1 /*
2 * Copyright (C) 2007 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup auth_info auth_info
18 * @{ @ingroup ccredentials
19 */
20
21 #ifndef AUTH_INFO_H_
22 #define AUTH_INFO_H_
23
24 #include <utils/enumerator.h>
25
/* Forward names: the method pointers inside struct auth_info_t below take an
 * auth_info_t* before the struct body is complete, and the AUTHN_/AUTHZ_ item
 * enum is referred to as auth_item_t throughout the interface. */
typedef struct auth_info_t auth_info_t;
typedef enum auth_item_t auth_item_t;
28
/**
 * Authentication/Authorization process helper item.
 *
 * For the authentication process, further information may be needed. These
 * items are defined as auth_item_t and have an AUTHN prefix.
 * The authentication process returns important data for the authorization
 * process; these items are defined with an AUTHZ prefix.
 * Authentication uses AUTHN items and creates AUTHZ items during authentication,
 * authorization reads AUTHZ values to give out privileges.
 *
 * Two consequences of this split that matter for security:
 *  - AUTHN items are inputs (what the peer has to be verified against), AUTHZ
 *    items are outcomes (what verification actually established). Only the
 *    authentication code should create AUTHZ items; the auth_info_t interface
 *    itself does not stop any other caller from adding one.
 *  - The value carried by an item is an untyped void* (see auth_info_t), so the
 *    "value is ..." note on each item is the whole contract between producer
 *    and consumer; nothing checks it at runtime.
 *
 *                +---+          +---------------------+
 *                | A |          | A                   |
 *                | u |          | u  +-----------+    |
 *                | t |          | t  | Required  |    |
 *                | h |          | h  | auth_info |    |
 *                | e |          | o  +-----------+    |
 *                | n |          | r        |          |
 * +-----------+  | t |          | i        |          |
 * | Provided  |  | i |          | z        V          |
 * | auth_info |--| c |----------| a ----> match? ----|------->
 * +-----------+  | a |          | t                   |
 *                | t |          | i                   |
 *                | i |          | o                   |
 *                | o |          | n                   |
 *                | n |          |                     |
 *                +---+          +---------------------+
 */
enum auth_item_t {

	/*
	 * items provided to authentication process
	 */

	/** CA certificate to use for authentication, value is certificate_t* */
	AUTHN_CA_CERT,
	/** Keyid of a CA certificate to use, value is identification_t* */
	AUTHN_CA_CERT_KEYID,
	/** subject DN of a CA certificate to use, value is identification_t* */
	AUTHN_CA_CERT_NAME,
	/** intermediate certificate, value is certificate_t* */
	AUTHN_IM_CERT,
	/** certificate for trustchain verification, value is certificate_t* */
	AUTHN_SUBJECT_CERT,

	/*
	 * items created by the authentication process, read by authorization
	 */

	/** subject has been authenticated by public key, value is public_key_t* */
	AUTHZ_PUBKEY,
	/** subject has been authenticated using preshared secrets, value is shared_key_t* */
	AUTHZ_PSK,
	/** subject has been authenticated using EAP, value is eap_method_t
	 *  (an enum, not a pointer - presumably carried in the void* slot by
	 *  cast; verify against auth_info.c before dereferencing anything) */
	AUTHZ_EAP,
	/** certificate authority, value is certificate_t* */
	AUTHZ_CA_CERT,
	/** subject DN of a certificate authority, value is identification_t* */
	AUTHZ_CA_CERT_NAME,
	/** intermediate certificate in trustchain, value is certificate_t* */
	AUTHZ_IM_CERT,
	/** subject certificate, value is certificate_t* */
	AUTHZ_SUBJECT_CERT,
	/** result of a CRL validation, value is cert_validation_t (not a pointer).
	 *  A missing item means no result was recorded at all, which is not the
	 *  same as a successful check - a constraint set that cares about
	 *  revocation has to require the result it needs. */
	AUTHZ_CRL_VALIDATION,
	/** result of an OCSP validation, value is cert_validation_t (not a
	 *  pointer); same caveat about a missing item as for CRL validation */
	AUTHZ_OCSP_VALIDATION,
	/** subject is in attribute certificate group, value is identification_t* */
	AUTHZ_AC_GROUP,
};
98
99
/**
 * enum name for auth_item_t.
 *
 * Name table for the AUTHN_ and AUTHZ_ values, defined in auth_info.c
 * (presumably used when printing items in log output).
 *
 * NOTE(review): enum_name_t is not declared by the only include in this
 * header (utils/enumerator.h); it must reach us transitively. Confirm
 * before relying on this header being self-contained.
 */
extern enum_name_t *auth_item_names;
104
/**
 * The auth_info class contains auth_item_t's used for AA.
 *
 * An auth_info allows the separation of authentication and authorization:
 * authentication fills the set (AUTHN inputs it consumed, AUTHZ facts it
 * established) and authorization later compares that set against the
 * required constraints with complies().
 *
 * Ownership: a value handed to add_item() belongs to the auth_info from then
 * on and is released by destroy() ("with all associated values"). Pointers
 * handed out by get_item() and create_item_enumerator() are therefore
 * borrowed - do not free them and do not use them after destroy().
 *
 * NOTE(review): nothing in this interface is synchronized; assume an
 * auth_info is confined to one thread unless auth_info.c says otherwise.
 */
struct auth_info_t {

	/**
	 * Add an item to the set.
	 *
	 * Ownership of value passes to this auth_info; destroy() releases it.
	 * value is an untyped pointer: the caller is trusted to pass the type
	 * documented for @p type in auth_item_t, nothing verifies it here.
	 * Items whose documented value type is not a pointer (eap_method_t,
	 * cert_validation_t) are presumably carried in the slot by value (cast);
	 * verify against auth_info.c.
	 *
	 * @param type		auth_info type
	 * @param value		associated value to auth_info type, if any
	 */
	void (*add_item)(auth_info_t *this, auth_item_t type, void *value);

	/**
	 * Get an item.
	 *
	 * The pointer written to *value is borrowed from this auth_info (see
	 * the ownership note on the struct). If more than one item of the same
	 * type was added, which one is returned cannot be told from this header;
	 * use create_item_enumerator() when all of them matter.
	 *
	 * @param type		auth_info type to get
	 * @param value		pointer to a pointer receiving item
	 * @return			TRUE if an item of that type has been found and *value set
	 */
	bool (*get_item)(auth_info_t *this, auth_item_t type, void **value);

	/**
	 * Create an enumerator over all items.
	 *
	 * Values yielded are borrowed, as with get_item(). The enumerator has
	 * to be destroyed by the caller (enumerator_t convention).
	 *
	 * @return			enumerator over (auth_item_t type, void *value)
	 */
	enumerator_t* (*create_item_enumerator)(auth_info_t *this);

	/**
	 * Check if this fulfills a set of required constraints.
	 *
	 * This is the authorization decision: this holds what authentication
	 * established, constraints holds what the peer is required to satisfy.
	 * A caller that skips this check, or ignores a FALSE result, has
	 * authenticated the peer but not authorized it. Whether an empty
	 * constraints set is satisfied by anything is decided in auth_info.c,
	 * not here.
	 *
	 * @param constraints	required authorization infos
	 * @return				TRUE if this complies with constraints
	 */
	bool (*complies)(auth_info_t *this, auth_info_t *constraints);

	/**
	 * Merge items from other into this.
	 *
	 * Items do not get cloned, but moved from other to this, so other is left
	 * without them (and will not release them on destroy). Whoever owns other
	 * presumably still has to destroy it - verify in auth_info.c.
	 * Note that AUTHZ items are moved as well: merging a set whose origin is
	 * not the authentication process imports unverified claims into this.
	 *
	 * @param other		items to read for merge
	 */
	void (*merge)(auth_info_t *this, auth_info_t *other);

	/**
	 * Check two auth_infos for equality.
	 *
	 * Whether "identical" means pointer-identical values or value comparison
	 * of the contained objects is decided in auth_info.c; check there before
	 * basing a security decision on this.
	 *
	 * @param other		other item to compare against this
	 * @return			TRUE if auth infos identical
	 */
	bool (*equals)(auth_info_t *this, auth_info_t *other);

	/**
	 * Destroy an auth_info instance with all associated values.
	 *
	 * Every pointer previously obtained through get_item() or the item
	 * enumerator dangles after this call.
	 */
	void (*destroy)(auth_info_t *this);
};
166
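/**
 * Create an auth_info instance.
 *
 * The caller owns the returned object and releases it, together with every
 * value added to it, through its destroy() method.
 *
 * Declared with (void): an empty parameter list in a C declaration is not a
 * prototype and lets the compiler accept calls with arbitrary arguments.
 *
 * @return			auth_info_t object
 */
auth_info_t *auth_info_create(void);

#endif /* AUTH_INFO_H_ @}*/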
171
172 #endif /* AUTH_INFO_H_ @}*/