Diffstat (limited to 'src/include/gnunet_identity_provider_service.h')
-rw-r--r-- | src/include/gnunet_identity_provider_service.h | 332 |
1 files changed, 236 insertions, 96 deletions
diff --git a/src/include/gnunet_identity_provider_service.h b/src/include/gnunet_identity_provider_service.h index e533f6f8c..6bc05d0f4 100644 --- a/src/include/gnunet_identity_provider_service.h +++ b/src/include/gnunet_identity_provider_service.h | |||
@@ -39,7 +39,7 @@ extern "C" | |||
39 | #endif | 39 | #endif |
40 | 40 | ||
41 | #include "gnunet_util_lib.h" | 41 | #include "gnunet_util_lib.h" |
42 | 42 | #include "gnunet_identity_attribute_lib.h" | |
43 | 43 | ||
44 | /** | 44 | /** |
45 | * Version number of GNUnet Identity Provider API. | 45 | * Version number of GNUnet Identity Provider API. |
@@ -57,169 +57,309 @@ struct GNUNET_IDENTITY_PROVIDER_Handle; | |||
57 | struct GNUNET_IDENTITY_PROVIDER_Token; | 57 | struct GNUNET_IDENTITY_PROVIDER_Token; |
58 | 58 | ||
59 | /** | 59 | /** |
60 | * Handle for a ticket | 60 | * The ticket |
61 | */ | 61 | */ |
62 | struct GNUNET_IDENTITY_PROVIDER_Ticket; | 62 | struct GNUNET_IDENTITY_PROVIDER_Ticket |
63 | { | ||
64 | /** | ||
65 | * The ticket issuer | ||
66 | */ | ||
67 | struct GNUNET_CRYPTO_EcdsaPublicKey identity; | ||
68 | |||
69 | /** | ||
70 | * The ticket audience | ||
71 | */ | ||
72 | struct GNUNET_CRYPTO_EcdsaPublicKey audience; | ||
73 | |||
74 | /** | ||
75 | * The ticket random (NBO) | ||
76 | */ | ||
77 | uint64_t rnd; | ||
78 | }; | ||
63 | 79 | ||
64 | /** | 80 | /** |
65 | * Handle for an operation with the identity provider service. | 81 | * Handle for an operation with the identity provider service. |
66 | */ | 82 | */ |
67 | struct GNUNET_IDENTITY_PROVIDER_Operation; | 83 | struct GNUNET_IDENTITY_PROVIDER_Operation; |
68 | 84 | ||
85 | |||
69 | /** | 86 | /** |
70 | * Method called when a token has been exchanged for a ticket. | 87 | * Connect to the identity provider service. |
71 | * On success returns a token | ||
72 | * | 88 | * |
73 | * @param cls closure | 89 | * @param cfg Configuration to contact the identity provider service. |
74 | * @param token the token | 90 | * @return handle to communicate with identity provider service |
75 | */ | 91 | */ |
76 | typedef void | 92 | struct GNUNET_IDENTITY_PROVIDER_Handle * |
77 | (*GNUNET_IDENTITY_PROVIDER_ExchangeCallback)(void *cls, | 93 | GNUNET_IDENTITY_PROVIDER_connect (const struct GNUNET_CONFIGURATION_Handle *cfg); |
78 | const struct GNUNET_IDENTITY_PROVIDER_Token *token, | ||
79 | uint64_t ticket_nonce); | ||
80 | 94 | ||
81 | /** | 95 | /** |
82 | * Method called when a token has been issued. | 96 | * Continuation called to notify client about result of the |
83 | * On success returns a ticket that can be given to the audience to retrive the | 97 | * operation. |
84 | * token | ||
85 | * | 98 | * |
86 | * @param cls closure | 99 | * @param cls closure |
87 | * @param grant the label in GNS pointing to the token | 100 | * @param success #GNUNET_SYSERR on failure (including timeout/queue drop/failure to validate) |
88 | * @param ticket the ticket | 101 | * #GNUNET_NO if content was already there or not found |
89 | * @param token the issued token | 102 | * #GNUNET_YES (or other positive value) on success |
90 | * @param name name assigned by the user for this ego, | 103 | * @param emsg NULL on success, otherwise an error message |
91 | * NULL if the user just deleted the ego and it | ||
92 | * must thus no longer be used | ||
93 | */ | 104 | */ |
94 | typedef void | 105 | typedef void |
95 | (*GNUNET_IDENTITY_PROVIDER_IssueCallback)(void *cls, | 106 | (*GNUNET_IDENTITY_PROVIDER_ContinuationWithStatus) (void *cls, |
96 | const char *grant, | 107 | int32_t success, |
97 | const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket, | 108 | const char *emsg); |
98 | const struct GNUNET_IDENTITY_PROVIDER_Token *token); | ||
99 | 109 | ||
100 | 110 | ||
101 | /** | 111 | /** |
102 | * Connect to the identity provider service. | 112 | * Store an attribute. If the attribute is already present, |
113 | * it is replaced with the new attribute. | ||
103 | * | 114 | * |
104 | * @param cfg Configuration to contact the identity provider service. | 115 | * @param h handle to the identity provider |
105 | * @return handle to communicate with identity provider service | 116 | * @param pkey private key of the identity |
117 | * @param attr the attribute | ||
118 | * @param cont continuation to call when done | ||
119 | * @param cont_cls closure for @a cont | ||
120 | * @return handle to abort the request | ||
106 | */ | 121 | */ |
107 | struct GNUNET_IDENTITY_PROVIDER_Handle * | 122 | struct GNUNET_IDENTITY_PROVIDER_Operation * |
108 | GNUNET_IDENTITY_PROVIDER_connect (const struct GNUNET_CONFIGURATION_Handle *cfg); | 123 | GNUNET_IDENTITY_PROVIDER_attribute_store (struct GNUNET_IDENTITY_PROVIDER_Handle *h, |
124 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey, | ||
125 | const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr, | ||
126 | GNUNET_IDENTITY_PROVIDER_ContinuationWithStatus cont, | ||
127 | void *cont_cls); | ||
109 | 128 | ||
110 | 129 | ||
111 | /** | 130 | /** |
112 | * Issue a token for a specific audience. | 131 | * Process an attribute that was stored in the idp. |
113 | * | 132 | * |
114 | * @param id identity provider service to use | 133 | * @param cls closure |
115 | * @param iss issuer (identity) | 134 | * @param attr the attribute |
116 | * @param aud audience (identity) | ||
117 | * @param scope the identity attributes requested, comman separated | ||
118 | * @param expiration the token expiration | ||
119 | * @param nonce the nonce that will be included in token and ticket | ||
120 | * @param cb callback to call with result | ||
121 | * @param cb_cls closure | ||
122 | * @return handle to abort the operation | ||
123 | */ | 135 | */ |
124 | struct GNUNET_IDENTITY_PROVIDER_Operation * | 136 | typedef void |
125 | GNUNET_IDENTITY_PROVIDER_issue_token (struct GNUNET_IDENTITY_PROVIDER_Handle *id, | 137 | (*GNUNET_IDENTITY_PROVIDER_AttributeResult) (void *cls, |
126 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *iss_key, | 138 | const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, |
127 | const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | 139 | const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr); |
128 | const char* scope, | 140 | |
129 | struct GNUNET_TIME_Absolute expiration, | ||
130 | uint64_t nonce, | ||
131 | GNUNET_IDENTITY_PROVIDER_IssueCallback cb, | ||
132 | void *cb_cls); | ||
133 | 141 | ||
134 | 142 | ||
135 | /** | 143 | /** |
136 | * Exchange a ticket for a token. Intended to be used by audience that | 144 | * List all attributes for a local identity. |
137 | * received a ticket. | 145 | * This MUST lock the `struct GNUNET_IDENTITY_PROVIDER_Handle` |
146 | * for any other calls than #GNUNET_IDENTITY_PROVIDER_get_attributes_next() and | ||
147 | * #GNUNET_IDENTITY_PROVIDER_get_attributes_stop. @a proc will be called once | ||
148 | * immediately, and then again after | ||
149 | * #GNUNET_IDENTITY_PROVIDER_get_attributes_next() is invoked. | ||
138 | * | 150 | * |
139 | * @param id identity provider service to use | 151 | * On error (disconnect), @a error_cb will be invoked. |
140 | * @param ticket the ticket to exchange | 152 | * On normal completion, @a finish_cb proc will be |
141 | * @param aud_privkey the audience of the ticket | 153 | * invoked. |
142 | * @param cont function to call once the operation finished | 154 | * |
143 | * @param cont_cls closure for @a cont | 155 | * @param h handle to the idp |
144 | * @return handle to abort the operation | 156 | * @param identity identity to access |
157 | * @param error_cb function to call on error (i.e. disconnect), | ||
158 | * the handle is afterwards invalid | ||
159 | * @param error_cb_cls closure for @a error_cb | ||
160 | * @param proc function to call on each attribute; it | ||
161 | * will be called repeatedly with a value (if available) | ||
162 | * @param proc_cls closure for @a proc | ||
163 | * @param finish_cb function to call on completion | ||
164 | * the handle is afterwards invalid | ||
165 | * @param finish_cb_cls closure for @a finish_cb | ||
166 | * @return an iterator handle to use for iteration | ||
145 | */ | 167 | */ |
146 | struct GNUNET_IDENTITY_PROVIDER_Operation * | 168 | struct GNUNET_IDENTITY_PROVIDER_AttributeIterator * |
147 | GNUNET_IDENTITY_PROVIDER_exchange_ticket (struct GNUNET_IDENTITY_PROVIDER_Handle *id, | 169 | GNUNET_IDENTITY_PROVIDER_get_attributes_start (struct GNUNET_IDENTITY_PROVIDER_Handle *h, |
148 | const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket, | 170 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *identity, |
149 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *aud_privkey, | 171 | GNUNET_SCHEDULER_TaskCallback error_cb, |
150 | GNUNET_IDENTITY_PROVIDER_ExchangeCallback cont, | 172 | void *error_cb_cls, |
151 | void *cont_cls); | 173 | GNUNET_IDENTITY_PROVIDER_AttributeResult proc, |
174 | void *proc_cls, | ||
175 | GNUNET_SCHEDULER_TaskCallback finish_cb, | ||
176 | void *finish_cb_cls); | ||
152 | 177 | ||
153 | 178 | ||
154 | /** | 179 | /** |
155 | * Disconnect from identity provider service. | 180 | * Calls the record processor specified in #GNUNET_IDENTITY_PROVIDER_get_attributes_start |
181 | * for the next record. | ||
156 | * | 182 | * |
157 | * @param h identity provider service to disconnect | 183 | * @param it the iterator |
158 | */ | 184 | */ |
159 | void | 185 | void |
160 | GNUNET_IDENTITY_PROVIDER_disconnect (struct GNUNET_IDENTITY_PROVIDER_Handle *h); | 186 | GNUNET_IDENTITY_PROVIDER_get_attributes_next (struct GNUNET_IDENTITY_PROVIDER_AttributeIterator *it); |
161 | 187 | ||
162 | 188 | ||
163 | /** | 189 | /** |
164 | * Cancel an identity provider operation. Note that the operation MAY still | 190 | * Stops iteration and releases the idp handle for further calls. Must |
165 | * be executed; this merely cancels the continuation; if the request | 191 | * be called on any iteration that has not yet completed prior to calling |
166 | * was already transmitted, the service may still choose to complete | 192 | * #GNUNET_IDENTITY_PROVIDER_disconnect. |
167 | * the operation. | ||
168 | * | 193 | * |
169 | * @param op operation to cancel | 194 | * @param it the iterator |
170 | */ | 195 | */ |
171 | void | 196 | void |
172 | GNUNET_IDENTITY_PROVIDER_cancel (struct GNUNET_IDENTITY_PROVIDER_Operation *op); | 197 | GNUNET_IDENTITY_PROVIDER_get_attributes_stop (struct GNUNET_IDENTITY_PROVIDER_AttributeIterator *it); |
173 | 198 | ||
174 | 199 | ||
175 | /** | 200 | /** |
176 | * Convenience API | 201 | * Method called when a token has been issued. |
202 | * On success returns a ticket that can be given to the audience to retrive the | ||
203 | * token | ||
204 | * | ||
205 | * @param cls closure | ||
206 | * @param ticket the ticket | ||
177 | */ | 207 | */ |
208 | typedef void | ||
209 | (*GNUNET_IDENTITY_PROVIDER_TicketCallback)(void *cls, | ||
210 | const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket); | ||
178 | 211 | ||
179 | /** | 212 | /** |
180 | * Destroy token | 213 | * Issues a ticket to another identity. The identity may use |
214 | * @GNUNET_IDENTITY_PROVIDER_authorization_ticket_consume to consume the ticket | ||
215 | * and retrieve the attributes specified in the AttributeList. | ||
181 | * | 216 | * |
182 | * @param token the token | 217 | * @param id the identity provider to use |
218 | * @param iss the issuing identity | ||
219 | * @param rp the subject of the ticket (the relying party) | ||
220 | * @param attr the attributes that the relying party is given access to | ||
221 | * @param cb the callback | ||
222 | * @param cb_cls the callback closure | ||
223 | * @return handle to abort the operation | ||
183 | */ | 224 | */ |
184 | void | 225 | struct GNUNET_IDENTITY_PROVIDER_Operation * |
185 | GNUNET_IDENTITY_PROVIDER_token_destroy(struct GNUNET_IDENTITY_PROVIDER_Token *token); | 226 | GNUNET_IDENTITY_PROVIDER_ticket_issue (struct GNUNET_IDENTITY_PROVIDER_Handle *id, |
227 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *iss, | ||
228 | const struct GNUNET_CRYPTO_EcdsaPublicKey *rp, | ||
229 | const struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs, | ||
230 | GNUNET_IDENTITY_PROVIDER_TicketCallback cb, | ||
231 | void *cb_cls); | ||
186 | 232 | ||
187 | /** | 233 | /** |
188 | * Returns string representation of token. A JSON-Web-Token. | 234 | * Revoked an issued ticket. The relying party will be unable to retrieve |
235 | * updated attributes. | ||
189 | * | 236 | * |
190 | * @param token the token | 237 | * @param id the identity provider to use |
191 | * @return The JWT (must be freed) | 238 | * @param identity the issuing identity |
239 | * @param ticket the ticket to revoke | ||
240 | * @param cb the callback | ||
241 | * @param cb_cls the callback closure | ||
242 | * @return handle to abort the operation | ||
192 | */ | 243 | */ |
193 | char * | 244 | struct GNUNET_IDENTITY_PROVIDER_Operation * |
194 | GNUNET_IDENTITY_PROVIDER_token_to_string (const struct GNUNET_IDENTITY_PROVIDER_Token *token); | 245 | GNUNET_IDENTITY_PROVIDER_ticket_revoke (struct GNUNET_IDENTITY_PROVIDER_Handle *id, |
246 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *identity, | ||
247 | const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket, | ||
248 | GNUNET_IDENTITY_PROVIDER_ContinuationWithStatus cb, | ||
249 | void *cb_cls); | ||
250 | |||
251 | |||
195 | 252 | ||
196 | /** | 253 | /** |
197 | * Returns string representation of ticket. Base64-Encoded | 254 | * Consumes an issued ticket. The ticket is persisted |
255 | * and used to retrieve identity information from the issuer | ||
198 | * | 256 | * |
199 | * @param ticket the ticket | 257 | * @param id the identity provider to use |
200 | * @return the Base64-Encoded ticket | 258 | * @param identity the identity that is the subject of the issued ticket (the audience) |
259 | * @param ticket the issued ticket to consume | ||
260 | * @param cb the callback to call | ||
261 | * @param cb_cls the callback closure | ||
262 | * @return handle to abort the operation | ||
263 | */ | ||
264 | struct GNUNET_IDENTITY_PROVIDER_Operation * | ||
265 | GNUNET_IDENTITY_PROVIDER_ticket_consume (struct GNUNET_IDENTITY_PROVIDER_Handle *id, | ||
266 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *identity, | ||
267 | const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket, | ||
268 | GNUNET_IDENTITY_PROVIDER_AttributeResult cb, | ||
269 | void *cb_cls); | ||
270 | |||
271 | /** | ||
272 | * Lists all tickets that have been issued to remote | ||
273 | * identites (relying parties) | ||
274 | * | ||
275 | * @param h the identity provider to use | ||
276 | * @param identity the issuing identity | ||
277 | * @param error_cb function to call on error (i.e. disconnect), | ||
278 | * the handle is afterwards invalid | ||
279 | * @param error_cb_cls closure for @a error_cb | ||
280 | * @param proc function to call on each ticket; it | ||
281 | * will be called repeatedly with a value (if available) | ||
282 | * @param proc_cls closure for @a proc | ||
283 | * @param finish_cb function to call on completion | ||
284 | * the handle is afterwards invalid | ||
285 | * @param finish_cb_cls closure for @a finish_cb | ||
286 | * @return an iterator handle to use for iteration | ||
287 | */ | ||
288 | struct GNUNET_IDENTITY_PROVIDER_TicketIterator * | ||
289 | GNUNET_IDENTITY_PROVIDER_ticket_iteration_start (struct GNUNET_IDENTITY_PROVIDER_Handle *h, | ||
290 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *identity, | ||
291 | GNUNET_SCHEDULER_TaskCallback error_cb, | ||
292 | void *error_cb_cls, | ||
293 | GNUNET_IDENTITY_PROVIDER_TicketCallback proc, | ||
294 | void *proc_cls, | ||
295 | GNUNET_SCHEDULER_TaskCallback finish_cb, | ||
296 | void *finish_cb_cls); | ||
297 | |||
298 | /** | ||
299 | * Lists all tickets that have been issued to remote | ||
300 | * identites (relying parties) | ||
301 | * | ||
302 | * @param id the identity provider to use | ||
303 | * @param identity the issuing identity | ||
304 | * @param error_cb function to call on error (i.e. disconnect), | ||
305 | * the handle is afterwards invalid | ||
306 | * @param error_cb_cls closure for @a error_cb | ||
307 | * @param proc function to call on each ticket; it | ||
308 | * will be called repeatedly with a value (if available) | ||
309 | * @param proc_cls closure for @a proc | ||
310 | * @param finish_cb function to call on completion | ||
311 | * the handle is afterwards invalid | ||
312 | * @param finish_cb_cls closure for @a finish_cb | ||
313 | * @return an iterator handle to use for iteration | ||
201 | */ | 314 | */ |
202 | char * | 315 | struct GNUNET_IDENTITY_PROVIDER_TicketIterator * |
203 | GNUNET_IDENTITY_PROVIDER_ticket_to_string (const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket); | 316 | GNUNET_IDENTITY_PROVIDER_ticket_iteration_start_rp (struct GNUNET_IDENTITY_PROVIDER_Handle *h, |
317 | const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, | ||
318 | GNUNET_SCHEDULER_TaskCallback error_cb, | ||
319 | void *error_cb_cls, | ||
320 | GNUNET_IDENTITY_PROVIDER_TicketCallback proc, | ||
321 | void *proc_cls, | ||
322 | GNUNET_SCHEDULER_TaskCallback finish_cb, | ||
323 | void *finish_cb_cls); | ||
204 | 324 | ||
205 | /** | 325 | /** |
206 | * Created a ticket from a string (Base64 encoded ticket) | 326 | * Calls the record processor specified in #GNUNET_IDENTITY_PROVIDER_ticket_iteration_start |
327 | * for the next record. | ||
207 | * | 328 | * |
208 | * @param input Base64 encoded ticket | 329 | * @param it the iterator |
209 | * @param ticket pointer where the ticket is stored | ||
210 | * @return GNUNET_OK | ||
211 | */ | 330 | */ |
212 | int | 331 | void |
213 | GNUNET_IDENTITY_PROVIDER_string_to_ticket (const char* input, | 332 | GNUNET_IDENTITY_PROVIDER_ticket_iteration_next (struct GNUNET_IDENTITY_PROVIDER_TicketIterator *it); |
214 | struct GNUNET_IDENTITY_PROVIDER_Ticket **ticket); | ||
215 | 333 | ||
216 | /** | 334 | /** |
217 | * Destroys a ticket | 335 | * Stops iteration and releases the idp handle for further calls. Must |
336 | * be called on any iteration that has not yet completed prior to calling | ||
337 | * #GNUNET_IDENTITY_PROVIDER_disconnect. | ||
218 | * | 338 | * |
219 | * @param ticket the ticket to destroy | 339 | * @param it the iterator |
220 | */ | 340 | */ |
221 | void | 341 | void |
222 | GNUNET_IDENTITY_PROVIDER_ticket_destroy(struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket); | 342 | GNUNET_IDENTITY_PROVIDER_ticket_iteration_stop (struct GNUNET_IDENTITY_PROVIDER_TicketIterator *it); |
343 | |||
344 | /** | ||
345 | * Disconnect from identity provider service. | ||
346 | * | ||
347 | * @param h identity provider service to disconnect | ||
348 | */ | ||
349 | void | ||
350 | GNUNET_IDENTITY_PROVIDER_disconnect (struct GNUNET_IDENTITY_PROVIDER_Handle *h); | ||
351 | |||
352 | |||
353 | /** | ||
354 | * Cancel an identity provider operation. Note that the operation MAY still | ||
355 | * be executed; this merely cancels the continuation; if the request | ||
356 | * was already transmitted, the service may still choose to complete | ||
357 | * the operation. | ||
358 | * | ||
359 | * @param op operation to cancel | ||
360 | */ | ||
361 | void | ||
362 | GNUNET_IDENTITY_PROVIDER_cancel (struct GNUNET_IDENTITY_PROVIDER_Operation *op); | ||
223 | 363 | ||
224 | #if 0 /* keep Emacsens' auto-indent happy */ | 364 | #if 0 /* keep Emacsens' auto-indent happy */ |
225 | { | 365 | { |
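Review bot: The doc block on `GNUNET_IDENTITY_PROVIDER_ticket_iteration_start_rp` (new lines 298-314) is a verbatim copy of the one on `GNUNET_IDENTITY_PROVIDER_ticket_iteration_start`: it documents `@param id` although the parameter is `h`, and describes `identity` as "the issuing identity" although here it is a public key and the `_rp` suffix suggests this variant lists the tickets issued *to* a relying party, so the two declarations currently read as identical; if that is the intent, something like `Lists all tickets that have been issued to the given relying party` / `@param identity the relying party (audience) public key` would make the difference visible. In the same hunk the `ticket_issue` comment refers to `@GNUNET_IDENTITY_PROVIDER_authorization_ticket_consume`, a name not declared in this header — presumably `#GNUNET_IDENTITY_PROVIDER_ticket_consume` with the `#` doxygen reference — and documents `@param attr` where the parameter is `attrs`. Because `struct GNUNET_IDENTITY_PROVIDER_Ticket` now has a public layout with a network-byte-order `rnd`, the callbacks that hand out tickets (`GNUNET_IDENTITY_PROVIDER_TicketCallback`, `GNUNET_IDENTITY_PROVIDER_AttributeResult`) should state whether the pointed-to ticket/attribute is valid only for the duration of the callback and must be copied to be retained, and whether callers may construct ticket values themselves or must only pass back what the service issued; the header as written does not let a caller tell. Minor spelling in new comments: "identites", "retrive", and "Revoked an issued ticket" (should read "Revokes").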