Libipa_hbac provides a mechanism to validate FreeIPA HBAC rules as well as evaluate whether they apply to a particular user login attempt. More...

Data Structures
struct	hbac_rule_element
	Component of an HBAC rule. More...
struct	hbac_rule
	HBAC rule object for evaluation. More...
struct	hbac_request_element
	Component of an HBAC request. More...
struct	hbac_eval_req
	Request object for an HBAC rule evaluation. More...
struct	hbac_info
	Extended information. More...
Defines
#define	HBAC_CATEGORY_NULL 0x0000
	No service category specified.
#define	HBAC_CATEGORY_ALL 0x0001
	Rule should apply to all.
#define	HBAC_RULE_ELEMENT_USERS 0x01
	User element.
#define	HBAC_RULE_ELEMENT_SERVICES 0x02
	Service element.
#define	HBAC_RULE_ELEMENT_TARGETHOSTS 0x04
	Target host element.
#define	HBAC_RULE_ELEMENT_SOURCEHOSTS 0x08
	Source host element.
Typedefs
typedef void(*	hbac_debug_fn_t )(const char file, int line, const char function, enum hbac_debug_level, const char *format,...) HBAC_ATTRIBUTE_PRINTF(5
	Function pointer to HBAC external debugging function.
typedef void(*) voi	hbac_enable_debug )(hbac_debug_fn_t external_debug_fn)
	HBAC uses external_debug_fn for logging messages.
Enumerations
enum	hbac_debug_level { , HBAC_DBG_ERROR, HBAC_DBG_WARNING, HBAC_DBG_INFO, HBAC_DBG_TRACE }
	Debug levels for HBAC. More...
enum	hbac_eval_result { HBAC_EVAL_ERROR = -1, HBAC_EVAL_ALLOW, HBAC_EVAL_DENY, HBAC_EVAL_OOM }
	Result of HBAC evaluation. More...
enum	hbac_error_code { HBAC_ERROR_UNKNOWN = -1, HBAC_SUCCESS, HBAC_ERROR_NOT_IMPLEMENTED, HBAC_ERROR_OUT_OF_MEMORY, HBAC_ERROR_UNPARSEABLE_RULE }
	Error code returned by the evaluator. More...
Functions
enum hbac_eval_result	hbac_evaluate (struct hbac_rule *rules, struct hbac_eval_req hbac_req, struct hbac_info **info)
	Evaluate an authorization request against a set of HBAC rules.
const char *	hbac_result_string (enum hbac_eval_result result)
	Display result of hbac evaluation in human-readable form.
const char *	hbac_error_string (enum hbac_error_code code)
	Display error description.
void	hbac_free_info (struct hbac_info *info)
	Function to safely free hbac_info returned by hbac_evaluate.
bool	hbac_rule_is_complete (struct hbac_rule rule, uint32_t missing_attrs)
	Evaluate whether an HBAC rule contains all necessary elements.

Detailed Description

Libipa_hbac provides a mechanism to validate FreeIPA HBAC rules as well as evaluate whether they apply to a particular user login attempt.

Libipa_hbac is case-insensitive and compatible with UTF-8.

Typedef Documentation

typedef void(*) voi hbac_enable_debug)(hbac_debug_fn_t external_debug_fn)

HBAC uses external_debug_fn for logging messages.

Parameters:

[in] external_debug_fn Pointer to external logging function.

Enumeration Type Documentation

enum hbac_debug_level

Debug levels for HBAC.

Enumerator:

HBAC_DBG_ERROR	Fatal failure (not used).
HBAC_DBG_WARNING	Serious failure (out of memory, for example).
HBAC_DBG_INFO	Warnings (not used).
HBAC_DBG_TRACE	HBAC allow/disallow info. Verbose description of rules.

enum hbac_error_code

Error code returned by the evaluator.

Enumerator:

HBAC_ERROR_UNKNOWN	Unexpected error.
HBAC_SUCCESS	Successful evaluation.
HBAC_ERROR_NOT_IMPLEMENTED	Function is not yet implemented.
HBAC_ERROR_OUT_OF_MEMORY	Ran out of memory during processing.
HBAC_ERROR_UNPARSEABLE_RULE	Parse error while evaluating rule.

enum hbac_eval_result

Result of HBAC evaluation.

Enumerator:

HBAC_EVAL_ERROR	An error occurred See the hbac_info for more details.
HBAC_EVAL_ALLOW	Evaluation grants access.
HBAC_EVAL_DENY	Evaluation denies access.
HBAC_EVAL_OOM	Evaluation failed due to lack of memory hbac_info is not available.

Function Documentation

const char* hbac_error_string ( enum hbac_error_code code )

Display error description.

Parameters:

code	Error code returned in hbac_info

Returns:: English string describing the error

enum hbac_eval_result hbac_evaluate	(	struct hbac_rule **	rules,
		struct hbac_eval_req *	hbac_req,
		struct hbac_info **	info
	)

Evaluate an authorization request against a set of HBAC rules.

Parameters:

[in]	rules	A NULL-terminated list of rules to evaluate against
[in]	hbac_req	A user authorization request
[out]	info	Extended information (including the name of the rule that allowed access (or caused a parse error)

Returns:

HBAC_EVAL_ERROR: An error occurred
HBAC_EVAL_ALLOW: Access is granted
HBAC_EVAL_DENY: Access is denied
HBAC_EVAL_OOM: Insufficient memory to complete the evaluation

void hbac_free_info ( struct hbac_info * info )

Function to safely free hbac_info returned by hbac_evaluate.

Parameters:

info	hbac_info returned by hbac_evaluate

const char* hbac_result_string ( enum hbac_eval_result result )

Display result of hbac evaluation in human-readable form.

Parameters:

[in] result Return value of hbac_evaluate

Returns:: English string describing the evaluation result

bool hbac_rule_is_complete	(	struct hbac_rule *	rule,
		uint32_t *	missing_attrs
	)

Evaluate whether an HBAC rule contains all necessary elements.

Parameters:

[in]	rule	An HBAC rule to evaluate
[out]	missing_attrs	A list of attributes missing from the rule This is a bitmask that may contain one or more of HBAC_RULE_ELEMENT_USERS, HBAC_RULE_ELEMENT_SERVICES, HBAC_RULE_ELEMENT_TARGETHOSTS and HBAC_RULE_ELEMENT_SOURCEHOSTS

Returns:: True if the rule contains all mandatory attributes

Note:: This function does not care if the rule is enabled or disabled

Data Structures

Defines

Typedefs

Enumerations

Functions

Detailed Description

Typedef Documentation

Enumeration Type Documentation

Function Documentation