1/*
2 * security_config.h
3 *
4 * Copyright (C) 2014 Aerospike, Inc.
5 *
6 * Portions may be licensed to Aerospike, Inc. under one or more contributor
7 * license agreements.
8 *
9 * This program is free software: you can redistribute it and/or modify it under
10 * the terms of the GNU Affero General Public License as published by the Free
11 * Software Foundation, either version 3 of the License, or (at your option) any
12 * later version.
13 *
14 * This program is distributed in the hope that it will be useful, but WITHOUT
15 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
16 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
17 * details.
18 *
19 * You should have received a copy of the GNU Affero General Public License
20 * along with this program. If not, see http://www.gnu.org/licenses/
21 */
22
23#pragma once
24
25#include <stdbool.h>
26#include <stdint.h>
27
28
29//==========================================================
30// Typedefs & constants.
31//
32
// Syslog "local" facilities.
// The numeric value is the index of the "localN" facility. AS_SYSLOG_MIN and
// AS_SYSLOG_MAX alias the first and last valid values (LOCAL0 / LOCAL7), so a
// configured value can be range-checked against them; AS_SYSLOG_NONE sits
// outside that range and presumably denotes "no facility configured".
typedef enum {
	AS_SYSLOG_NONE = -1, // outside the valid range — presumably "not configured"
	AS_SYSLOG_MIN = 0, // == AS_SYSLOG_LOCAL0
	AS_SYSLOG_MAX = 7, // == AS_SYSLOG_LOCAL7

	// May configure any facility from "local0" to "local7".
	AS_SYSLOG_LOCAL0 = 0,
	AS_SYSLOG_LOCAL1 = 1,
	AS_SYSLOG_LOCAL2 = 2,
	AS_SYSLOG_LOCAL3 = 3,
	AS_SYSLOG_LOCAL4 = 4,
	AS_SYSLOG_LOCAL5 = 5,
	AS_SYSLOG_LOCAL6 = 6,
	AS_SYSLOG_LOCAL7 = 7,
} as_sec_syslog_local;
49
// Security-related reporting sink bit-field flags.
// Each as_sec_report member holds an OR-combination of these; one bit per
// destination so that a category can be sent to several sinks at once.
#define AS_SEC_SINK_LOG (1 << 0)
#define AS_SEC_SINK_SYSLOG (1 << 1)
53
// Security-related reporting sinks as bit-fields.
// Each member is an OR-combination of AS_SEC_SINK_* flags naming where events
// of that category are reported. The categories themselves are only implied
// by the member names here — confirm against the reporting code.
typedef struct as_sec_report_s {
	uint32_t authentication; // AS_SEC_SINK_* bits for authentication events
	uint32_t data_op; // AS_SEC_SINK_* bits for data operations
	uint32_t sys_admin; // AS_SEC_SINK_* bits for system administration
	uint32_t user_admin; // AS_SEC_SINK_* bits for user administration
	uint32_t violation; // AS_SEC_SINK_* bits for security violations
} as_sec_report;
62
// Hopefully nobody really needs this many.
// Upper bound on configured LDAP role query patterns. as_sec_config reserves
// MAX_ROLE_QUERY_PATTERNS + 1 slots, presumably so the array can be
// NULL-terminated — confirm in the config parser before relying on that.
#define MAX_ROLE_QUERY_PATTERNS 64
65
// EVP_MD methods for LDAP session token encryption.
// Selects the message digest behind as_sec_config.ldap_token_hash_method.
// Values are explicit because AS_LDAP_NUM_EVP_MDS doubles as the count of
// selectable methods and as the "one past the last valid method" bound.
typedef enum {
	AS_LDAP_EVP_SHA_256 = 0, // current default
	AS_LDAP_EVP_SHA_512 = 1,

	AS_LDAP_NUM_EVP_MDS = 2 // not a method — number of methods above
} as_sec_ldap_evp_md;
73
// Security configuration.
// The *_MIN/*_MAX macros following this struct presumably bound the period and
// TTL members (privilege_refresh_period, ldap_polling_period,
// ldap_session_ttl) — confirm where as_security_config_check() is defined.
typedef struct as_sec_config_s {
	bool ldap_enabled;
	bool security_enabled;
	uint32_t n_ldap_login_threads;
	uint32_t privilege_refresh_period; // (seconds)
	as_sec_report report; // reporting sinks
	as_sec_syslog_local syslog_local; // syslog local facility

	// LDAP scope configuration.
	// NOTE(review): when ldap_tls_disabled is set, ldap_tls_ca_file is not
	// required (see its comment below); presumably the LDAP connection is then
	// unprotected in transit — worth confirming and surfacing at config time.
	bool ldap_tls_disabled;
	uint32_t ldap_polling_period; // (seconds)
	char* ldap_query_base_dn;
	char* ldap_query_user_dn;
	char* ldap_query_user_password_file; // path; the secret itself is below
	char* ldap_role_query_base_dn;
	// One slot beyond MAX_ROLE_QUERY_PATTERNS — presumably a NULL terminator.
	char* ldap_role_query_patterns[MAX_ROLE_QUERY_PATTERNS + 1];
	bool ldap_role_query_search_ou;
	char* ldap_server;
	uint32_t ldap_session_ttl; // (seconds)
	char* ldap_tls_ca_file; // set unless tls disabled
	as_sec_ldap_evp_md ldap_token_hash_method;
	char* ldap_user_dn_pattern;
	char* ldap_user_query_pattern;

	// Derived from config.
	// NOTE(review): presumably loaded from ldap_query_user_password_file; this
	// is a cleartext credential in process memory — keep it out of log lines and
	// config dumps, and confirm it is cleared when the config is released.
	char* ldap_query_user_password;
} as_sec_config;
102
// Accepted ranges, in seconds, for the period/TTL members of as_sec_config.
// Written as day/hour/minute products so the intended duration is readable.
#define PRIVILEGE_REFRESH_PERIOD_MIN 10 // 10 seconds
#define PRIVILEGE_REFRESH_PERIOD_MAX (24 * 60 * 60) // 1 day
#define LDAP_POLLING_PERIOD_MIN 0 // zero means don't poll
#define LDAP_POLLING_PERIOD_MAX (24 * 60 * 60) // 1 day
#define LDAP_SESSION_TTL_MIN (2 * 60) // 2 minutes
#define LDAP_SESSION_TTL_MAX (10 * 24 * 60 * 60) // 10 days
109
110
111//==========================================================
112// Public API.
113//
114
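// Check the loaded security configuration; defined elsewhere. Presumably
// validates members against the *_MIN/*_MAX ranges above — confirm in the
// definition. Declared with (void): an empty parameter list in C declares an
// unprototyped function, so a stray argument at a call site would not be
// diagnosed.
void as_security_config_check(void);

// Log security-related scope information for the given namespace/set to the
// sink(s) selected by 'sink' (AS_SEC_SINK_* bits). Whether ns_name or
// set_name may be NULL is not established here — confirm in the definition.
void as_security_config_log_scope(uint32_t sink, const char* ns_name,
		const char* set_name);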
118