1 /** 2 * @copyright 3 * ==================================================================== 4 * Licensed to the Apache Software Foundation (ASF) under one 5 * or more contributor license agreements. See the NOTICE file 6 * distributed with this work for additional information 7 * regarding copyright ownership. The ASF licenses this file 8 * to you under the Apache License, Version 2.0 (the 9 * "License"); you may not use this file except in compliance 10 * with the License. You may obtain a copy of the License at 11 * 12 * http://www.apache.org/licenses/LICENSE-2.0 13 * 14 * Unless required by applicable law or agreed to in writing, 15 * software distributed under the License is distributed on an 16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 17 * KIND, either express or implied. See the License for the 18 * specific language governing permissions and limitations 19 * under the License. 20 * ==================================================================== 21 * @endcopyright 22 * 23 * @file svn_auth.h 24 * @brief Subversion's authentication system 25 */ 26 27 #ifndef SVN_AUTH_H 28 #define SVN_AUTH_H 29 30 #include <apr.h> 31 #include <apr_pools.h> 32 #include <apr_hash.h> 33 #include <apr_tables.h> 34 35 #include "svn_types.h" 36 #include "svn_config.h" 37 38 #ifdef __cplusplus 39 extern "C" { 40 #endif /* __cplusplus */ 41 42 /** Overview of the svn authentication system. 43 * 44 * We define an authentication "provider" as a module that is able to 45 * return a specific set of credentials. (e.g. username/password, 46 * certificate, etc.) Each provider implements a vtable that 47 * 48 * - can fetch initial credentials 49 * - can retry the fetch (or try to fetch something different) 50 * - can store the credentials for future use 51 * 52 * For any given type of credentials, there can exist any number of 53 * separate providers -- each provider has a different method of 54 * fetching. (i.e. from a disk store, by prompting the user, etc.) 55 * 56 * The application begins by creating an auth baton object, and 57 * "registers" some number of providers with the auth baton, in a 58 * specific order. (For example, it may first register a 59 * username/password provider that looks in disk store, then register 60 * a username/password provider that prompts the user.) 61 * 62 * Later on, when any svn library is challenged, it asks the auth 63 * baton for the specific credentials. If the initial credentials 64 * fail to authenticate, the caller keeps requesting new credentials. 65 * Under the hood, libsvn_auth effectively "walks" over each provider 66 * (in order of registry), one at a time, until all the providers have 67 * exhausted all their retry options. 68 * 69 * This system allows an application to flexibly define authentication 70 * behaviors (by changing registration order), and very easily write 71 * new authentication providers. 72 * 73 * An auth_baton also contains an internal hashtable of run-time 74 * parameters; any provider or library layer can set these run-time 75 * parameters at any time, so that the provider has access to the 76 * data. (For example, certain run-time data may not be available 77 * until an authentication challenge is made.) Each credential type 78 * must document the run-time parameters that are made available to 79 * its providers. 80 * 81 * @defgroup auth_fns Authentication functions 82 * @{ 83 */ 84 85 86 /** The type of a Subversion authentication object */ 87 typedef struct svn_auth_baton_t svn_auth_baton_t; 88 89 /** The type of a Subversion authentication-iteration object */ 90 typedef struct svn_auth_iterstate_t svn_auth_iterstate_t; 91 92 93 /** The main authentication "provider" vtable. */ 94 typedef struct svn_auth_provider_t 95 { 96 /** The kind of credentials this provider knows how to retrieve. */ 97 const char *cred_kind; 98 99 /** Get an initial set of credentials. 100 * 101 * Set @a *credentials to a set of valid credentials within @a 102 * realmstring, or NULL if no credentials are available. Set @a 103 * *iter_baton to context that allows a subsequent call to @c 104 * next_credentials, in case the first credentials fail to 105 * authenticate. @a provider_baton is general context for the 106 * vtable, @a parameters contains any run-time data that the 107 * provider may need, and @a realmstring comes from the 108 * svn_auth_first_credentials() call. 109 */ 110 svn_error_t * (*first_credentials)(void **credentials, 111 void **iter_baton, 112 void *provider_baton, 113 apr_hash_t *parameters, 114 const char *realmstring, 115 apr_pool_t *pool); 116 117 /** Get a different set of credentials. 118 * 119 * Set @a *credentials to another set of valid credentials (using @a 120 * iter_baton as the context from previous call to first_credentials 121 * or next_credentials). If no more credentials are available, set 122 * @a *credentials to NULL. If the provider only has one set of 123 * credentials, this function pointer should simply be NULL. @a 124 * provider_baton is general context for the vtable, @a parameters 125 * contains any run-time data that the provider may need, and @a 126 * realmstring comes from the svn_auth_first_credentials() call. 127 */ 128 svn_error_t * (*next_credentials)(void **credentials, 129 void *iter_baton, 130 void *provider_baton, 131 apr_hash_t *parameters, 132 const char *realmstring, 133 apr_pool_t *pool); 134 135 /** Save credentials. 136 * 137 * Store @a credentials for future use. @a provider_baton is 138 * general context for the vtable, and @a parameters contains any 139 * run-time data the provider may need. Set @a *saved to TRUE if 140 * the save happened, or FALSE if not. The provider is not required 141 * to save; if it refuses or is unable to save for non-fatal 142 * reasons, return FALSE. If the provider never saves data, then 143 * this function pointer should simply be NULL. @a realmstring comes 144 * from the svn_auth_first_credentials() call. 145 */ 146 svn_error_t * (*save_credentials)(svn_boolean_t *saved, 147 void *credentials, 148 void *provider_baton, 149 apr_hash_t *parameters, 150 const char *realmstring, 151 apr_pool_t *pool); 152 153 } svn_auth_provider_t; 154 155 156 /** A provider object, ready to be put into an array and given to 157 svn_auth_open(). */ 158 typedef struct svn_auth_provider_object_t 159 { 160 const svn_auth_provider_t *vtable; 161 void *provider_baton; 162 163 } svn_auth_provider_object_t; 164 165 /** The type of function returning authentication provider. */ 166 typedef void (*svn_auth_simple_provider_func_t)( 167 svn_auth_provider_object_t **provider, 168 apr_pool_t *pool); 169 170 171 /** Specific types of credentials **/ 172 173 /** Simple username/password pair credential kind. 174 * 175 * The following auth parameters are available to the providers: 176 * 177 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_CONFIG (@c svn_config_t*) 178 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 179 * 180 * The following auth parameters may be available to the providers: 181 * 182 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 183 * - @c SVN_AUTH_PARAM_DEFAULT_USERNAME (@c char*) 184 * - @c SVN_AUTH_PARAM_DEFAULT_PASSWORD (@c char*) 185 */ 186 #define SVN_AUTH_CRED_SIMPLE "svn.simple" 187 188 /** @c SVN_AUTH_CRED_SIMPLE credentials. */ 189 typedef struct svn_auth_cred_simple_t 190 { 191 /** Username */ 192 const char *username; 193 /** Password */ 194 const char *password; 195 /** Indicates if the credentials may be saved (to disk). For example, a 196 * GUI prompt implementation with a remember password checkbox shall set 197 * @a may_save to TRUE if the checkbox is checked. 198 */ 199 svn_boolean_t may_save; 200 } svn_auth_cred_simple_t; 201 202 203 /** Username credential kind. 204 * 205 * The following optional auth parameters are relevant to the providers: 206 * 207 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 208 * - @c SVN_AUTH_PARAM_DEFAULT_USERNAME (@c char*) 209 */ 210 #define SVN_AUTH_CRED_USERNAME "svn.username" 211 212 /** @c SVN_AUTH_CRED_USERNAME credentials. */ 213 typedef struct svn_auth_cred_username_t 214 { 215 /** Username */ 216 const char *username; 217 /** Indicates if the credentials may be saved (to disk). For example, a 218 * GUI prompt implementation with a remember username checkbox shall set 219 * @a may_save to TRUE if the checkbox is checked. 220 */ 221 svn_boolean_t may_save; 222 } svn_auth_cred_username_t; 223 224 225 /** SSL client certificate credential type. 226 * 227 * The following auth parameters are available to the providers: 228 * 229 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 230 * - @c SVN_AUTH_PARAM_SERVER_GROUP (@c char*) 231 * 232 * The following optional auth parameters are relevant to the providers: 233 * 234 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 235 */ 236 #define SVN_AUTH_CRED_SSL_CLIENT_CERT "svn.ssl.client-cert" 237 238 /** @c SVN_AUTH_CRED_SSL_CLIENT_CERT credentials. */ 239 typedef struct svn_auth_cred_ssl_client_cert_t 240 { 241 /** Absolute path to the certificate file */ 242 const char *cert_file; 243 /** Indicates if the credentials may be saved (to disk). For example, a 244 * GUI prompt implementation with a remember certificate checkbox shall 245 * set @a may_save to TRUE if the checkbox is checked. 246 */ 247 svn_boolean_t may_save; 248 } svn_auth_cred_ssl_client_cert_t; 249 250 251 /** A function returning an SSL client certificate passphrase provider. */ 252 typedef void (*svn_auth_ssl_client_cert_pw_provider_func_t)( 253 svn_auth_provider_object_t **provider, 254 apr_pool_t *pool); 255 256 /** SSL client certificate passphrase credential type. 257 * 258 * @note The realmstring used with this credential type must be a name that 259 * makes it possible for the user to identify the certificate. 260 * 261 * The following auth parameters are available to the providers: 262 * 263 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_CONFIG (@c svn_config_t*) 264 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 265 * - @c SVN_AUTH_PARAM_SERVER_GROUP (@c char*) 266 * 267 * The following optional auth parameters are relevant to the providers: 268 * 269 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 270 */ 271 #define SVN_AUTH_CRED_SSL_CLIENT_CERT_PW "svn.ssl.client-passphrase" 272 273 /** @c SVN_AUTH_CRED_SSL_CLIENT_CERT_PW credentials. */ 274 typedef struct svn_auth_cred_ssl_client_cert_pw_t 275 { 276 /** Certificate password */ 277 const char *password; 278 /** Indicates if the credentials may be saved (to disk). For example, a 279 * GUI prompt implementation with a remember password checkbox shall set 280 * @a may_save to TRUE if the checkbox is checked. 281 */ 282 svn_boolean_t may_save; 283 } svn_auth_cred_ssl_client_cert_pw_t; 284 285 286 /** SSL server verification credential type. 287 * 288 * The following auth parameters are available to the providers: 289 * 290 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 291 * - @c SVN_AUTH_PARAM_SERVER_GROUP (@c char*) 292 * - @c SVN_AUTH_PARAM_SSL_SERVER_FAILURES (@c apr_uint32_t*) 293 * - @c SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO 294 * (@c svn_auth_ssl_server_cert_info_t*) 295 * 296 * The following optional auth parameters are relevant to the providers: 297 * 298 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 299 */ 300 #define SVN_AUTH_CRED_SSL_SERVER_TRUST "svn.ssl.server" 301 302 /** SSL server certificate information used by @c 303 * SVN_AUTH_CRED_SSL_SERVER_TRUST providers. 304 */ 305 typedef struct svn_auth_ssl_server_cert_info_t 306 { 307 /** Primary CN */ 308 const char *hostname; 309 /** ASCII fingerprint */ 310 const char *fingerprint; 311 /** ASCII date from which the certificate is valid */ 312 const char *valid_from; 313 /** ASCII date until which the certificate is valid */ 314 const char *valid_until; 315 /** DN of the certificate issuer */ 316 const char *issuer_dname; 317 /** Base-64 encoded DER certificate representation */ 318 const char *ascii_cert; 319 } svn_auth_ssl_server_cert_info_t; 320 321 /** 322 * Return a deep copy of @a info, allocated in @a pool. 323 * 324 * @since New in 1.3. 325 */ 326 svn_auth_ssl_server_cert_info_t * 327 svn_auth_ssl_server_cert_info_dup(const svn_auth_ssl_server_cert_info_t *info, 328 apr_pool_t *pool); 329 330 /** @c SVN_AUTH_CRED_SSL_SERVER_TRUST credentials. */ 331 typedef struct svn_auth_cred_ssl_server_trust_t 332 { 333 /** Indicates if the credentials may be saved (to disk). For example, a 334 * GUI prompt implementation with a checkbox to accept the certificate 335 * permanently shall set @a may_save to TRUE if the checkbox is checked. 336 */ 337 svn_boolean_t may_save; 338 /** Bit mask of the accepted failures */ 339 apr_uint32_t accepted_failures; 340 } svn_auth_cred_ssl_server_trust_t; 341 342 343 344 /** Credential-constructing prompt functions. **/ 345 346 /** These exist so that different client applications can use 347 * different prompt mechanisms to supply the same credentials. For 348 * example, if authentication requires a username and password, a 349 * command-line client's prompting function might prompt first for the 350 * username and then for the password, whereas a GUI client's would 351 * present a single dialog box asking for both, and a telepathic 352 * client's would read all the information directly from the user's 353 * mind. All these prompting functions return the same type of 354 * credential, but the information used to construct the credential is 355 * gathered in an interface-specific way in each case. 356 */ 357 358 /** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 359 * @a baton is an implementation-specific closure. 360 * 361 * If @a realm is non-NULL, maybe use it in the prompt string. 362 * 363 * If @a username is non-NULL, then the user might be prompted only 364 * for a password, but @a *cred would still be filled with both 365 * username and password. For example, a typical usage would be to 366 * pass @a username on the first call, but then leave it NULL for 367 * subsequent calls, on the theory that if credentials failed, it's 368 * as likely to be due to incorrect username as incorrect password. 369 * 370 * If @a may_save is FALSE, the auth system does not allow the credentials 371 * to be saved (to disk). A prompt function shall not ask the user if the 372 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 373 * client with a remember password checkbox would grey out the checkbox if 374 * @a may_save is FALSE. 375 */ 376 typedef svn_error_t *(*svn_auth_simple_prompt_func_t)( 377 svn_auth_cred_simple_t **cred, 378 void *baton, 379 const char *realm, 380 const char *username, 381 svn_boolean_t may_save, 382 apr_pool_t *pool); 383 384 385 /** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 386 * @a baton is an implementation-specific closure. 387 * 388 * If @a realm is non-NULL, maybe use it in the prompt string. 389 * 390 * If @a may_save is FALSE, the auth system does not allow the credentials 391 * to be saved (to disk). A prompt function shall not ask the user if the 392 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 393 * client with a remember username checkbox would grey out the checkbox if 394 * @a may_save is FALSE. 395 */ 396 typedef svn_error_t *(*svn_auth_username_prompt_func_t)( 397 svn_auth_cred_username_t **cred, 398 void *baton, 399 const char *realm, 400 svn_boolean_t may_save, 401 apr_pool_t *pool); 402 403 404 /** @name SSL server certificate failure bits 405 * 406 * @note These values are stored in the on disk auth cache by the SSL 407 * server certificate auth provider, so the meaning of these bits must 408 * not be changed. 409 * @{ 410 */ 411 /** Certificate is not yet valid. */ 412 #define SVN_AUTH_SSL_NOTYETVALID 0x00000001 413 /** Certificate has expired. */ 414 #define SVN_AUTH_SSL_EXPIRED 0x00000002 415 /** Certificate's CN (hostname) does not match the remote hostname. */ 416 #define SVN_AUTH_SSL_CNMISMATCH 0x00000004 417 /** @brief Certificate authority is unknown (i.e. not trusted) */ 418 #define SVN_AUTH_SSL_UNKNOWNCA 0x00000008 419 /** @brief Other failure. This can happen if an unknown failure occurs 420 * that we do not handle yet. */ 421 #define SVN_AUTH_SSL_OTHER 0x40000000 422 /** @} */ 423 424 /** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 425 * @a baton is an implementation-specific closure. 426 * 427 * @a cert_info is a structure describing the server cert that was 428 * presented to the client, and @a failures is a bitmask that 429 * describes exactly why the cert could not be automatically validated, 430 * composed from the constants SVN_AUTH_SSL_* (@c SVN_AUTH_SSL_NOTYETVALID 431 * etc.). @a realm is a string that can be used in the prompt string. 432 * 433 * If @a may_save is FALSE, the auth system does not allow the credentials 434 * to be saved (to disk). A prompt function shall not ask the user if the 435 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 436 * client with a trust permanently checkbox would grey out the checkbox if 437 * @a may_save is FALSE. 438 */ 439 typedef svn_error_t *(*svn_auth_ssl_server_trust_prompt_func_t)( 440 svn_auth_cred_ssl_server_trust_t **cred, 441 void *baton, 442 const char *realm, 443 apr_uint32_t failures, 444 const svn_auth_ssl_server_cert_info_t *cert_info, 445 svn_boolean_t may_save, 446 apr_pool_t *pool); 447 448 449 /** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 450 * @a baton is an implementation-specific closure. @a realm is a string 451 * that can be used in the prompt string. 452 * 453 * If @a may_save is FALSE, the auth system does not allow the credentials 454 * to be saved (to disk). A prompt function shall not ask the user if the 455 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 456 * client with a remember certificate checkbox would grey out the checkbox 457 * if @a may_save is FALSE. 458 */ 459 typedef svn_error_t *(*svn_auth_ssl_client_cert_prompt_func_t)( 460 svn_auth_cred_ssl_client_cert_t **cred, 461 void *baton, 462 const char *realm, 463 svn_boolean_t may_save, 464 apr_pool_t *pool); 465 466 467 /** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 468 * @a baton is an implementation-specific closure. @a realm is a string 469 * identifying the certificate, and can be used in the prompt string. 470 * 471 * If @a may_save is FALSE, the auth system does not allow the credentials 472 * to be saved (to disk). A prompt function shall not ask the user if the 473 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 474 * client with a remember password checkbox would grey out the checkbox if 475 * @a may_save is FALSE. 476 */ 477 typedef svn_error_t *(*svn_auth_ssl_client_cert_pw_prompt_func_t)( 478 svn_auth_cred_ssl_client_cert_pw_t **cred, 479 void *baton, 480 const char *realm, 481 svn_boolean_t may_save, 482 apr_pool_t *pool); 483 484 /** A type of callback function for asking whether storing a password to 485 * disk in plaintext is allowed. 486 * 487 * In this callback, the client should ask the user whether storing 488 * a password for the realm identified by @a realmstring to disk 489 * in plaintext is allowed. 490 * 491 * The answer is returned in @a *may_save_plaintext. 492 * @a baton is an implementation-specific closure. 493 * All allocations should be done in @a pool. 494 * 495 * @since New in 1.6 496 */ 497 typedef svn_error_t *(*svn_auth_plaintext_prompt_func_t)( 498 svn_boolean_t *may_save_plaintext, 499 const char *realmstring, 500 void *baton, 501 apr_pool_t *pool); 502 503 /** A type of callback function for asking whether storing a passphrase to 504 * disk in plaintext is allowed. 505 * 506 * In this callback, the client should ask the user whether storing 507 * a passphrase for the realm identified by @a realmstring to disk 508 * in plaintext is allowed. 509 * 510 * The answer is returned in @a *may_save_plaintext. 511 * @a baton is an implementation-specific closure. 512 * All allocations should be done in @a pool. 513 * 514 * @since New in 1.6 515 */ 516 typedef svn_error_t *(*svn_auth_plaintext_passphrase_prompt_func_t)( 517 svn_boolean_t *may_save_plaintext, 518 const char *realmstring, 519 void *baton, 520 apr_pool_t *pool); 521 522 523 /** Initialize an authentication system. 524 * 525 * Return an authentication object in @a *auth_baton (allocated in @a 526 * pool) that represents a particular instance of the svn 527 * authentication system. @a providers is an array of @c 528 * svn_auth_provider_object_t pointers, already allocated in @a pool 529 * and intentionally ordered. These pointers will be stored within @a 530 * *auth_baton, grouped by credential type, and searched in this exact 531 * order. 532 */ 533 void 534 svn_auth_open(svn_auth_baton_t **auth_baton, 535 const apr_array_header_t *providers, 536 apr_pool_t *pool); 537 538 /** Set an authentication run-time parameter. 539 * 540 * Store @a name / @a value pair as a run-time parameter in @a 541 * auth_baton, making the data accessible to all providers. @a name 542 * and @a value will NOT be duplicated into the auth_baton's pool. 543 * To delete a run-time parameter, pass NULL for @a value. 544 */ 545 void 546 svn_auth_set_parameter(svn_auth_baton_t *auth_baton, 547 const char *name, 548 const void *value); 549 550 /** Get an authentication run-time parameter. 551 * 552 * Return a value for run-time parameter @a name from @a auth_baton. 553 * Return NULL if the parameter doesn't exist. 554 */ 555 const void * 556 svn_auth_get_parameter(svn_auth_baton_t *auth_baton, 557 const char *name); 558 559 /** Universal run-time parameters, made available to all providers. 560 561 If you are writing a new provider, then to be a "good citizen", 562 you should notice these global parameters! Note that these 563 run-time params should be treated as read-only by providers; the 564 application is responsible for placing them into the auth_baton 565 hash. */ 566 567 /** The auth-hash prefix indicating that the parameter is global. */ 568 #define SVN_AUTH_PARAM_PREFIX "svn:auth:" 569 570 /** 571 * @name Default credentials defines 572 * Property values are const char *. 573 * @{ */ 574 /** Default username provided by the application itself (e.g. --username) */ 575 #define SVN_AUTH_PARAM_DEFAULT_USERNAME SVN_AUTH_PARAM_PREFIX "username" 576 /** Default password provided by the application itself (e.g. --password) */ 577 #define SVN_AUTH_PARAM_DEFAULT_PASSWORD SVN_AUTH_PARAM_PREFIX "password" 578 /** @} */ 579 580 /** @brief The application doesn't want any providers to prompt 581 * users. Property value is irrelevant; only property's existence 582 * matters. */ 583 #define SVN_AUTH_PARAM_NON_INTERACTIVE SVN_AUTH_PARAM_PREFIX "non-interactive" 584 585 /** @brief The application doesn't want any providers to save passwords 586 * to disk. Property value is irrelevant; only property's existence 587 * matters. */ 588 #define SVN_AUTH_PARAM_DONT_STORE_PASSWORDS SVN_AUTH_PARAM_PREFIX \ 589 "dont-store-passwords" 590 591 /** @brief Indicates whether providers may save passwords to disk in 592 * plaintext. Property value can be either SVN_CONFIG_TRUE, 593 * SVN_CONFIG_FALSE, or SVN_CONFIG_ASK. 594 * @since New in 1.6. 595 */ 596 #define SVN_AUTH_PARAM_STORE_PLAINTEXT_PASSWORDS SVN_AUTH_PARAM_PREFIX \ 597 "store-plaintext-passwords" 598 599 /** @brief The application doesn't want any providers to save passphrase 600 * to disk. Property value is irrelevant; only property's existence 601 * matters. 602 * @since New in 1.6. 603 */ 604 #define SVN_AUTH_PARAM_DONT_STORE_SSL_CLIENT_CERT_PP \ 605 SVN_AUTH_PARAM_PREFIX "dont-store-ssl-client-cert-pp" 606 607 /** @brief Indicates whether providers may save passphrase to disk in 608 * plaintext. Property value can be either SVN_CONFIG_TRUE, 609 * SVN_CONFIG_FALSE, or SVN_CONFIG_ASK. 610 * @since New in 1.6. 611 */ 612 #define SVN_AUTH_PARAM_STORE_SSL_CLIENT_CERT_PP_PLAINTEXT \ 613 SVN_AUTH_PARAM_PREFIX "store-ssl-client-cert-pp-plaintext" 614 615 /** @brief The application doesn't want any providers to save credentials 616 * to disk. Property value is irrelevant; only property's existence 617 * matters. */ 618 #define SVN_AUTH_PARAM_NO_AUTH_CACHE SVN_AUTH_PARAM_PREFIX "no-auth-cache" 619 620 /** @brief The following property is for SSL server cert providers. This 621 * provides a pointer to an @c apr_uint32_t containing the failures 622 * detected by the certificate validator. */ 623 #define SVN_AUTH_PARAM_SSL_SERVER_FAILURES SVN_AUTH_PARAM_PREFIX \ 624 "ssl:failures" 625 626 /** @brief The following property is for SSL server cert providers. This 627 * provides the cert info (svn_auth_ssl_server_cert_info_t). */ 628 #define SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO SVN_AUTH_PARAM_PREFIX \ 629 "ssl:cert-info" 630 631 /** This provides a pointer to a @c svn_config_t containting the config 632 * category. */ 633 #define SVN_AUTH_PARAM_CONFIG_CATEGORY_CONFIG SVN_AUTH_PARAM_PREFIX \ 634 "config-category-config" 635 636 /** This provides a pointer to a @c svn_config_t containting the servers 637 * category. */ 638 #define SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS SVN_AUTH_PARAM_PREFIX \ 639 "config-category-servers" 640 641 /** @deprecated Provided for backward compatibility with the 1.5 API. */ 642 #define SVN_AUTH_PARAM_CONFIG SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS 643 644 /** The current server group. */ 645 #define SVN_AUTH_PARAM_SERVER_GROUP SVN_AUTH_PARAM_PREFIX "server-group" 646 647 /** @brief A configuration directory that overrides the default 648 * ~/.subversion. */ 649 #define SVN_AUTH_PARAM_CONFIG_DIR SVN_AUTH_PARAM_PREFIX "config-dir" 650 651 /** Get an initial set of credentials. 652 * 653 * Ask @a auth_baton to set @a *credentials to a set of credentials 654 * defined by @a cred_kind and valid within @a realmstring, or NULL if 655 * no credentials are available. Otherwise, return an iteration state 656 * in @a *state, so that the caller can call 657 * svn_auth_next_credentials(), in case the first set of credentials 658 * fails to authenticate. 659 * 660 * Use @a pool to allocate @a *state, and for temporary allocation. 661 * Note that @a *credentials will be allocated in @a auth_baton's pool. 662 */ 663 svn_error_t * 664 svn_auth_first_credentials(void **credentials, 665 svn_auth_iterstate_t **state, 666 const char *cred_kind, 667 const char *realmstring, 668 svn_auth_baton_t *auth_baton, 669 apr_pool_t *pool); 670 671 /** Get another set of credentials, assuming previous ones failed to 672 * authenticate. 673 * 674 * Use @a state to fetch a different set of @a *credentials, as a 675 * follow-up to svn_auth_first_credentials() or 676 * svn_auth_next_credentials(). If no more credentials are available, 677 * set @a *credentials to NULL. 678 * 679 * Note that @a *credentials will be allocated in @c auth_baton's pool. 680 */ 681 svn_error_t * 682 svn_auth_next_credentials(void **credentials, 683 svn_auth_iterstate_t *state, 684 apr_pool_t *pool); 685 686 /** Save a set of credentials. 687 * 688 * Ask @a state to store the most recently returned credentials, 689 * presumably because they successfully authenticated. 690 * All allocations should be done in @a pool. 691 * 692 * If no credentials were ever returned, do nothing. 693 */ 694 svn_error_t * 695 svn_auth_save_credentials(svn_auth_iterstate_t *state, 696 apr_pool_t *pool); 697 698 /** Forget a set (or all) memory-cached credentials. 699 * 700 * Remove references (if any) in @a auth_baton to credentials cached 701 * therein. If @a cred_kind and @a realmstring are non-NULL, forget 702 * only the credentials associated with those credential types and 703 * realm. Otherwise @a cred_kind and @a realmstring must both be 704 * NULL, and this function will forget all credentials cached within 705 * @a auth_baton. 706 * 707 * @note This function does not affect persisted authentication 708 * credential storage at all. It is merely a way to cause Subversion 709 * to forget about credentials already fetched from a provider, 710 * forcing them to be fetched again later should they be required. 711 * 712 * @since New in 1.8. 713 */ 714 svn_error_t * 715 svn_auth_forget_credentials(svn_auth_baton_t *auth_baton, 716 const char *cred_kind, 717 const char *realmstring, 718 apr_pool_t *pool); 719 720 /** @} */ 721 722 /** Set @a *provider to an authentication provider of type 723 * svn_auth_cred_simple_t that gets information by prompting the user 724 * with @a prompt_func and @a prompt_baton. Allocate @a *provider in 725 * @a pool. 726 * 727 * If both @c SVN_AUTH_PARAM_DEFAULT_USERNAME and 728 * @c SVN_AUTH_PARAM_DEFAULT_PASSWORD are defined as runtime 729 * parameters in the @c auth_baton, then @a *provider will return the 730 * default arguments when svn_auth_first_credentials() is called. If 731 * svn_auth_first_credentials() fails, then @a *provider will 732 * re-prompt @a retry_limit times (via svn_auth_next_credentials()). 733 * For infinite retries, set @a retry_limit to value less than 0. 734 * 735 * @since New in 1.4. 736 */ 737 void 738 svn_auth_get_simple_prompt_provider(svn_auth_provider_object_t **provider, 739 svn_auth_simple_prompt_func_t prompt_func, 740 void *prompt_baton, 741 int retry_limit, 742 apr_pool_t *pool); 743 744 745 /** Set @a *provider to an authentication provider of type @c 746 * svn_auth_cred_username_t that gets information by prompting the 747 * user with @a prompt_func and @a prompt_baton. Allocate @a *provider 748 * in @a pool. 749 * 750 * If @c SVN_AUTH_PARAM_DEFAULT_USERNAME is defined as a runtime 751 * parameter in the @c auth_baton, then @a *provider will return the 752 * default argument when svn_auth_first_credentials() is called. If 753 * svn_auth_first_credentials() fails, then @a *provider will 754 * re-prompt @a retry_limit times (via svn_auth_next_credentials()). 755 * For infinite retries, set @a retry_limit to value less than 0. 756 * 757 * @since New in 1.4. 758 */ 759 void 760 svn_auth_get_username_prompt_provider( 761 svn_auth_provider_object_t **provider, 762 svn_auth_username_prompt_func_t prompt_func, 763 void *prompt_baton, 764 int retry_limit, 765 apr_pool_t *pool); 766 767 768 /** Set @a *provider to an authentication provider of type @c 769 * svn_auth_cred_simple_t that gets/sets information from the user's 770 * ~/.subversion configuration directory. 771 * 772 * If the provider is going to save the password unencrypted, it calls @a 773 * plaintext_prompt_func, passing @a prompt_baton, before saving the 774 * password. 775 * 776 * If @a plaintext_prompt_func is NULL it is not called and the answer is 777 * assumed to be TRUE. This matches the deprecated behaviour of storing 778 * unencrypted passwords by default, and is only done this way for backward 779 * compatibility reasons. 780 * Client developers are highly encouraged to provide this callback 781 * to ensure their users are made aware of the fact that their password 782 * is going to be stored unencrypted. In the future, providers may 783 * default to not storing the password unencrypted if this callback is NULL. 784 * 785 * Clients can however set the callback to NULL and set 786 * SVN_AUTH_PARAM_STORE_PLAINTEXT_PASSWORDS to SVN_CONFIG_FALSE or 787 * SVN_CONFIG_TRUE to enforce a certain behaviour. 788 * 789 * Allocate @a *provider in @a pool. 790 * 791 * If a default username or password is available, @a *provider will 792 * honor them as well, and return them when 793 * svn_auth_first_credentials() is called. (see @c 794 * SVN_AUTH_PARAM_DEFAULT_USERNAME and @c 795 * SVN_AUTH_PARAM_DEFAULT_PASSWORD). 796 * 797 * @since New in 1.6. 798 */ 799 void 800 svn_auth_get_simple_provider2( 801 svn_auth_provider_object_t **provider, 802 svn_auth_plaintext_prompt_func_t plaintext_prompt_func, 803 void *prompt_baton, 804 apr_pool_t *pool); 805 806 /** Like svn_auth_get_simple_provider2, but without the ability to 807 * call the svn_auth_plaintext_prompt_func_t callback, and the provider 808 * always assumes that it is allowed to store the password in plaintext. 809 * 810 * @deprecated Provided for backwards compatibility with the 1.5 API. 811 * @since New in 1.4. 812 */ 813 SVN_DEPRECATED 814 void 815 svn_auth_get_simple_provider(svn_auth_provider_object_t **provider, 816 apr_pool_t *pool); 817 818 /** Set @a *provider to an authentication provider of type @c 819 * svn_auth_provider_object_t, or return @c NULL if the provider is not 820 * available for the requested platform or the requested provider is unknown. 821 * 822 * Valid @a provider_name values are: "gnome_keyring", "keychain", "kwallet", 823 * "gpg_agent", and "windows". 824 * 825 * Valid @a provider_type values are: "simple", "ssl_client_cert_pw" and 826 * "ssl_server_trust". 827 * 828 * Allocate @a *provider in @a pool. 829 * 830 * What actually happens is we invoke the appropriate provider function to 831 * supply the @a provider, like so: 832 * 833 * svn_auth_get_<name>_<type>_provider(@a provider, @a pool); 834 * 835 * @since New in 1.6. 836 */ 837 svn_error_t * 838 svn_auth_get_platform_specific_provider( 839 svn_auth_provider_object_t **provider, 840 const char *provider_name, 841 const char *provider_type, 842 apr_pool_t *pool); 843 844 /** Set @a *providers to an array of <tt>svn_auth_provider_object_t *</tt> 845 * objects. 846 * Only client authentication providers available for the current platform are 847 * returned. Order of the platform-specific authentication providers is 848 * determined by the 'password-stores' configuration option which is retrieved 849 * from @a config. @a config can be NULL. 850 * 851 * Create and allocate @a *providers in @a pool. 852 * 853 * Default order of the platform-specific authentication providers: 854 * 1. gnome-keyring 855 * 2. kwallet 856 * 3. keychain 857 * 4. gpg-agent 858 * 5. windows-cryptoapi 859 * 860 * @since New in 1.6. 861 */ 862 svn_error_t * 863 svn_auth_get_platform_specific_client_providers( 864 apr_array_header_t **providers, 865 svn_config_t *config, 866 apr_pool_t *pool); 867 868 #if (defined(WIN32) && !defined(__MINGW32__)) || defined(DOXYGEN) 869 /** 870 * Set @a *provider to an authentication provider of type @c 871 * svn_auth_cred_simple_t that gets/sets information from the user's 872 * ~/.subversion configuration directory. Allocate @a *provider in 873 * @a pool. 874 * 875 * This is like svn_auth_get_simple_provider(), except that, when 876 * running on Window 2000 or newer (or any other Windows version that 877 * includes the CryptoAPI), the provider encrypts the password before 878 * storing it to disk. On earlier versions of Windows, the provider 879 * does nothing. 880 * 881 * @since New in 1.4. 882 * @note This function is only available on Windows. 883 * 884 * @note An administrative password reset may invalidate the account's 885 * secret key. This function will detect that situation and behave as 886 * if the password were not cached at all. 887 * @deprecated Provided for backwards compatibility with the 1.8 API. Use 888 * svn_auth_get_platform_specific_provider with provider_name of "windows" 889 * and provider_type of "simple". 890 */ 891 SVN_DEPRECATED 892 void 893 svn_auth_get_windows_simple_provider(svn_auth_provider_object_t **provider, 894 apr_pool_t *pool); 895 896 /** 897 * Set @a *provider to an authentication provider of type @c 898 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 899 * user's ~/.subversion configuration directory. Allocate @a *provider in 900 * @a pool. 901 * 902 * This is like svn_auth_get_ssl_client_cert_pw_file_provider(), except that 903 * when running on Window 2000 or newer, the provider encrypts the password 904 * before storing it to disk. On earlier versions of Windows, the provider 905 * does nothing. 906 * 907 * @since New in 1.6 908 * @note This function is only available on Windows. 909 * 910 * @note An administrative password reset may invalidate the account's 911 * secret key. This function will detect that situation and behave as 912 * if the password were not cached at all. 913 * @deprecated Provided for backwards compatibility with the 1.8 API. 914 * Use svn_auth_get_platform_specific_provider with provider_name 915 * of "windows" and provider_type of "ssl_client_cert_pw". 916 */ 917 SVN_DEPRECATED 918 void 919 svn_auth_get_windows_ssl_client_cert_pw_provider( 920 svn_auth_provider_object_t **provider, 921 apr_pool_t *pool); 922 923 /** 924 * Set @a *provider to an authentication provider of type @c 925 * svn_auth_cred_ssl_server_trust_t, allocated in @a pool. 926 * 927 * This provider automatically validates ssl server certificates with 928 * the CryptoApi, like Internet Explorer and the Windows network API do. 929 * This allows the rollout of root certificates via Windows Domain 930 * policies, instead of Subversion specific configuration. 931 * 932 * @since New in 1.5. 933 * @note This function is only available on Windows. 934 * @deprecated Provided for backwards compatibility with the 1.8 API. 935 * Use svn_auth_get_platform_specific_provider with provider_name 936 * of "windows" and provider_type of "ssl_server_trust". 937 */ 938 SVN_DEPRECATED 939 void 940 svn_auth_get_windows_ssl_server_trust_provider( 941 svn_auth_provider_object_t **provider, 942 apr_pool_t *pool); 943 944 #endif /* WIN32 && !__MINGW32__ || DOXYGEN */ 945 946 #if defined(DARWIN) || defined(DOXYGEN) 947 /** 948 * Set @a *provider to an authentication provider of type @c 949 * svn_auth_cred_simple_t that gets/sets information from the user's 950 * ~/.subversion configuration directory. Allocate @a *provider in 951 * @a pool. 952 * 953 * This is like svn_auth_get_simple_provider(), except that the 954 * password is stored in the Mac OS KeyChain. 955 * 956 * @since New in 1.4 957 * @note This function is only available on Mac OS 10.2 and higher. 958 * @deprecated Provided for backwards compatibility with the 1.8 API. 959 * Use svn_auth_get_platform_specific_provider with provider_name 960 * of "keychain" and provider_type of "simple". 961 */ 962 SVN_DEPRECATED 963 void 964 svn_auth_get_keychain_simple_provider(svn_auth_provider_object_t **provider, 965 apr_pool_t *pool); 966 967 /** 968 * Set @a *provider to an authentication provider of type @c 969 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 970 * user's ~/.subversion configuration directory. Allocate @a *provider in 971 * @a pool. 972 * 973 * This is like svn_auth_get_ssl_client_cert_pw_file_provider(), except 974 * that the password is stored in the Mac OS KeyChain. 975 * 976 * @since New in 1.6 977 * @note This function is only available on Mac OS 10.2 and higher. 978 * @deprecated Provided for backwards compatibility with the 1.8 API. 979 * Use svn_auth_get_platform_specific_provider with provider_name 980 * of "keychain" and provider_type of "ssl_client_cert_pw". 981 */ 982 SVN_DEPRECATED 983 void 984 svn_auth_get_keychain_ssl_client_cert_pw_provider( 985 svn_auth_provider_object_t **provider, 986 apr_pool_t *pool); 987 #endif /* DARWIN || DOXYGEN */ 988 989 /* Note that the gnome keyring unlock prompt related items below must be 990 * declared for all platforms in order to allow SWIG interfaces to be 991 * used regardless of the platform. */ 992 993 /** A type of callback function for obtaining the GNOME Keyring password. 994 * 995 * In this callback, the client should ask the user for default keyring 996 * @a keyring_name password. 997 * 998 * The answer is returned in @a *keyring_password. 999 * @a baton is an implementation-specific closure. 1000 * All allocations should be done in @a pool. 1001 * 1002 * @since New in 1.6 1003 */ 1004 typedef svn_error_t *(*svn_auth_gnome_keyring_unlock_prompt_func_t)( 1005 char **keyring_password, 1006 const char *keyring_name, 1007 void *baton, 1008 apr_pool_t *pool); 1009 1010 1011 /** libsvn_auth_gnome_keyring-specific run-time parameters. */ 1012 1013 /** @brief The pointer to function which prompts user for GNOME Keyring 1014 * password. 1015 * The type of this pointer should be svn_auth_gnome_keyring_unlock_prompt_func_t. 1016 * @deprecated Only used by old libgnome-keyring implementation. */ 1017 #define SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC "gnome-keyring-unlock-prompt-func" 1018 1019 /** @brief The baton which is passed to 1020 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC. 1021 * @deprecated Only used by old libgnome-keyring implementation. */ 1022 #define SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_BATON "gnome-keyring-unlock-prompt-baton" 1023 1024 #if (!defined(DARWIN) && !defined(WIN32)) || defined(DOXYGEN) 1025 /** 1026 * Get libsvn_auth_gnome_keyring version information. 1027 * 1028 * @since New in 1.6 1029 */ 1030 const svn_version_t * 1031 svn_auth_gnome_keyring_version(void); 1032 1033 1034 /** 1035 * Set @a *provider to an authentication provider of type @c 1036 * svn_auth_cred_simple_t that gets/sets information from the user's 1037 * ~/.subversion configuration directory. 1038 * 1039 * This is like svn_client_get_simple_provider(), except that the 1040 * password is stored in GNOME Keyring. 1041 * 1042 * If the GNOME Keyring is locked the old libgnome-keyring provider calls 1043 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC in order to unlock 1044 * the keyring. 1045 * 1046 * @c SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_BATON is passed to 1047 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC. 1048 * 1049 * Allocate @a *provider in @a pool. 1050 * 1051 * @since New in 1.6 1052 * @note This function actually works only on systems with 1053 * libsvn_auth_gnome_keyring and GNOME Keyring installed. 1054 * @deprecated Provided for backwards compatibility with the 1.8 API. 1055 * Use svn_auth_get_platform_specific_provider with provider_name 1056 * of "gnome_keyring" and provider_type of "simple". 1057 */ 1058 SVN_DEPRECATED 1059 void 1060 svn_auth_get_gnome_keyring_simple_provider( 1061 svn_auth_provider_object_t **provider, 1062 apr_pool_t *pool); 1063 1064 1065 /** 1066 * Set @a *provider to an authentication provider of type @c 1067 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 1068 * user's ~/.subversion configuration directory. 1069 * 1070 * This is like svn_client_get_ssl_client_cert_pw_file_provider(), except 1071 * that the password is stored in GNOME Keyring. 1072 * 1073 * If the GNOME Keyring is locked the provider calls 1074 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC in order to unlock 1075 * the keyring. 1076 * 1077 * @c SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_BATON is passed to 1078 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC. 1079 * 1080 * Allocate @a *provider in @a pool. 1081 * 1082 * @since New in 1.6 1083 * @note This function actually works only on systems with 1084 * libsvn_auth_gnome_keyring and GNOME Keyring installed. 1085 * @deprecated Provided for backwards compatibility with the 1.8 API. 1086 * Use svn_auth_get_platform_specific_provider with provider_name 1087 * of "gnome_keyring" and provider_type of "ssl_client_cert_pw". 1088 */ 1089 SVN_DEPRECATED 1090 void 1091 svn_auth_get_gnome_keyring_ssl_client_cert_pw_provider( 1092 svn_auth_provider_object_t **provider, 1093 apr_pool_t *pool); 1094 1095 1096 /** 1097 * Get libsvn_auth_kwallet version information. 1098 * 1099 * @since New in 1.6 1100 */ 1101 const svn_version_t * 1102 svn_auth_kwallet_version(void); 1103 1104 1105 /** 1106 * Set @a *provider to an authentication provider of type @c 1107 * svn_auth_cred_simple_t that gets/sets information from the user's 1108 * ~/.subversion configuration directory. Allocate @a *provider in 1109 * @a pool. 1110 * 1111 * This is like svn_client_get_simple_provider(), except that the 1112 * password is stored in KWallet. 1113 * 1114 * @since New in 1.6 1115 * @note This function actually works only on systems with libsvn_auth_kwallet 1116 * and KWallet installed. 1117 * @deprecated Provided for backwards compatibility with the 1.8 API. 1118 * Use svn_auth_get_platform_specific_provider with provider_name 1119 * of "kwallet" and provider_type of "simple". 1120 */ 1121 SVN_DEPRECATED 1122 void 1123 svn_auth_get_kwallet_simple_provider(svn_auth_provider_object_t **provider, 1124 apr_pool_t *pool); 1125 1126 1127 /** 1128 * Set @a *provider to an authentication provider of type @c 1129 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 1130 * user's ~/.subversion configuration directory. Allocate @a *provider in 1131 * @a pool. 1132 * 1133 * This is like svn_client_get_ssl_client_cert_pw_file_provider(), except 1134 * that the password is stored in KWallet. 1135 * 1136 * @since New in 1.6 1137 * @note This function actually works only on systems with libsvn_auth_kwallet 1138 * and KWallet installed. 1139 * @deprecated Provided for backwards compatibility with the 1.8 API. 1140 * Use svn_auth_get_platform_specific_provider with provider_name 1141 * of "kwallet" and provider_type of "ssl_client_cert_pw". 1142 */ 1143 SVN_DEPRECATED 1144 void 1145 svn_auth_get_kwallet_ssl_client_cert_pw_provider( 1146 svn_auth_provider_object_t **provider, 1147 apr_pool_t *pool); 1148 #endif /* (!DARWIN && !WIN32) || DOXYGEN */ 1149 1150 #if !defined(WIN32) || defined(DOXYGEN) 1151 /** 1152 * Set @a *provider to an authentication provider of type @c 1153 * svn_auth_cred_simple_t that gets/sets information from the user's 1154 * ~/.subversion configuration directory. 1155 * 1156 * This is like svn_client_get_simple_provider(), except that the 1157 * password is obtained from gpg_agent, which will keep it in 1158 * a memory cache. 1159 * 1160 * Allocate @a *provider in @a pool. 1161 * 1162 * @since New in 1.8 1163 * @note This function actually works only on systems with 1164 * GNU Privacy Guard installed. 1165 * @deprecated Provided for backwards compatibility with the 1.8 API. 1166 * Use svn_auth_get_platform_specific_provider with provider_name 1167 * of "gpg_agent" and provider_type of "simple". 1168 */ 1169 SVN_DEPRECATED 1170 void 1171 svn_auth_get_gpg_agent_simple_provider 1172 (svn_auth_provider_object_t **provider, 1173 apr_pool_t *pool); 1174 #endif /* !defined(WIN32) || defined(DOXYGEN) */ 1175 1176 1177 /** Set @a *provider to an authentication provider of type @c 1178 * svn_auth_cred_username_t that gets/sets information from a user's 1179 * ~/.subversion configuration directory. Allocate @a *provider in 1180 * @a pool. 1181 * 1182 * If a default username is available, @a *provider will honor it, 1183 * and return it when svn_auth_first_credentials() is called. (See 1184 * @c SVN_AUTH_PARAM_DEFAULT_USERNAME.) 1185 * 1186 * @since New in 1.4. 1187 */ 1188 void 1189 svn_auth_get_username_provider(svn_auth_provider_object_t **provider, 1190 apr_pool_t *pool); 1191 1192 1193 /** Set @a *provider to an authentication provider of type @c 1194 * svn_auth_cred_ssl_server_trust_t, allocated in @a pool. 1195 * 1196 * @a *provider retrieves its credentials from the configuration 1197 * mechanism. The returned credential is used to override SSL 1198 * security on an error. 1199 * 1200 * @since New in 1.4. 1201 */ 1202 void 1203 svn_auth_get_ssl_server_trust_file_provider( 1204 svn_auth_provider_object_t **provider, 1205 apr_pool_t *pool); 1206 1207 /** Set @a *provider to an authentication provider of type @c 1208 * svn_auth_cred_ssl_client_cert_t, allocated in @a pool. 1209 * 1210 * @a *provider retrieves its credentials from the configuration 1211 * mechanism. The returned credential is used to load the appropriate 1212 * client certificate for authentication when requested by a server. 1213 * 1214 * @since New in 1.4. 1215 */ 1216 void 1217 svn_auth_get_ssl_client_cert_file_provider( 1218 svn_auth_provider_object_t **provider, 1219 apr_pool_t *pool); 1220 1221 1222 /** Set @a *provider to an authentication provider of type @c 1223 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the user's 1224 * ~/.subversion configuration directory. 1225 * 1226 * If the provider is going to save the passphrase unencrypted, 1227 * it calls @a plaintext_passphrase_prompt_func, passing @a 1228 * prompt_baton, before saving the passphrase. 1229 * 1230 * If @a plaintext_passphrase_prompt_func is NULL it is not called 1231 * and the passphrase is not stored in plaintext. 1232 * Client developers are highly encouraged to provide this callback 1233 * to ensure their users are made aware of the fact that their passphrase 1234 * is going to be stored unencrypted. 1235 * 1236 * Clients can however set the callback to NULL and set 1237 * SVN_AUTH_PARAM_STORE_SSL_CLIENT_CERT_PP_PLAINTEXT to SVN_CONFIG_FALSE or 1238 * SVN_CONFIG_TRUE to enforce a certain behaviour. 1239 * 1240 * Allocate @a *provider in @a pool. 1241 * 1242 * @since New in 1.6. 1243 */ 1244 void 1245 svn_auth_get_ssl_client_cert_pw_file_provider2( 1246 svn_auth_provider_object_t **provider, 1247 svn_auth_plaintext_passphrase_prompt_func_t plaintext_passphrase_prompt_func, 1248 void *prompt_baton, 1249 apr_pool_t *pool); 1250 1251 /** Like svn_auth_get_ssl_client_cert_pw_file_provider2, but without 1252 * the ability to call the svn_auth_plaintext_passphrase_prompt_func_t 1253 * callback, and the provider always assumes that it is not allowed 1254 * to store the passphrase in plaintext. 1255 * 1256 * @deprecated Provided for backwards compatibility with the 1.5 API. 1257 * @since New in 1.4. 1258 */ 1259 SVN_DEPRECATED 1260 void 1261 svn_auth_get_ssl_client_cert_pw_file_provider( 1262 svn_auth_provider_object_t **provider, 1263 apr_pool_t *pool); 1264 1265 1266 /** Set @a *provider to an authentication provider of type @c 1267 * svn_auth_cred_ssl_server_trust_t, allocated in @a pool. 1268 * 1269 * @a *provider retrieves its credentials by using the @a prompt_func 1270 * and @a prompt_baton. The returned credential is used to override 1271 * SSL security on an error. 1272 * 1273 * @since New in 1.4. 1274 */ 1275 void 1276 svn_auth_get_ssl_server_trust_prompt_provider( 1277 svn_auth_provider_object_t **provider, 1278 svn_auth_ssl_server_trust_prompt_func_t prompt_func, 1279 void *prompt_baton, 1280 apr_pool_t *pool); 1281 1282 1283 /** Set @a *provider to an authentication provider of type @c 1284 * svn_auth_cred_ssl_client_cert_t, allocated in @a pool. 1285 * 1286 * @a *provider retrieves its credentials by using the @a prompt_func 1287 * and @a prompt_baton. The returned credential is used to load the 1288 * appropriate client certificate for authentication when requested by 1289 * a server. The prompt will be retried @a retry_limit times. For 1290 * infinite retries, set @a retry_limit to value less than 0. 1291 * 1292 * @since New in 1.4. 1293 */ 1294 void 1295 svn_auth_get_ssl_client_cert_prompt_provider( 1296 svn_auth_provider_object_t **provider, 1297 svn_auth_ssl_client_cert_prompt_func_t prompt_func, 1298 void *prompt_baton, 1299 int retry_limit, 1300 apr_pool_t *pool); 1301 1302 1303 /** Set @a *provider to an authentication provider of type @c 1304 * svn_auth_cred_ssl_client_cert_pw_t, allocated in @a pool. 1305 * 1306 * @a *provider retrieves its credentials by using the @a prompt_func 1307 * and @a prompt_baton. The returned credential is used when a loaded 1308 * client certificate is protected by a passphrase. The prompt will 1309 * be retried @a retry_limit times. For infinite retries, set 1310 * @a retry_limit to value less than 0. 1311 * 1312 * @since New in 1.4. 1313 */ 1314 void 1315 svn_auth_get_ssl_client_cert_pw_prompt_provider( 1316 svn_auth_provider_object_t **provider, 1317 svn_auth_ssl_client_cert_pw_prompt_func_t prompt_func, 1318 void *prompt_baton, 1319 int retry_limit, 1320 apr_pool_t *pool); 1321 1322 1323 #ifdef __cplusplus 1324 } 1325 #endif /* __cplusplus */ 1326 1327 #endif /* SVN_AUTH_H */ 1328