Libipa_hbac provides a mechanism to validate FreeIPA HBAC rules as well as evaluate whether they apply to a particular user login attempt. More...

Data Structures
struct	hbac_rule_element
	Component of an HBAC rule. More...
struct	hbac_rule
	HBAC rule object for evaluation. More...
struct	hbac_request_element
	Component of an HBAC request. More...
struct	hbac_eval_req
	Request object for an HBAC rule evaluation. More...
struct	hbac_info
	Extended information. More...

Macros
#define	HBAC_CATEGORY_NULL 0x0000
	No service category specified.
#define	HBAC_CATEGORY_ALL 0x0001
	Rule should apply to all.
#define	HBAC_RULE_ELEMENT_USERS 0x01
	User element.
#define	HBAC_RULE_ELEMENT_SERVICES 0x02
	Service element.
#define	HBAC_RULE_ELEMENT_TARGETHOSTS 0x04
	Target host element.
#define	HBAC_RULE_ELEMENT_SOURCEHOSTS 0x08
	Source host element.

Typedefs
typedef void(*	hbac_debug_fn_t) (const char file, int line, const char function, enum hbac_debug_level, const char *format,...) HBAC_ATTRIBUTE_PRINTF(5
	Function pointer to HBAC external debugging function.
typedef void void	hbac_enable_debug(hbac_debug_fn_t external_debug_fn)
	HBAC uses external_debug_fn for logging messages.

Enumerations
enum	hbac_debug_level { }
	Debug levels for HBAC. More...
enum	hbac_eval_result { HBAC_EVAL_ERROR = -1 , HBAC_EVAL_ALLOW , HBAC_EVAL_DENY , HBAC_EVAL_OOM }
	Result of HBAC evaluation. More...
enum	hbac_error_code { HBAC_ERROR_UNKNOWN = -1 , HBAC_SUCCESS , HBAC_ERROR_NOT_IMPLEMENTED , HBAC_ERROR_OUT_OF_MEMORY , HBAC_ERROR_UNPARSEABLE_RULE }
	Error code returned by the evaluator. More...

Functions
enum hbac_eval_result	hbac_evaluate (struct hbac_rule *rules, struct hbac_eval_req hbac_req, struct hbac_info **info)
	Evaluate an authorization request against a set of HBAC rules.
const char *	hbac_result_string (enum hbac_eval_result result)
	Display result of hbac evaluation in human-readable form.
const char *	hbac_error_string (enum hbac_error_code code)
	Display error description.
void	hbac_free_info (struct hbac_info *info)
	Function to safely free hbac_info returned by hbac_evaluate.
bool	hbac_rule_is_complete (struct hbac_rule rule, uint32_t missing_attrs)
	Evaluate whether an HBAC rule contains all necessary elements.

Detailed Description

Libipa_hbac provides a mechanism to validate FreeIPA HBAC rules as well as evaluate whether they apply to a particular user login attempt.

Libipa_hbac is case-insensitive and compatible with UTF-8.

Typedef Documentation

◆ hbac_enable_debug

typedef void void hbac_enable_debug(hbac_debug_fn_t external_debug_fn)

HBAC uses external_debug_fn for logging messages.

Parameters

[in] external_debug_fn Pointer to external logging function.

Enumeration Type Documentation

◆ hbac_debug_level

enum hbac_debug_level

Debug levels for HBAC.

Enumerator
HBAC_DBG_ERROR	Fatal failure (not used).
HBAC_DBG_WARNING	Serious failure (out of memory, for example).
HBAC_DBG_INFO	Warnings (not used).
HBAC_DBG_TRACE	HBAC allow/disallow info. Verbose description of rules.

◆ hbac_error_code

enum hbac_error_code

Error code returned by the evaluator.

Enumerator
HBAC_ERROR_UNKNOWN	Unexpected error.
HBAC_SUCCESS	Successful evaluation.
HBAC_ERROR_NOT_IMPLEMENTED	Function is not yet implemented.
HBAC_ERROR_OUT_OF_MEMORY	Ran out of memory during processing.
HBAC_ERROR_UNPARSEABLE_RULE	Parse error while evaluating rule.

◆ hbac_eval_result

enum hbac_eval_result

Result of HBAC evaluation.

Enumerator
HBAC_EVAL_ERROR	An error occurred See the hbac_info for more details.
HBAC_EVAL_ALLOW	Evaluation grants access.
HBAC_EVAL_DENY	Evaluation denies access.
HBAC_EVAL_OOM	Evaluation failed due to lack of memory hbac_info is not available.

Function Documentation

◆ hbac_error_string()

const char * hbac_error_string ( enum hbac_error_code code )

Display error description.

Parameters

code	Error code returned in hbac_info

Returns: English string describing the error

◆ hbac_evaluate()

enum hbac_eval_result hbac_evaluate	(	struct hbac_rule **	rules,
		struct hbac_eval_req *	hbac_req,
		struct hbac_info **	info )

Evaluate an authorization request against a set of HBAC rules.

Parameters

[in]	rules	A NULL-terminated list of rules to evaluate against
[in]	hbac_req	A user authorization request
[out]	info	Extended information (including the name of the rule that allowed access (or caused a parse error)

Returns

HBAC_EVAL_ERROR: An error occurred
HBAC_EVAL_ALLOW: Access is granted
HBAC_EVAL_DENY: Access is denied
HBAC_EVAL_OOM: Insufficient memory to complete the evaluation

◆ hbac_free_info()

void hbac_free_info ( struct hbac_info * info )

Function to safely free hbac_info returned by hbac_evaluate.

Parameters

info	hbac_info returned by hbac_evaluate

◆ hbac_result_string()

const char * hbac_result_string ( enum hbac_eval_result result )

Display result of hbac evaluation in human-readable form.

Parameters

[in] result Return value of hbac_evaluate

Returns: English string describing the evaluation result

◆ hbac_rule_is_complete()

bool hbac_rule_is_complete	(	struct hbac_rule *	rule,
		uint32_t *	missing_attrs )

Evaluate whether an HBAC rule contains all necessary elements.

Parameters

[in]	rule	An HBAC rule to evaluate
[out]	missing_attrs	A list of attributes missing from the rule This is a bitmask that may contain one or more of HBAC_RULE_ELEMENT_USERS, HBAC_RULE_ELEMENT_SERVICES, HBAC_RULE_ELEMENT_TARGETHOSTS and HBAC_RULE_ELEMENT_SOURCEHOSTS

Returns: True if the rule contains all mandatory attributes

Note: This function does not care if the rule is enabled or disabled

Data Structures

Macros

Typedefs

Enumerations

Functions

Detailed Description

Typedef Documentation

◆ hbac_enable_debug

Enumeration Type Documentation

◆ hbac_debug_level

◆ hbac_error_code

◆ hbac_eval_result

Function Documentation

◆ hbac_error_string()

◆ hbac_evaluate()

◆ hbac_free_info()

◆ hbac_result_string()

◆ hbac_rule_is_complete()