1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2007 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup auth_info auth_info
19 * @{ @ingroup ccredentials
20 */
21
22 #ifndef AUTH_INFO_H_
23 #define AUTH_INFO_H_
24
25 #include <utils/enumerator.h>
26
/* Forward declarations so the method table and the item enum can refer to
 * each other by name; both bodies follow below in this header. */
typedef enum auth_item_t auth_item_t;
typedef struct auth_info_t auth_info_t;
/**
 * Authentication/Authorization process helper item.
 *
 * For the authentication process, further information may be needed. These
 * items are defined as auth_item_t and have an AUTHN prefix.
 * The authentication process returns important data for the authorization
 * process; these items are defined with an AUTHZ prefix.
 * Authentication uses AUTHN items and creates AUTHZ items during authentication,
 * authorization reads AUTHZ values to give out privileges.
 *
 * Each item is stored in an auth_info_t together with a void* value; the
 * "value is ..." notes below give the type that pointer really has. Items
 * without such a note have no value type documented in this header.
 * The enumerators carry no explicit values, so they are numbered from 0
 * (AUTHN_AUTH_CLASS == 0) in declaration order.
 *
 * NOTE(review): the AUTHZ items are the evidence that auth_info_t.complies()
 * matches against the configured constraints, so they must only ever be
 * produced by the authentication code itself, never copied from
 * peer-supplied data. Confirm in the implementation that no other path
 * adds AUTHZ items.
 *
 * +---+ +---------------------+
 * | A | | A |
 * | u | | u +-----------+ |
 * | t | | t | Required | |
 * | h | | h | auth_info | |
 * | e | | o +-----------+ |
 * | n | | r | |
 * +-----------+ | t | | i | |
 * | Provided | | i | | z V |
 * | auth_info |--| c |-------------| a ----> match? ----|------->
 * +-----------+ | a | | t |
 * | t | | i |
 * | i | | o |
 * | o | | n |
 * | n | | |
 * +---+ +---------------------+
 */
enum auth_item_t {

	/*
	 * items provided to authentication process (inputs, e.g. from
	 * configuration)
	 */

	/** authentication class to use, value is auth_class_t* */
	AUTHN_AUTH_CLASS,
	/** EAP method to request from peer, value is eap_type_t* */
	AUTHN_EAP_TYPE,
	/** EAP vendor to use in conjunction with EAP method, value is u_int32_t* */
	AUTHN_EAP_VENDOR,
	/** EAP identity to use within EAP-Identity exchange
	 * (value type not documented here; presumably identification_t*, confirm
	 * against the callers) */
	AUTHN_EAP_IDENTITY,
	/** CA certificate to use for authentication, value is certificate_t* */
	AUTHN_CA_CERT,
	/** keyid of a CA certificate to use, value is identification_t* */
	AUTHN_CA_CERT_KEYID,
	/** subject DN of a CA certificate to use, value is identification_t* */
	AUTHN_CA_CERT_NAME,
	/** intermediate certificate, value is certificate_t* */
	AUTHN_IM_CERT,
	/** certificate for trustchain verification, value is certificate_t* */
	AUTHN_SUBJECT_CERT,
	/** intermediate certificate supplied as hash and url
	 * (value type not documented here).
	 * NOTE(review): a certificate fetched from such a URL is only as
	 * trustworthy as the hash check on it; confirm the fetcher compares the
	 * hash before the certificate enters trustchain verification. */
	AUTHN_IM_HASH_URL,
	/** end-entity certificate supplied as hash and url
	 * (value type not documented here; same hash-check caveat as above) */
	AUTHN_SUBJECT_HASH_URL,

	/*
	 * items provided to authorization process (outputs of authentication)
	 */

	/** subject has been authenticated by public key, value is public_key_t* */
	AUTHZ_PUBKEY,
	/** subject has been authenticated using preshared secrets, value is shared_key_t* */
	AUTHZ_PSK,
	/** subject has been authenticated using EAP, value is eap_type_t* */
	AUTHZ_EAP,
	/** certificate authority, value is certificate_t* */
	AUTHZ_CA_CERT,
	/** subject DN of a certificate authority, value is identification_t* */
	AUTHZ_CA_CERT_NAME,
	/** intermediate certificate in trustchain, value is certificate_t* */
	AUTHZ_IM_CERT,
	/** subject certificate, value is certificate_t* */
	AUTHZ_SUBJECT_CERT,
	/** result of a CRL validation, value is cert_validation_t (an enum, not
	 * a pointer; presumably stored directly in the void* slot, confirm in
	 * auth_info.c). Absence of this item means no CRL result was recorded,
	 * which is not the same as a successful validation. */
	AUTHZ_CRL_VALIDATION,
	/** result of an OCSP validation, value is cert_validation_t (same
	 * storage and absence caveats as AUTHZ_CRL_VALIDATION) */
	AUTHZ_OCSP_VALIDATION,
	/** subject is in attribute certificate group, value is identification_t* */
	AUTHZ_AC_GROUP,
};


/**
 * enum name for auth_item_t.
 *
 * enum_name_t table giving printable names for auth_item_t values (for
 * logging and debugging). Only declared here; the table itself lives in
 * the implementation, presumably auth_info.c.
 */
extern enum_name_t *auth_item_names;

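/**
 * The auth_info class contains auth_item_t's used for AA.
 *
 * An auth_info allows the separation of authentication and authorization:
 * the authentication code collects AUTHN and AUTHZ items into it, and
 * complies() later matches the collected items against a second auth_info
 * holding the required constraints.
 *
 * Values stored in an auth_info are owned by it: destroy() releases them
 * and merge() moves rather than clones them. Pointers handed out by
 * get_item() and by the item enumerator therefore stay valid only as long
 * as the auth_info (and the item) lives.
 */
struct auth_info_t {

	/**
	 * Add an item to the set.
	 *
	 * Ownership of value passes to the auth_info (destroy() frees it).
	 * This header gives no per-type uniqueness guarantee; several items of
	 * the same type (e.g. multiple AUTHN_IM_CERT) may coexist - confirm
	 * with auth_info.c.
	 *
	 * @param type		auth_info type
	 * @param value		associated value to auth_info type, if any
	 */
	void (*add_item)(auth_info_t *this, auth_item_t type, void *value);

	/**
	 * Get an item.
	 *
	 * The pointer written to *value is the stored one, still owned by this
	 * auth_info; the caller must not free it. If several items of the same
	 * type exist, which one is returned is not specified by this header.
	 *
	 * @param type		auth_info type to get
	 * @param value		pointer to a pointer receiving item
	 * @return			TRUE if item has been found, FALSE otherwise
	 *					(*value is then not meaningful)
	 */
	bool (*get_item)(auth_info_t *this, auth_item_t type, void **value);

	/**
	 * Replace an item.
	 *
	 * Unlike the other methods, the first parameter is an enumerator_t, not
	 * the auth_info_t itself (the old name "this" hid that). Presumably it
	 * is the enumerator returned by create_item_enumerator() and the item it
	 * currently points to gets its type and value replaced - confirm in
	 * auth_info.c, including whether the previous value is freed.
	 *
	 * @param enumerator	item enumerator positioned on the item to replace
	 * @param type			new auth_info type
	 * @param value			pointer to the new value
	 */
	void (*replace_item)(enumerator_t *enumerator, auth_item_t type, void *value);

	/**
	 * Create an enumerator over all items.
	 *
	 * Enumerated values are owned by the auth_info, see get_item().
	 *
	 * @return			enumerator over (auth_item_t type, void *value)
	 */
	enumerator_t* (*create_item_enumerator)(auth_info_t *this);

	/**
	 * Check if this fulfills a set of required constraints.
	 *
	 * This is the authorization decision: the items in this (what
	 * authentication established) are checked against the items in
	 * constraints (what the configuration requires). How each item type is
	 * matched (exact value, trustchain membership, ...) is defined by the
	 * implementation, not by this header. Callers must treat FALSE as
	 * "not authorized".
	 *
	 * @param constraints	required authorization infos
	 * @return				TRUE if this complies with constraints
	 */
	bool (*complies)(auth_info_t *this, auth_info_t *constraints);

	/**
	 * Merge items from other into this.
	 *
	 * Items do not get cloned, but moved from other to this; callers must
	 * not rely on other still holding them afterwards (presumably it is
	 * left empty - confirm).
	 *
	 * @param other		items to read for merge
	 */
	void (*merge)(auth_info_t *this, auth_info_t *other);

	/**
	 * Purge all items in auth_info.
	 *
	 * Presumably releases the item values like destroy() does, leaving an
	 * empty but still usable auth_info - confirm.
	 */
	void (*purge)(auth_info_t *this);

	/**
	 * Check two auth_infos for equality.
	 *
	 * @param other		other auth_info to compare against this
	 * @return			TRUE if auth infos identical
	 */
	bool (*equals)(auth_info_t *this, auth_info_t *other);

	/**
	 * Destroy an auth_info instance with all associated values.
	 */
	void (*destroy)(auth_info_t *this);
};
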
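/**
 * Create an auth_info instance.
 *
 * The returned object is owned by the caller and is released through its
 * destroy() method, which also frees every value that was added to it.
 *
 * @return			auth_info_t object
 */
/* (void) rather than (): a bare () is an old-style declaration that does not
 * let the compiler reject calls passing arguments. */
auth_info_t *auth_info_create(void);
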
198 #endif /* AUTH_INFO_H_ @}*/