Grid Community Toolkit  6.2.1705709074 (tag: v6.2.20240202)
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
myproxy_creds.h
1 /*
2  * myproxy_creds.h
3  *
4  * Interface for storing and retrieving proxies.
5  */
6 #ifndef __MYPROXY_CREDS_H
7 #define __MYPROXY_CREDS_H
8 
9 #include <stdio.h>
10 #include <time.h>
11 
12 #define REGULAR_EXP 1
13 #define MATCH_CN_ONLY 0
14 
15 struct myproxy_creds {
16  char *username;
17  char *location;
18 
19  /* the following items are stored in the credential data file */
20  char *passphrase; /* stored crypt()'ed */
21  char *owner_name;
22  int lifetime;
23  char *credname;
24  char *creddesc;
25  char *retrievers;
26  char *renewers;
27  char *keyretrieve;
28  char *trusted_retrievers;
29 
30  /* start_time and end_time are set from the certificates in the cred */
31  time_t start_time;
32  time_t end_time;
33 
34  /* non-NULL lockmsg indicates credential is administratively
35  locked and should not be accessible. lockmsg should be
36  returned on any attempted access. */
37  char *lockmsg;
38 
39  struct myproxy_creds *next;
40 };
41 
42 typedef struct myproxy_creds myproxy_creds_t;
43 
44 /* trusted certificate files */
45 struct myproxy_certs {
46  char *filename;
47  char *contents;
48  size_t size;
49  struct myproxy_certs *next;
50 };
51 
52 typedef struct myproxy_certs myproxy_certs_t;
53 
54 /*
55  * myproxy_creds_store()
56  *
57  * Store the given credentials. The caller should allocate and fill in
58  * the myproxy_creds structure. The passphrase in the myproxy_creds
59  * structure will be crypt()'ed before it is written.
60  *
61  * On success, the credentials will be moved from creds->location to
62  * the repository, so they will no longer exist at creds->location.
63  *
64  * Returns -1 on error, 0 on success.
65  */
66 int myproxy_creds_store(const struct myproxy_creds *creds);
67 
68 /*
69  * myproxy_creds_retrieve()
70  *
71  * Retrieve the credentials associated with the username and
72  * credential name in the given myproxy_creds structure.
73  * Note: No checking on the passphrase or owner name is done.
74  * Note: The passphrase returned in the myproxy_creds structure is crypt()'ed.
75  *
76  * Returns -1 on error, 0 on success.
77  */
78 int myproxy_creds_retrieve(struct myproxy_creds *creds);
79 
80 /*
81  * myproxy_creds_retrieve_all()
82  *
83  * Retrieve all credentials associated with the username, owner
84  * name, and credname (if given) in the given myproxy_creds structure.
85  * If multiple credentials are stored under the given username,
86  * they'll be chained together in a linked-list using the next field
87  * in the given myproxy_creds structure.
88  * The default credential (i.e., with no credname) will be first in
89  * the list, if one exists.
90  * Note: The passphrase returned in the myproxy_creds structure is crypt()'ed.
91  *
92  * Returns -1 on error, 0 on success.
93  */
94 int myproxy_creds_retrieve_all(struct myproxy_creds *creds);
95 
96 /* myproxy_admin_retrieve_all()
97  *
98  * Used by the repository query tool on the server side for admin purposes.
99  *
100  * Retrieve all credentials stored in the credential storage directory
101  * in the given myproxy_creds structure. Credentials are chained together in
102  * a linked-list using the next field in the given myproxy_creds structure
103  * If creds->username is non-NULL, only retrieve credentials for that
104  * username.
105  * If creds->credname is non-NULL, only retrieve credentials for that
106  * credential name. A credname of "" indicates the "default" credential.
107  * If creds->start_time is non-zero, only retrieve credentials with
108  * end_time >= specified time.
109  * If creds->end_time is non-zero, only retrieve credentials with
110  * end_time < specified time.
111  * Note: The passphrase returned in the myproxy_creds structure is crypt()'ed.
112  *
113  * Returns -1 on error, number of credentials on success.
114  */
115 int myproxy_admin_retrieve_all(struct myproxy_creds *creds);
116 
117 /*
118  * myproxy_creds_delete()
119  *
120  * Delete any stored credentials held for the given user as indiciated
121  * by the username and credname fields in the given myproxy_creds structure.
122  *
123  * Returns -1 on error, 0 on success.
124  */
125 int myproxy_creds_delete(const struct myproxy_creds *creds);
126 
127 /*
128  * myproxy_creds_lock()
129  *
130  * Lock credentials indicated by the username and credname fields in
131  * the given myproxy_creds structure, for the specified reason.
132  * Locked credentials can not be retrieved or renewed.
133  *
134  * Returns -1 on error, 0 on success.
135  */
136 int myproxy_creds_lock(const struct myproxy_creds *creds, const char *reason);
137 
138 /*
139  * myproxy_creds_unlock()
140  *
141  * Unlock credentials indicated by the username and credname fields in
142  * the given myproxy_creds structure.
143  *
144  * Returns -1 on error, 0 on success.
145  */
146 int myproxy_creds_unlock(const struct myproxy_creds *creds);
147 
148 /*
149  * myproxy_creds_change_passphrase()
150  *
151  * Change the passphrase of the credential specified by the username
152  * and credential name to new_passphrase.
153  * The current passphrase must be present in the myproxy_creds struct.
154  *
155  * Returns -1 on error, 0 on success
156  */
157 int myproxy_creds_change_passphrase(const struct myproxy_creds *creds,
158  const char *new_passphrase);
159 
160 
161 /*
162  * myproxy_creds_encrypted()
163  *
164  * Returns 1 if credentials are encrypted, 0 if unencrypted, and -1 on
165  * error.
166  */
167 int myproxy_creds_encrypted(const struct myproxy_creds *creds);
168 
169 /*
170  * myproxy_creds_verify_passphrase()
171  *
172  * Verify the given passphrase against the myproxy_creds structure.
173  *
174  * Returns 1 on verify, 0 on failure, and -1 on error.
175  */
176 int myproxy_creds_verify_passphrase(const struct myproxy_creds *creds,
177  const char *new_passphrase);
178 
179 /*
180  * myproxy_creds_exist()
181  *
182  * Check to see if the given user already has credentials stored.
183  *
184  * Returns 1 if the user does, 0 if they do not, -1 on error.
185  */
186 int myproxy_creds_exist(const char *username, const char *credname);
187 
188 /*
189  * myproxy_creds_is_owner()
190  *
191  * Check to see if the given client is the owner of the credentials
192  * referenced by username.
193  *
194  * Returns 1 if the client owns the credentials, 0 if they do not, -1 on error.
195  */
196 int myproxy_creds_is_owner(const char *username, const char *credname,
197  const char *client_name);
198 
199 /*
200  * myproxy_creds_free()
201  *
202  * Free a list of myproxy_creds structures.
203  */
204 void myproxy_creds_free(struct myproxy_creds *certs);
205 
206 /*
207  * myproxy_creds_free_contents()
208  *
209  * Free all the contents of the myproxy_creds structure, but not the
210  * structure itself.
211  */
212 void myproxy_creds_free_contents(struct myproxy_creds *creds);
213 
214 /*
215  * myproxy_certs_free()
216  *
217  * Free a list of myproxy_certs structures.
218  */
219 void myproxy_certs_free(struct myproxy_certs *certs);
220 
221 /*
222  * myproxy_set_storage_dir()
223  *
224  * Change default storage directory.
225  * Returns -1 on error, 0 on success.
226  */
227 int myproxy_set_storage_dir(const char *dir);
228 
229 /*
230  * myproxy_check_storage_dir()
231  *
232  * Make sure the storage directory is OK.
233  * Returns 0 if OK, -1 if not.
234  */
235 int myproxy_check_storage_dir();
236 
237 /*
238  * myproxy_get_storage_dir()
239  *
240  * Returns path to storage directory.
241  * Returns NULL on error.
242  */
243 const char *myproxy_get_storage_dir();
244 
245 
246 /*
247  * myproxy_print_cred_info()
248  *
249  * Print info about creds to out.
250  * Returns 0 if OK, -1 if not.
251  */
252 int myproxy_print_cred_info(myproxy_creds_t *creds, FILE *out);
253 
254 /*
255  * myproxy_check_cert_dir()
256  *
257  * Checks to see if the files in the given trustroots
258  * directory are sane (such as world-readable, etc.).
259  * Returns 1 if sane, 0 otherwise.
260  */
261 int myproxy_check_cert_dir(const char cert_dir[]);
262 
263 /*
264  * myproxy_get_certs()
265  *
266  * Return linked list of trusted CA certificate and related files.
267  * Returns NULL on error.
268  */
269 myproxy_certs_t *myproxy_get_certs(const char cert_dir[]);
270 
271 /*
272 ** Check trusted certificates directory, create if needed.
273 */
274 int myproxy_check_trusted_certs_dir();
275 
276 /*
277  * myproxy_install_trusted_cert_files()
278  *
279  * Install a linked list of files in trusted cert dir.
280  * Returns 0 on success, -1 otherwise.
281  */
282 int myproxy_install_trusted_cert_files(myproxy_certs_t *);
283 
284 /*
285  * myproxy_clean_crls()
286  *
287  * Remove any bad CRLs in the trusted cert dir.
288  * Returns 1 if bad CRL(s) removed, 0 of none found, -1 on error.
289  */
290 int myproxy_clean_crls();
291 
292 /*
293  * myproxy_creds_verify()
294  *
295  * Check the validity of the credentials in the myproxy_creds structure:
296  * - check Not Before and Not After fields against current time
297  * - check signature by trusted CA
298  * - check revocation status (CRL, OCSP)
299  *
300  * The myproxy_creds structure should be filled in by a previous call to
301  * myproxy_creds_retrieve().
302  *
303  * Returns 0 on success, -1 on error (setting verror).
304  */
305 int myproxy_creds_verify(const struct myproxy_creds *);
306 
307 /*
308  * myproxy_creds_path_template()
309  *
310  * Returns a malloc'ed buffer containing a file name template suitable
311  * for passing to mkstemp() for storing credentials.
312  * If a credential storage directory is available for use
313  * (see the myproxy_*_storage_dir methods),
314  * the file will be located in that directory.
315  * Otherwise, it will be in /tmp.
316  * The caller should free() the string.
317  */
318 char *myproxy_creds_path_template();
319 
320 #endif
321