/*****************************************************************************/ /* Auth.h */ /*****************************************************************************/ #ifndef AUTH_H_LOADED #define AUTH_H_LOADED 1 #include "wasd.h" /* some storage maximums */ #define AUTH_MAX_DIGEST_RESPONSE 32 #define AUTH_MAX_PASSWORD_LENGTH 31 #define AUTH_MAX_REALM_GROUP_LENGTH 32 #define AUTH_MAX_REALM_DESCR_LENGTH 127 #define AUTH_MAX_USERNAME_LENGTH 64 /* 12 or so for VMS user name */ /* 47 for X509 fingerprint */ /* 64 for X509 common name */ #define AUTH_MAX_HTA_USERNAME_LENGTH 15 /* MUST remain at 15 */ #define AUTH_MAX_FULLNAME_LENGTH 31 #define AUTH_MAX_EMAIL_LENGTH 127 #define AUTH_MAX_CONTACT_LENGTH 127 #define AUTH_MAX_PATH_PARAM_LENGTH 255 #define AUTH_MAX_REALM_PARAM_LENGTH 255 #define AUTH_MAX_COOKIE_CACHE 32 #define AUTH_SIZE_TOKEN_VALUE 31 #define AUTH_SIZE_TOKEN_PATH 63 #define AUTH_TOKEN_DEFAULT_RECORD_MAX 128 #define AUTH_TOKEN_RECORD_MIN 32 #define AUTH_TOKEN_NAME_DEFAULT "WASDtoken" #define AUTH_TOKEN_MAXAGE_DEFAULT "60" /* seconds (string) */ #define AUTH_TOKEN_MAXAGE_MIN 5 /* seconds (integer) */ /* password minimum (when changing in HTADMIN.C) */ #define AUTH_MIN_PASSWORD 6 /* maximum number of VMS identifiers in array */ #define AUTH_MIN_VMS_IDENTIFIERS 64 #define AUTH_MAX_VMS_IDENTIFIERS 1024 /* size of static storage allocated for sys$create_user_profile() use */ #define AUTH_CREATE_USER_PROFILE_SIZE 2048 /* constants used to identify authorization schemes */ #define AUTH_SCHEME_BASIC 0x00000001 #define AUTH_SCHEME_DIGEST 0x00000002 #define AUTH_SCHEME_X509 0x00000003 #define AUTH_SCHEME_RFC1413 0x00000004 #define AUTH_SCHEME_NO401 0x00000005 #define AUTH_SCHEME_TOKEN 0x00000006 /* constants for bits for flags in HTA database */ #define AUTH_FLAG_GET 0x00000001 #define AUTH_FLAG_HEAD 0x00000002 #define AUTH_FLAG_POST 0x00000004 #define AUTH_FLAG_PUT 0x00000008 #define AUTH_FLAG_DELETE 0x00000010 #define AUTH_FLAG_CONNECT 0x00000020 #define AUTH_FLAG_TRACE 0x00000040 #define AUTH_FLAG_OPTIONS 0x00000080 #define AUTH_FLAG_EXTENSION 0x00000100 #define AUTH_FLAG_EVERYTHING 0x00ffffff #define AUTH_FLAG_HTTPS_ONLY 0x20000000 #define AUTH_FLAG_MANAGER 0x40000000 #define AUTH_FLAG_ENABLED 0x80000000 #define AUTH_READWRITE_ACCESS HTTP_READ_METHODS | \ HTTP_WRITE_METHODS | \ HTTP_WEBDAV_READ_METHODS | \ HTTP_WEBDAV_WRITE_METHODS #define AUTH_READONLY_ACCESS HTTP_READ_METHODS | \ HTTP_WEBDAV_READ_METHODS /* does not include WebDAV methods as write-only WebDAV doesn't make sense! */ #define AUTH_WRITEONLY_ACCESS HTTP_WRITE_METHODS #define AUTH_REALM_ACME "ACME" #define AUTH_REALM_EXTERNAL "EXTERNAL" #define AUTH_REALM_FAIL "-FAIL-" #define AUTH_REALM_NONE "NONE" #define AUTH_REALM_OPAQUE "OPAQUE" #define AUTH_REALM_PROMISCUOUS "PROMISCUOUS" #define AUTH_REALM_RFC1413 "RFC1413" #define AUTH_REALM_SKELKEY "SKELKEY" #define AUTH_REALM_TOKEN "TOKEN" #define AUTH_REALM_VMS "VMS" #define AUTH_REALM_WORLD "WORLD" #define AUTH_REALM_X509 "X509" #define AUTH_SOURCE_FAIL 1 #define AUTH_SOURCE_NONE 2 #define AUTH_SOURCE_WORLD 3 #define AUTH_SOURCE_EXTERNAL 4 #define AUTH_SOURCE_VMS 5 #define AUTH_SOURCE_ID 6 #define AUTH_SOURCE_ACME 7 #define AUTH_SOURCE_LIST 8 #define AUTH_SOURCE_DIR_LIST 9 #define AUTH_SOURCE_HTA 10 #define AUTH_SOURCE_DIR_HTA 11 #define AUTH_SOURCE_WASD_ID 12 #define AUTH_SOURCE_AGENT 13 #define AUTH_SOURCE_AGENT_OPAQUE 14 #define AUTH_SOURCE_X509 15 #define AUTH_SOURCE_RFC1413 16 #define AUTH_SOURCE_OPAQUE 17 #define AUTH_SOURCE_HOST 18 #define AUTH_SOURCE_PROMISCUOUS 19 #define AUTH_SOURCE_SKELKEY 20 #define AUTH_SOURCE_TOKEN 21 #define AUTH_SOURCE_THEREST 22 #define HTA_DIRECTORY "?WASD_AUTH:\0HT_AUTH:\0" #define HTA_FILE_TYPE ".$HTA" #define HTL_FILE_TYPE ".$HTL" #define AUTH_AGENT_PATH "/cgiauth-bin/" /* bogus VMS status codes (errors), these can be passed back and detected */ #define AUTH_DENIED_BY_FAIL 0x0fffff1a #define AUTH_DENIED_BY_GROUP 0x0fffff2a #define AUTH_DENIED_BY_HOSTNAME 0x0fffff3a #define AUTH_DENIED_BY_HOUR 0x0fffff4a #define AUTH_DENIED_BY_LOGIN 0x0fffff5a #define AUTH_DENIED_BY_LOGOUT 0x0fffff6a #define AUTH_DENIED_BY_NOCACHE 0x0fffff7a #define AUTH_DENIED_BY_OTHER 0x0fffff8a #define AUTH_DENIED_BY_PROTOCOL 0x0fffff9a #define AUTH_DENIED_BY_USERNAME 0x0fffffaa #define AUTH_DENIED_BY_REDIRECT 0x0fffffba #define AUTH_PENDING 0x0fffffca /* identifier names controlling SYSUAF authentication with /SYSUAF=ID */ #define AUTH_HTTPS_ONLY_VMS_ID "WASD_HTTPS_ONLY" #define AUTH_NIL_ACCESS_VMS_ID "WASD_NIL_ACCESS" #define AUTH_PASSWORD_CHANGE_VMS_ID "WASD_PASSWORD_CHANGE" #define AUTH_PROXY_ACCESS_VMS_ID "WASD_PROXY_ACCESS" /* identifier names controlling SYSUAF authentication with /SYSUAF=WASD */ #define AUTH_WASD__GROUP_VMS_ID "WASD_VMS__" #define AUTH_WASD_HTTPS_VMS_ID "WASD_VMS_HTTPS" #define AUTH_WASD_PWD_VMS_ID "WASD_VMS_PWD" #define AUTH_WASD_WRITE_VMS_ID "WASD_VMS_RW" #define AUTH_WASD_READ_VMS_ID "WASD_VMS_R" /* these values correspond with ACMEDEF.H ACME$K_NETWORK, etc., values */ #define AUTH_LOGON_TYPE_NETWORK 1 #define AUTH_LOGON_TYPE_BATCH 2 #define AUTH_LOGON_TYPE_LOCAL 3 #define AUTH_LOGON_TYPE_DIALUP 4 #define AUTH_LOGON_TYPE_REMOTE 5 /* when checking for read/write access to the file-system */ #define AUTH_ACCESS_READ 1 #define AUTH_ACCESS_WRITE 2 /* unilaterally enable SYSPRV for access */ #define AUTH_ACCESS_SYSPRV 9 /* has a path setting been made? */ #define AUTH_ACCESS_IS_SET(rq) \ ((rq)->rqPathSet.AccessProfile || (rq)->rqPathSet.AccessRead || \ (rq)->rqPathSet.AccessServer || (rq)->rqPathSet.AccessWrite) /* when formatting can string */ #define AUTH_CAN_FORMAT_SHORT 0 #define AUTH_CAN_FORMAT_LONG 1 #define AUTH_CAN_FORMAT_HTML 2 #define AUTH_HTA_VERSION 0x01 #define AUTH_DIR_NOT_CONFIGURED "DIRECTORY:[NOT.CONFIGURED]!" #define HTTPD_VERIFY "/httpd/-/verify/" #define AUTH_ACCESS_SET(rq) \ (rq->pathSet.AccessProfile || rq->pathSet.AccessRead || \ rq->pathSet.AccessServer || rq->pathSet.AccessWrite) /**************/ /* structures */ /**************/ /* Store these structures naturally-aligned on AXP. Uses a bit more storage but makes access as efficient as possible. */ #pragma member_alignment __save #pragma member_alignment typedef struct AuthHtaRecordStruct AUTH_HTAREC; /* record structure of on-disk HTA database - retain ulong[2]s! */ struct AuthHtaRecordStruct { char UserName [AUTH_MAX_HTA_USERNAME_LENGTH+1]; char FullName [AUTH_MAX_FULLNAME_LENGTH+1]; char Email [AUTH_MAX_EMAIL_LENGTH+1]; int UserNameLength; unsigned long Flags; unsigned long HashedPwd [2]; unsigned char A1DigestLoCase [16]; unsigned char A1DigestUpCase [16]; int ChangeCount; unsigned long LastChangeTime64 [2]; int AccessCount; unsigned long LastAccessTime64 [2]; int FailureCount; unsigned long LastFailureTime64 [2]; unsigned long AddedTime64 [2]; char Contact [AUTH_MAX_CONTACT_LENGTH+1]; char FillTo512Bytes [115]; unsigned char DatabaseVersion; }; typedef struct AuthConfigStruct AUTH_CONFIG_META; struct AuthConfigStruct { BOOL ProxyRuleReset; }; #define AUTH_REALM_RECORD_TYPE 1 typedef struct AuthRealmRecordStruct AUTH_REALM; /* in-memory realm authorization structure */ struct AuthRealmRecordStruct { /* must be the first int in the structure */ int RecordType; BOOL RealmProblem; int GroupReadLength, GroupWriteLength, MetaConNumber, RealmLength, RealmDescriptionLength, RealmParamLength; unsigned long AuthGroupCan, AuthWorldCan, GroupReadVmsIdentifier, GroupWriteVmsIdentifier, RealmVmsIdentifier, SourceRealm, SourceGroupRead, SourceGroupWrite; char *GroupReadPtr, *GroupWritePtr, *RealmPtr, *RealmParamPtr, *RealmAccessPtr, *RealmDescrPtr; /* string data is stored here and pointed to by above pointers */ }; #define AUTH_PATH_RECORD_TYPE 2 typedef struct AuthPathRecordStruct AUTH_PATH; /* in-memory path authorization structure */ struct AuthPathRecordStruct { /* must be the first int in the structure */ int RecordType; BOOL FinalRule, NoCache, PathProblem, VmsUserProfile, VmsUserScriptAs; int GroupRestrictListLength, MetaConNumber, PathLength, PathParameterLength, ProxyStringLength, SourceRealm, WorldRestrictListLength; unsigned long AuthGroupCan, AuthWorldCan; char *GroupRestrictListPtr, *PathPtr, *PathParameterPtr, *ProxyStringPtr, *WorldRestrictListPtr; /* storage for pre-compiled regular expression */ regex_t RegexPregPath; }; #define AUTH_DEFAULT_CACHE_RECORD_MAX 32 #define AUTH_DEFAULT_CACHE_RECORD_SIZE 768 #define AUTH_DEFAULT_CACHE_RECORD_PROFILE_SIZE 1024 typedef struct AuthCacheRecordStruct AUTH_CREC; /* in-memory user authentication cache structure */ struct AuthCacheRecordStruct { BOOL CaseLess, DetailsUpdated, HttpsOnly, NoCache, ProxyStringMapped, SysUafAuthenticated, SysUafCanChangePwd, SysUafNilAccess, VmsUserScriptAs; int AccessCount, AuthRemoteUserLength, AuthUserCan, BasicCount, ConfigDirectoryLength, ConfigDirectoryOffset, DataBaseCount, DigestCount, FailureCount, FindRecordCount, GroupReadLength, GroupReadOffset, GroupReadStatus, GroupWriteLength, GroupWriteOffset, GroupWriteStatus, LastAccessMinutesAgo, LastAccessSecondsAgo, LastAccessTickSecond, PathParameterLength, PathParameterOffset, ProxyUserNameLength, RealmLength, RealmParamLength, RemoteUserLength, StorageNextOffset, SysUafLogonType, UserDetailsLength, UserDetailsOffset, UserNameLength, VmsUserProfileLength, VmsUserProfileOffset; int64 LastAccessTime64; unsigned long SourceRealm, SourceGroupRead, SourceGroupWrite, UaiAccessP, UaiAccessS, UaiPrimeDays; char *ConfigDirectory, *GroupWrite, *GroupRead, *PathParameter, *RealmParam, *UserDetails, *VmsUserProfilePtr; char AuthRemoteUser [AUTH_MAX_USERNAME_LENGTH+1], DigestResponse [AUTH_MAX_DIGEST_RESPONSE+1], Password [AUTH_MAX_PASSWORD_LENGTH+1], ProxyUserName [AUTH_MAX_USERNAME_LENGTH+1], Realm [AUTH_MAX_REALM_GROUP_LENGTH+1], RemoteUser [AUTH_MAX_USERNAME_LENGTH+1], UserName [AUTH_MAX_USERNAME_LENGTH+1]; /* variable length fields are stored from this point onwards */ char Storage []; }; typedef struct AuthGblSecStruct AUTH_GBLSEC; struct AuthGblSecStruct { unsigned long GblSecVersion, GblSecLength; int CacheHitCount, CacheMissCount, CacheRecordCount, CacheReuseCount, CacheTimeoutCount; int64 SinceTime64; /* authentication cache records are stored from this point onwards */ char CacheRecordPool []; }; typedef struct AuthIdentStruct AUTH_IDENT; struct AuthIdentStruct { unsigned short IdentChannel; char ResponseString [128], RequestString [24]; IO_SB ConnectIOsb, ReadIOsb, WriteIOsb; REQUEST_STRUCT *RequestPtr; REQUEST_AST AuthAstFunction; }; typedef struct AuthSysUafStruct AUTH_SYSUAF; struct AuthSysUafStruct { unsigned long UaiFlags, UaiPrimeDays, UaiAccessP, UaiAccessS, UaiUic, UserNameLength; unsigned long UaiPriv [2]; int64 UaiExpTime64, UaiPwdDateTime64, UaiPwd2DateTime64, UaiPwdLifeTime64; uint64 HashedPwd, UaiPwd, UaiPwd2; unsigned short UaiSalt; unsigned char UaiEncrypt; char UaiOwner [1+31+1], UserName [15+1]; /* this should be plenty of space */ VMS_ITEM_LIST3 UaiItemList [32]; }; typedef struct AuthAcmeStruct AUTH_ACME; struct AuthAcmeStruct { int AuthDoiNameLength, MappingAcmeNameLength, MappedVmsUserNameLength, TargetDoiNameLength; char AuthDoiName [32+1], /* ACME$K_MAXCHAR_DOI_NAME */ MappingAcmeName [32+1], /* ACME$K_MAXCHAR_DOI_NAME */ MappedVmsUserName [AUTH_MAX_USERNAME_LENGTH+1], TargetDoiName [32+1]; /* ACME$K_MAXCHAR_DOI_NAME */ /* the SYS$ACM() IO status block is a little different to the norm! */ unsigned long AcmIOsb [4]; /* Want to keep ILE3 definitions out of here for backward compatbility. The equivalent to ILE3 and 16 items is ample for what we need. */ VMS_ITEM_LIST3 AcmItemList [16]; }; typedef struct AuthTokenRecordStruct AUTH_TOKEN_RECORD; struct AuthTokenRecordStruct { char AuthRealm [AUTH_MAX_REALM_GROUP_LENGTH+1], RemoteUser [AUTH_MAX_USERNAME_LENGTH+1], TokenValue [AUTH_SIZE_TOKEN_VALUE+1]; int AuthUserCan, SysUafAuthenticated, VmsUserProfile; unsigned int ExpireSecond, RemoteUserLength; IPADDRESS ClientIpAddr; }; typedef struct AuthTokenGblSecStruct AUTH_TOKEN_GBLSEC; struct AuthTokenGblSecStruct { unsigned long GblSecVersion, GblSecLength; int RecordCount; int64 SinceTime64; /* token records are stored from this point onwards */ char RecordPool []; }; #pragma member_alignment __restore /***********************/ /* function prototypes */ /***********************/ /*** AUTH.C prototypes ***/ void Authorize (REQUEST_STRUCT*, char*, int, char*, int, REQUEST_AST); void AuthorizeRealm (REQUEST_STRUCT*); void AuthorizeRealmCheck (REQUEST_STRUCT*); int AuthorizeWasdId (REQUEST_STRUCT*); void AuthorizeGroupWrite (REQUEST_STRUCT*); void AuthorizeGroupWriteCheck (REQUEST_STRUCT*); void AuthorizeGroupRead (REQUEST_STRUCT*); void AuthorizeGroupReadCheck (REQUEST_STRUCT*); int AuthorizeGuaranteeAccess (REQUEST_STRUCT*, char*); void AuthorizeFinal (REQUEST_STRUCT*); void AuthorizeResponse (REQUEST_STRUCT*); void AuthorizeNoCache (REQUEST_STRUCT*); char* AuthCanString (unsigned long, int); int AuthClientHostGroup (REQUEST_STRUCT*, char*); int AuthDoAuthorization (REQUEST_STRUCT*); int AuthParseAuthorization (REQUEST_STRUCT*); char* AuthSourceString (char*, unsigned long); char* AuthSysUafLogonType (int); int AuthVerifyPassword (REQUEST_STRUCT*); void AuthWatchCheck (REQUEST_STRUCT*, char*, char*, int); /*** AUTHACME.C prototypes ***/ AuthAcmeVerifyUser (REQUEST_STRUCT*); AuthAcmeVerifyUserAst (REQUEST_STRUCT*); AuthAcmeChangePassword (REQUEST_STRUCT*, char*, char*); AuthAcmeChangePasswordAst (REQUEST_STRUCT*); /*** AUTHAGENT.C prototypes ***/ void AuthAgentBegin (REQUEST_STRUCT*, char*, REQUEST_AST); void AuthAgentCallout (REQUEST_STRUCT*); void AuthAgentCalloutResponseError (REQUEST_STRUCT*); /*** AUTHHTA.C prototypes ***/ int AuthReadHtDatabase (REQUEST_STRUCT*, char*, BOOL); int AuthHtDatabaseAccess (REQUEST_STRUCT*, BOOL, char*, char*, AUTH_HTAREC*, AUTH_HTAREC*, AUTH_HTAREC*); /*** AUTHHTL.C prototypes ***/ int AuthReadSimpleList (REQUEST_STRUCT*, char*, BOOL); /*** AUTHCACHE.C prototypes ***/ int AuthUserResetRecord (char*, char*, char*); int AuthCacheAddRecord (AUTH_CREC*, AUTH_CREC**); int AuthCacheEntry (AUTH_CREC*, AUTH_CREC*); int AuthCacheFindRecord (AUTH_CREC*, AUTH_CREC**); int AuthCacheGblSecInit (); int AuthCacheInit (); BOOL AuthCacheNeedsReval (REQUEST_STRUCT*, AUTH_CREC*); int AuthCachePurge (BOOL); int AuthCacheReport (REQUEST_STRUCT*); void AuthCacheRequestRecord (REQUEST_STRUCT*, AUTH_CREC**); int AuthCacheReset (REQUEST_STRUCT*, char*, char*); /*** AUTHACCESS.C prototypes ***/ int AuthAccessCheck (REQUEST_STRUCT*, char*, int, int); #define AuthAccessReadCheck(rq,fn,fl) \ AuthAccessCheck (rq, fn, fl, AUTH_ACCESS_READ) #define AuthAccessWriteCheck(rq,fn,fl) \ AuthAccessCheck (rq, fn, fl, AUTH_ACCESS_WRITE) int AuthAccessEnable (REQUEST_STRUCT*, char*, int); /*** AUTHCONFIG.C prototypes ***/ int AuthConfigInit(); int AuthConfigIdentifier (char*, unsigned long*); AuthConfigAddPath (META_CONFIG*, BOOL, char*, BOOL, BOOL, char*, char*, char*, char*, unsigned long, unsigned long, unsigned long, BOOL, BOOL, BOOL); AuthConfigAddRealm (META_CONFIG*, BOOL, char*, char*, char*, unsigned long, unsigned long, char*, unsigned long, unsigned long, char*, unsigned long, unsigned long, unsigned long, unsigned long); int AuthConfigAddLine (META_CONFIG, char*); int AuthConfigLoad (META_CONFIG**); BOOL AuthConfigLoadCallBack (META_CONFIG*); int AuthConfigOther(); char* AuthConfigParseProtectRule (REQUEST_STRUCT*, char*, int); char* AuthConfigProxy (META_CONFIG*, char*); int AuthConfigProxyMap (REQUEST_STRUCT*, AUTH_CREC*); int AuthConfigRead (AUTH_CONFIG_META*); int AuthConfigReadStatus (AUTH_CONFIG_META*, char*, ...); int AuthConfigReport (REQUEST_STRUCT*, BOOL, char*); int AuthConfigReportNow (REQUEST_STRUCT*, META_CONFIG*, BOOL, char*); int AuthConfigReportRule (REQUEST_STRUCT*, METACON_LINE*, BOOL, char*, int); int AuthConfigSearch (REQUEST_STRUCT*, char*); int AuthConfigUnLoad (META_CONFIG*); AuthConfigUnloadLineData (void*); /*** AUTHIDENT.C prototypes ***/ void AuthIdentBegin (REQUEST_STRUCT*, REQUEST_AST); int AuthIdentCloseSocket (AUTH_IDENT*); int AuthIdentEnd (AUTH_IDENT*); int AuthIdentConnectAst (AUTH_IDENT*); int AuthIdentReadAst (AUTH_IDENT*); int AuthIdentReadTimeoutAst (AUTH_IDENT*); int AuthIdentWriteAst (AUTH_IDENT*); /*** AUTHTOKEN.C prototypes ***/ int AuthTokenInit (); char* AuthTokenFromCookie (REQUEST_STRUCT*, char*); AUTH_TOKEN_RECORD* AuthTokenFind (char*); int AuthTokenGblSecInit (); void AuthTokenProcess (REQUEST_STRUCT*); void AuthTokenGenerate (REQUEST_STRUCT*); /*** AUTHVMS.C prototypes ***/ int AuthVmsGetUai (REQUEST_STRUCT*, char*); AuthVmsChangePassword (REQUEST_STRUCT*, char*); int AuthVmsCheckIdentifier (REQUEST_STRUCT*); int AuthVmsCreateHttpdProfile (); int AuthVmsCreateUserProfile (REQUEST_STRUCT*); int AuthVmsHoldsIdentifier (REQUEST_STRUCT*, char*, unsigned long); int AuthVmsHoldsWasdGroupIdent (REQUEST_STRUCT*, char*); int AuthVmsLoadIdentifiers (REQUEST_STRUCT*, unsigned long); int AuthVmsVerifyUser (REQUEST_STRUCT*); int AuthVmsVerifyPassword (REQUEST_STRUCT*); #endif /* AUTH_H_LOADED */ /*****************************************************************************/