sss_cli.h

/*
   SSSD
 
   Client Interface for NSS and PAM.
 
   Authors:
        Simo Sorce <ssorce@redhat.com>
 
   Copyright (C) Red Hat, Inc 2007
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU Lesser General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
 
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Lesser General Public License for more details.
 
   You should have received a copy of the GNU Lesser General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
 
#ifndef _SSSCLI_H
#define _SSSCLI_H
 
#include "config.h"
 
#include <nss.h>
#include <pwd.h>
#include <grp.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
 
#include "shared/safealign.h"
 
#ifndef HAVE_ERRNO_T
#define HAVE_ERRNO_T
typedef int errno_t;
#else
#include <errno.h>
#endif
 
#ifndef EOK
#define EOK 0
#endif
 
#ifndef NETDB_INTERNAL
#define NETDB_INTERNAL (-1)
#endif
 
#define SSS_NSS_PROTOCOL_VERSION 1
#define SSS_PAM_PROTOCOL_VERSION 3
#define SSS_SUDO_PROTOCOL_VERSION 1
#define SSS_AUTOFS_PROTOCOL_VERSION 1
#define SSS_SSH_PROTOCOL_VERSION 0
#define SSS_PAC_PROTOCOL_VERSION 1
 
#ifdef LOGIN_NAME_MAX
#define SSS_NAME_MAX LOGIN_NAME_MAX
#else
#define SSS_NAME_MAX 256
#endif


 
enum sss_cli_command {
/* null */
    SSS_CLI_NULL           = 0x0000,
 
/* version */
    SSS_GET_VERSION    = 0x0001,
 
/* passwd */
 
    SSS_NSS_GETPWNAM       = 0x0011,
    SSS_NSS_GETPWUID       = 0x0012,
    SSS_NSS_SETPWENT       = 0x0013,
    SSS_NSS_GETPWENT       = 0x0014,
    SSS_NSS_ENDPWENT       = 0x0015,
 
    SSS_NSS_GETPWNAM_EX    = 0x0019,
    SSS_NSS_GETPWUID_EX    = 0x001A,
 
/* group */
 
    SSS_NSS_GETGRNAM       = 0x0021,
    SSS_NSS_GETGRGID       = 0x0022,
    SSS_NSS_SETGRENT       = 0x0023,
    SSS_NSS_GETGRENT       = 0x0024,
    SSS_NSS_ENDGRENT       = 0x0025,
    SSS_NSS_INITGR         = 0x0026,
 
    SSS_NSS_GETGRNAM_EX    = 0x0029,
    SSS_NSS_GETGRGID_EX    = 0x002A,
    SSS_NSS_INITGR_EX      = 0x002E,
 
#if 0
/* aliases */
 
    SSS_NSS_GETALIASBYNAME = 0x0031,
    SSS_NSS_GETALIASBYPORT = 0x0032,
    SSS_NSS_SETALIASENT    = 0x0033,
    SSS_NSS_GETALIASENT    = 0x0034,
    SSS_NSS_ENDALIASENT    = 0x0035,
 
/* ethers */
 
    SSS_NSS_GETHOSTTON     = 0x0041,
    SSS_NSS_GETNTOHOST     = 0x0042,
    SSS_NSS_SETETHERENT    = 0x0043,
    SSS_NSS_GETETHERENT    = 0x0044,
    SSS_NSS_ENDETHERENT    = 0x0045,
#endif
 
/* hosts */
 
    SSS_NSS_GETHOSTBYNAME  = 0x0051,
    SSS_NSS_GETHOSTBYNAME2 = 0x0052,
    SSS_NSS_GETHOSTBYADDR  = 0x0053,
    SSS_NSS_SETHOSTENT     = 0x0054,
    SSS_NSS_GETHOSTENT     = 0x0055,
    SSS_NSS_ENDHOSTENT     = 0x0056,
 
/* netgroup */
 
    SSS_NSS_SETNETGRENT    = 0x0061,
    SSS_NSS_GETNETGRENT    = 0x0062,
    SSS_NSS_ENDNETGRENT    = 0x0063,
 
/* networks */
 
    SSS_NSS_GETNETBYNAME   = 0x0071,
    SSS_NSS_GETNETBYADDR   = 0x0072,
    SSS_NSS_SETNETENT      = 0x0073,
    SSS_NSS_GETNETENT      = 0x0074,
    SSS_NSS_ENDNETENT      = 0x0075,
 
#if 0
/* protocols */
 
    SSS_NSS_GETPROTOBYNAME = 0x0081,
    SSS_NSS_GETPROTOBYNUM  = 0x0082,
    SSS_NSS_SETPROTOENT    = 0x0083,
    SSS_NSS_GETPROTOENT    = 0x0084,
    SSS_NSS_ENDPROTOENT    = 0x0085,
 
/* rpc */
 
    SSS_NSS_GETRPCBYNAME   = 0x0091,
    SSS_NSS_GETRPCBYNUM    = 0x0092,
    SSS_NSS_SETRPCENT      = 0x0093,
    SSS_NSS_GETRPCENT      = 0x0094,
    SSS_NSS_ENDRPCENT      = 0x0095,
#endif
 
/* services */
 
    SSS_NSS_GETSERVBYNAME  = 0x00A1,
    SSS_NSS_GETSERVBYPORT  = 0x00A2,
    SSS_NSS_SETSERVENT     = 0x00A3,
    SSS_NSS_GETSERVENT     = 0x00A4,
    SSS_NSS_ENDSERVENT     = 0x00A5,
 
#if 0
/* shadow */
 
    SSS_NSS_GETSPNAM       = 0x00B1,
    SSS_NSS_GETSPUID       = 0x00B2,
    SSS_NSS_SETSPENT       = 0x00B3,
    SSS_NSS_GETSPENT       = 0x00B4,
    SSS_NSS_ENDSPENT       = 0x00B5,
#endif
 
/* SUDO */
    SSS_SUDO_GET_SUDORULES = 0x00C1,
    SSS_SUDO_GET_DEFAULTS  = 0x00C2,
 
/* autofs */
    SSS_AUTOFS_SETAUTOMNTENT    = 0x00D1,
    SSS_AUTOFS_GETAUTOMNTENT    = 0x00D2,
    SSS_AUTOFS_GETAUTOMNTBYNAME  = 0x00D3,
    SSS_AUTOFS_ENDAUTOMNTENT    = 0x00D4,
 
/* SSH */
    SSS_SSH_GET_USER_PUBKEYS = 0x00E1,
    SSS_SSH_GET_HOST_PUBKEYS = 0x00E2,
 
/* PAM related calls */
    SSS_PAM_AUTHENTICATE     = 0x00F1, 
    SSS_PAM_SETCRED          = 0x00F2, 
    SSS_PAM_ACCT_MGMT        = 0x00F3, 
    SSS_PAM_OPEN_SESSION     = 0x00F4, 
    SSS_PAM_CLOSE_SESSION    = 0x00F5, 
    SSS_PAM_CHAUTHTOK        = 0x00F6, 
    SSS_PAM_CHAUTHTOK_PRELIM = 0x00F7, 
    SSS_CMD_RENEW            = 0x00F8, 
    SSS_PAM_PREAUTH          = 0x00F9, 
    SSS_GSSAPI_INIT          = 0x00FA, 
    SSS_GSSAPI_SEC_CTX       = 0x00FB, 
 
/* PAC responder calls */
    SSS_PAC_ADD_PAC_USER     = 0x0101,
 
/* ID-SID mapping calls */
SSS_NSS_GETSIDBYNAME = 0x0111, 
SSS_NSS_GETSIDBYID   = 0x0112, 
SSS_NSS_GETNAMEBYSID = 0x0113, 
SSS_NSS_GETIDBYSID   = 0x0114, 
SSS_NSS_GETORIGBYNAME = 0x0115, 
SSS_NSS_GETNAMEBYCERT = 0x0116, 
SSS_NSS_GETLISTBYCERT = 0x0117, 
SSS_NSS_GETSIDBYUID   = 0x0118, 
SSS_NSS_GETSIDBYGID   = 0x0119, 
SSS_NSS_GETORIGBYUSERNAME = 0x011A, 
SSS_NSS_GETORIGBYGROUPNAME = 0x011B, 
SSS_NSS_GETSIDBYUSERNAME = 0x011C, 
SSS_NSS_GETSIDBYGROUPNAME = 0x011D, 
 
 
/* subid */
    SSS_NSS_GET_SUBID_RANGES = 0x0130, 
};
 /* end of group sss_cli_command */
 

 /* end of group sss_pam */


 
enum sss_authtok_type {
    SSS_AUTHTOK_TYPE_EMPTY    =  0x0000, 
    SSS_AUTHTOK_TYPE_PASSWORD =  0x0001, 
    SSS_AUTHTOK_TYPE_CCFILE =    0x0002, 
    SSS_AUTHTOK_TYPE_2FA =       0x0003, 
    SSS_AUTHTOK_TYPE_SC_PIN =    0x0004, 
    SSS_AUTHTOK_TYPE_SC_KEYPAD = 0x0005, 
    SSS_AUTHTOK_TYPE_2FA_SINGLE = 0x0006, 
    SSS_AUTHTOK_TYPE_OAUTH2 =     0x0007, 
    SSS_AUTHTOK_TYPE_PASSKEY =    0x0008, 
    SSS_AUTHTOK_TYPE_PASSKEY_KRB = 0x0009,  
    SSS_AUTHTOK_TYPE_PASSKEY_REPLY = 0x0010, 
    SSS_AUTHTOK_TYPE_PAM_STACKED = 0x0011, 
};
 /* end of group sss_authtok_type */
 
#define SSS_START_OF_PAM_REQUEST 0x4d415049
#define SSS_END_OF_PAM_REQUEST 0x4950414d
 
#define PAM_PREAUTH_INDICATOR PUBCONF_PATH"/pam_preauth_available"
 
enum pam_item_type {
    SSS_PAM_ITEM_EMPTY = 0x0000,
    SSS_PAM_ITEM_USER,
    SSS_PAM_ITEM_SERVICE,
    SSS_PAM_ITEM_TTY,
    SSS_PAM_ITEM_RUSER,
    SSS_PAM_ITEM_RHOST,
    SSS_PAM_ITEM_AUTHTOK,
    SSS_PAM_ITEM_NEWAUTHTOK,
    SSS_PAM_ITEM_CLI_LOCALE,
    SSS_PAM_ITEM_CLI_PID,
    SSS_PAM_ITEM_CHILD_PID,
    SSS_PAM_ITEM_REQUESTED_DOMAINS,
    SSS_PAM_ITEM_FLAGS,
    SSS_PAM_ITEM_JSON_AUTH_INFO,
    SSS_PAM_ITEM_JSON_AUTH_SELECTED,
};
 
#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
#define PAM_CLI_FLAGS_FORWARD_PASS   (1 << 1)
#define PAM_CLI_FLAGS_USE_AUTHTOK    (1 << 2)
#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
#define PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT (1 << 10)
#define PAM_CLI_FLAGS_CHAUTHTOK_PREAUTH (1 << 11)
 
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
struct sss_cli_req_data {
    size_t len;
    const void *data;
};
 
/* this is in milliseconds, wait up to 300 seconds */
#define SSS_CLI_SOCKET_TIMEOUT 300000
 
enum sss_status {
    SSS_STATUS_TRYAGAIN,
    SSS_STATUS_UNAVAIL,
    SSS_STATUS_SUCCESS
};



 
enum response_type {
    SSS_PAM_SYSTEM_INFO = 0x01, 
    SSS_PAM_DOMAIN_NAME, 
    SSS_PAM_ENV_ITEM,    
    SSS_ENV_ITEM,        
    SSS_ALL_ENV_ITEM,    
    SSS_PAM_USER_INFO,   
    SSS_PAM_TEXT_MSG,    
    SSS_PAM_OTP_INFO,    
    SSS_PAM_CERT_INFO,   
    SSS_OTP,             
    SSS_PASSWORD_PROMPTING, 
    SSS_CERT_AUTH_PROMPTING, 
    SSS_PAM_CERT_INFO_WITH_HINT, 
    SSS_PAM_PROMPT_CONFIG, 
    SSS_CHILD_KEEP_ALIVE, 
    SSS_PAM_OAUTH2_INFO,  
    SSS_PAM_PASSKEY_INFO, 
    SSS_PAM_PASSKEY_KRB_INFO, 
    SSS_PAM_JSON_AUTH_INFO, 
};


 
enum user_info_type {
    SSS_PAM_USER_INFO_OFFLINE_AUTH = 0x01, 
    SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED, 
    SSS_PAM_USER_INFO_OFFLINE_CHPASS, 
    SSS_PAM_USER_INFO_OTP_CHPASS,   
    SSS_PAM_USER_INFO_CHPASS_ERROR, 
 
    SSS_PAM_USER_INFO_GRACE_LOGIN, 
    SSS_PAM_USER_INFO_EXPIRE_WARN, 
 
    SSS_PAM_USER_INFO_ACCOUNT_EXPIRED, 
 
    SSS_PAM_USER_INFO_PIN_LOCKED, 
    SSS_PAM_USER_INFO_NO_KRB_TGT, 
};
 /* end of group user_info_type */
 /* end of group response_type */
 /* end of group sss_pam_cli */
 
 
enum prompt_config_type {
    PC_TYPE_INVALID = 0,
    PC_TYPE_PASSWORD,
    PC_TYPE_2FA,
    PC_TYPE_2FA_SINGLE,
    PC_TYPE_PASSKEY,
    PC_TYPE_SMARTCARD,
    PC_TYPE_EIDP,
    PC_TYPE_LAST
};
 
struct prompt_config;
 
enum prompt_config_type pc_get_type(struct prompt_config *pc);
const char *pc_get_password_prompt(struct prompt_config *pc);
const char *pc_get_2fa_1st_prompt(struct prompt_config *pc);
const char *pc_get_2fa_2nd_prompt(struct prompt_config *pc);
const char *pc_get_2fa_single_prompt(struct prompt_config *pc);
const char *pc_get_passkey_inter_prompt(struct prompt_config *pc);
const char *pc_get_passkey_touch_prompt(struct prompt_config *pc);
const char *pc_get_eidp_init_prompt(struct prompt_config *pc);
const char *pc_get_eidp_link_prompt(struct prompt_config *pc);
const char *pc_get_smartcard_init_prompt(struct prompt_config *pc);
const char *pc_get_smartcard_pin_prompt(struct prompt_config *pc);
errno_t pc_list_add_passkey(struct prompt_config ***pc_list,
                            const char *inter_prompt,
                            const char *touch_prompt);
void pc_list_free(struct prompt_config **pc_list);
errno_t pc_list_add_password(struct prompt_config ***pc_list,
                             const char *prompt);
errno_t pc_list_add_2fa(struct prompt_config ***pc_list,
                        const char *prompt_1st, const char *prompt_2nd);
errno_t pc_list_add_2fa_single(struct prompt_config ***pc_list,
                               const char *prompt);
errno_t pc_list_add_eidp(struct prompt_config ***pc_list,
                         const char *prompt_init, const char *prompt_link);
errno_t pc_list_add_smartcard(struct prompt_config ***pc_list,
                              const char *prompt_init, const char *prompt_pin);
errno_t pam_get_response_prompt_config(struct prompt_config **pc_list, int *len,
                                       uint8_t **data);
errno_t pc_list_from_response(int size, uint8_t *buf,
                              struct prompt_config ***pc_list);
 
enum sss_netgr_rep_type {
    SSS_NETGR_REP_TRIPLE = 1,
    SSS_NETGR_REP_GROUP
};
 
enum sss_cli_error_codes {
    ESSS_SSS_CLI_ERROR_START = 0x1000,
    ESSS_BAD_SOCKET,
    ESSS_BAD_CRED_MSG,
    ESSS_SERVER_NOT_TRUSTED,
    ESSS_NO_SOCKET,
    ESSS_SOCKET_STAT_ERROR,
 
    ESS_SSS_CLI_ERROR_MAX
};
 
const char *ssscli_err2string(int err);
 
enum sss_status sss_cli_make_request_with_checks(enum sss_cli_command cmd,
                                                 struct sss_cli_req_data *rd,
                                                 int timeout,
                                                 uint8_t **repbuf, size_t *replen,
                                                 int *errnop,
                                                 const char *socket_name,
                                                 bool check_server_creds,
                                                 bool allow_custom_errors);
 
enum nss_status sss_nss_make_request(enum sss_cli_command cmd,
                                     struct sss_cli_req_data *rd,
                                     uint8_t **repbuf, size_t *replen,
                                     int *errnop);
 
enum nss_status sss_nss_make_request_timeout(enum sss_cli_command cmd,
                                             struct sss_cli_req_data *rd,
                                             int timeout,
                                             uint8_t **repbuf, size_t *replen,
                                             int *errnop);
 
int sss_pam_make_request(enum sss_cli_command cmd,
                         struct sss_cli_req_data *rd,
                         uint8_t **repbuf, size_t *replen,
                         int *errnop);
 
void sss_cli_close_socket(void);
 
/* Checks access to the PAC responder and opens the socket, if available.
 * Required for processes like krb5_child that need to open the socket
 * before dropping privs.
 */
int sss_pac_check_and_open(void);
 
int sss_pac_make_request(enum sss_cli_command cmd,
                         struct sss_cli_req_data *rd,
                         uint8_t **repbuf, size_t *replen,
                         int *errnop);
 
int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
                                   struct sss_cli_req_data *rd,
                                   uint8_t **repbuf, size_t *replen,
                                   int *errnop);
 
#if 0
 
/* GETSPNAM Request:
 *
 * 0-X: string with name
 *
 * Replies:
 *
 * 0-3: 32bit unsigned number of results
 * 4-7: 32bit unsigned (reserved/padding)
 * For each result:
 *  0-7: 64bit unsigned with Date of last change
 *  8-15: 64bit unsigned with Min #days between changes
 *  16-23: 64bit unsigned with Max #days between changes
 *  24-31: 64bit unsigned with #days before pwd expires
 *  32-39: 64bit unsigned with #days after pwd expires until account is disabled
 *  40-47: 64bit unsigned with expiration date in days since 1970-01-01
 *  48-55: 64bit unsigned (flags/reserved)
 *  56-X: sequence of 2, 0 terminated, strings (name, pwd) 64bit padded
 */
#endif
 
/* Return strlen(str) or maxlen, whichever is shorter
 * Returns EINVAL if str is NULL, EFBIG if str is longer than maxlen
 * _len will return the result
 */
errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len);
 
void sss_nss_lock(void);
void sss_nss_unlock(void);
void sss_pam_lock(void);
void sss_pam_unlock(void);
void sss_nss_mc_lock(void);
void sss_nss_mc_unlock(void);
void sss_pac_lock(void);
void sss_pac_unlock(void);
 
errno_t sss_readrep_copy_string(const char *in,
                                size_t *offset,
                                size_t *slen,
                                size_t *dlen,
                                char **out,
                                size_t *size);
 
enum pam_gssapi_cmd {
    PAM_GSSAPI_GET_NAME,
    PAM_GSSAPI_INIT,
    PAM_GSSAPI_SENTINEL
};
 
#endif /* _SSSCLI_H */