/** * @copyright * ==================================================================== * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. * ==================================================================== * @endcopyright * * @file svn_auth.h * @brief Subversion's authentication system */ #ifndef SVN_AUTH_H #define SVN_AUTH_H #include #include #include #include #include "svn_types.h" #include "svn_config.h" #ifdef __cplusplus extern "C" { #endif /* __cplusplus */ /** Overview of the svn authentication system. * * We define an authentication "provider" as a module that is able to * return a specific set of credentials. (e.g. username/password, * certificate, etc.) Each provider implements a vtable that * * - can fetch initial credentials * - can retry the fetch (or try to fetch something different) * - can store the credentials for future use * * For any given type of credentials, there can exist any number of * separate providers -- each provider has a different method of * fetching. (i.e. from a disk store, by prompting the user, etc.) * * The application begins by creating an auth baton object, and * "registers" some number of providers with the auth baton, in a * specific order. (For example, it may first register a * username/password provider that looks in disk store, then register * a username/password provider that prompts the user.) * * Later on, when any svn library is challenged, it asks the auth * baton for the specific credentials. If the initial credentials * fail to authenticate, the caller keeps requesting new credentials. * Under the hood, libsvn_auth effectively "walks" over each provider * (in order of registry), one at a time, until all the providers have * exhausted all their retry options. * * This system allows an application to flexibly define authentication * behaviors (by changing registration order), and very easily write * new authentication providers. * * An auth_baton also contains an internal hashtable of run-time * parameters; any provider or library layer can set these run-time * parameters at any time, so that the provider has access to the * data. (For example, certain run-time data may not be available * until an authentication challenge is made.) Each credential type * must document the run-time parameters that are made available to * its providers. * * @defgroup auth_fns Authentication functions * @{ */ /** The type of a Subversion authentication object */ typedef struct svn_auth_baton_t svn_auth_baton_t; /** The type of a Subversion authentication-iteration object */ typedef struct svn_auth_iterstate_t svn_auth_iterstate_t; /** The main authentication "provider" vtable. */ typedef struct svn_auth_provider_t { /** The kind of credentials this provider knows how to retrieve. */ const char *cred_kind; /** Get an initial set of credentials. * * Set @a *credentials to a set of valid credentials within @a * realmstring, or NULL if no credentials are available. Set @a * *iter_baton to context that allows a subsequent call to @c * next_credentials, in case the first credentials fail to * authenticate. @a provider_baton is general context for the * vtable, @a parameters contains any run-time data that the * provider may need, and @a realmstring comes from the * svn_auth_first_credentials() call. */ svn_error_t * (*first_credentials)(void **credentials, void **iter_baton, void *provider_baton, apr_hash_t *parameters, const char *realmstring, apr_pool_t *pool); /** Get a different set of credentials. * * Set @a *credentials to another set of valid credentials (using @a * iter_baton as the context from previous call to first_credentials * or next_credentials). If no more credentials are available, set * @a *credentials to NULL. If the provider only has one set of * credentials, this function pointer should simply be NULL. @a * provider_baton is general context for the vtable, @a parameters * contains any run-time data that the provider may need, and @a * realmstring comes from the svn_auth_first_credentials() call. */ svn_error_t * (*next_credentials)(void **credentials, void *iter_baton, void *provider_baton, apr_hash_t *parameters, const char *realmstring, apr_pool_t *pool); /** Save credentials. * * Store @a credentials for future use. @a provider_baton is * general context for the vtable, and @a parameters contains any * run-time data the provider may need. Set @a *saved to TRUE if * the save happened, or FALSE if not. The provider is not required * to save; if it refuses or is unable to save for non-fatal * reasons, return FALSE. If the provider never saves data, then * this function pointer should simply be NULL. @a realmstring comes * from the svn_auth_first_credentials() call. */ svn_error_t * (*save_credentials)(svn_boolean_t *saved, void *credentials, void *provider_baton, apr_hash_t *parameters, const char *realmstring, apr_pool_t *pool); } svn_auth_provider_t; /** A provider object, ready to be put into an array and given to svn_auth_open(). */ typedef struct svn_auth_provider_object_t { const svn_auth_provider_t *vtable; void *provider_baton; } svn_auth_provider_object_t; /** The type of function returning authentication provider. */ typedef void (*svn_auth_simple_provider_func_t)( svn_auth_provider_object_t **provider, apr_pool_t *pool);