should treat it as
 * the weakest value (confirm against the secmech mapping in the implementation). */
#define ZXID_SEC_MECH_NULL   1
#define ZXID_SEC_MECH_BEARER 2
#define ZXID_SEC_MECH_SAML   3
#define ZXID_SEC_MECH_X509   4
#define ZXID_SEC_MECH_PEERS  5

/* Common status codes: usually tested without comparison to constant, i.e.
 * return value of functions (which can only fail or succeed) is directly
 * used in conditional test. You will see base 0's and 1's in code.
 * Usually 1 means event was fully handled and no fall thru behaviour
 * is desired. 0 usually means the fall thru default should happen.
 * N.B. This is the opposite polarity of the ZXSIG_* codes, where 0 (ZXSIG_OK)
 * is success; do not test a zxsig result with this convention. */
#define ZXID_FAIL     0 /* Fall thru to default behaviour. */
#define ZXID_OK       1 /* Don't fall thru, event fully handled. */
#define ZXID_REDIR_OK 2 /* Don't fall thru, event fully handled. */
#define ZXID_SSO_OK   3 /* Special case for SSO completed situation. Use as switch case. */
#define ZXID_IDP_REQ  4 /* Used by SP dispatch to punt the message to IdP processing. */

/* Copy the bytes [what, lim) into a freshly allocated, NUL-terminated buffer
 * and assign it to `to`. Requires what <= lim: the size (lim)-(what)+1 is
 * computed from the pointer difference, so a reversed pair yields a negative
 * (then huge) allocation size. Relies on a variable named `cf` being in scope
 * at the expansion site (cf->ctx is used as the allocator context); ZX_ALLOC
 * and MB/ME are defined outside this header, and the result is written to
 * without a NULL check, so whether ZX_ALLOC can return NULL must be confirmed
 * before using this on untrusted sizes. `to`, `what` and `lim` are each
 * evaluated more than once -- pass plain variables, not side-effecting expressions. */
#define COPYVAL(to,what,lim) MB (to) = ZX_ALLOC(cf->ctx, (lim)-(what)+1); memcpy((to), (what), (lim)-(what)); (to)[(lim)-(what)] = 0; ME

/* out_buf must be large enough for the safe-base64 form of a SHA-1 digest;
 * the required size is not stated in this header -- check the implementation. */
ZXID_DECL char* sha1_safe_base64(char* out_buf, int len, const char* data);
ZXID_DECL char* zx_url_encode(struct zx_ctx* c, int in_len, const char* in, int* out_len);

#ifdef __cplusplus
} // extern "C"
#endif

#endif