svn_auth.h revision 299742
1/** 2 * @copyright 3 * ==================================================================== 4 * Licensed to the Apache Software Foundation (ASF) under one 5 * or more contributor license agreements. See the NOTICE file 6 * distributed with this work for additional information 7 * regarding copyright ownership. The ASF licenses this file 8 * to you under the Apache License, Version 2.0 (the 9 * "License"); you may not use this file except in compliance 10 * with the License. You may obtain a copy of the License at 11 * 12 * http://www.apache.org/licenses/LICENSE-2.0 13 * 14 * Unless required by applicable law or agreed to in writing, 15 * software distributed under the License is distributed on an 16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 17 * KIND, either express or implied. See the License for the 18 * specific language governing permissions and limitations 19 * under the License. 20 * ==================================================================== 21 * @endcopyright 22 * 23 * @file svn_auth.h 24 * @brief Subversion's authentication system 25 */ 26 27#ifndef SVN_AUTH_H 28#define SVN_AUTH_H 29 30#include <apr.h> 31#include <apr_pools.h> 32#include <apr_hash.h> 33#include <apr_tables.h> 34 35#include "svn_types.h" 36#include "svn_config.h" 37 38#ifdef __cplusplus 39extern "C" { 40#endif /* __cplusplus */ 41 42/** Overview of the svn authentication system. 43 * 44 * We define an authentication "provider" as a module that is able to 45 * return a specific set of credentials. (e.g. username/password, 46 * certificate, etc.) Each provider implements a vtable that 47 * 48 * - can fetch initial credentials 49 * - can retry the fetch (or try to fetch something different) 50 * - can store the credentials for future use 51 * 52 * For any given type of credentials, there can exist any number of 53 * separate providers -- each provider has a different method of 54 * fetching. (i.e. from a disk store, by prompting the user, etc.) 55 * 56 * The application begins by creating an auth baton object, and 57 * "registers" some number of providers with the auth baton, in a 58 * specific order. (For example, it may first register a 59 * username/password provider that looks in disk store, then register 60 * a username/password provider that prompts the user.) 61 * 62 * Later on, when any svn library is challenged, it asks the auth 63 * baton for the specific credentials. If the initial credentials 64 * fail to authenticate, the caller keeps requesting new credentials. 65 * Under the hood, libsvn_auth effectively "walks" over each provider 66 * (in order of registry), one at a time, until all the providers have 67 * exhausted all their retry options. 68 * 69 * This system allows an application to flexibly define authentication 70 * behaviors (by changing registration order), and very easily write 71 * new authentication providers. 72 * 73 * An auth_baton also contains an internal hashtable of run-time 74 * parameters; any provider or library layer can set these run-time 75 * parameters at any time, so that the provider has access to the 76 * data. (For example, certain run-time data may not be available 77 * until an authentication challenge is made.) Each credential type 78 * must document the run-time parameters that are made available to 79 * its providers. 80 * 81 * @defgroup auth_fns Authentication functions 82 * @{ 83 */ 84 85 86/** The type of a Subversion authentication object */ 87typedef struct svn_auth_baton_t svn_auth_baton_t; 88 89/** The type of a Subversion authentication-iteration object */ 90typedef struct svn_auth_iterstate_t svn_auth_iterstate_t; 91 92 93/** The main authentication "provider" vtable. */ 94typedef struct svn_auth_provider_t 95{ 96 /** The kind of credentials this provider knows how to retrieve. */ 97 const char *cred_kind; 98 99 /** Get an initial set of credentials. 100 * 101 * Set @a *credentials to a set of valid credentials within @a 102 * realmstring, or NULL if no credentials are available. Set @a 103 * *iter_baton to context that allows a subsequent call to @c 104 * next_credentials, in case the first credentials fail to 105 * authenticate. @a provider_baton is general context for the 106 * vtable, @a parameters contains any run-time data that the 107 * provider may need, and @a realmstring comes from the 108 * svn_auth_first_credentials() call. 109 */ 110 svn_error_t * (*first_credentials)(void **credentials, 111 void **iter_baton, 112 void *provider_baton, 113 apr_hash_t *parameters, 114 const char *realmstring, 115 apr_pool_t *pool); 116 117 /** Get a different set of credentials. 118 * 119 * Set @a *credentials to another set of valid credentials (using @a 120 * iter_baton as the context from previous call to first_credentials 121 * or next_credentials). If no more credentials are available, set 122 * @a *credentials to NULL. If the provider only has one set of 123 * credentials, this function pointer should simply be NULL. @a 124 * provider_baton is general context for the vtable, @a parameters 125 * contains any run-time data that the provider may need, and @a 126 * realmstring comes from the svn_auth_first_credentials() call. 127 */ 128 svn_error_t * (*next_credentials)(void **credentials, 129 void *iter_baton, 130 void *provider_baton, 131 apr_hash_t *parameters, 132 const char *realmstring, 133 apr_pool_t *pool); 134 135 /** Save credentials. 136 * 137 * Store @a credentials for future use. @a provider_baton is 138 * general context for the vtable, and @a parameters contains any 139 * run-time data the provider may need. Set @a *saved to TRUE if 140 * the save happened, or FALSE if not. The provider is not required 141 * to save; if it refuses or is unable to save for non-fatal 142 * reasons, return FALSE. If the provider never saves data, then 143 * this function pointer should simply be NULL. @a realmstring comes 144 * from the svn_auth_first_credentials() call. 145 */ 146 svn_error_t * (*save_credentials)(svn_boolean_t *saved, 147 void *credentials, 148 void *provider_baton, 149 apr_hash_t *parameters, 150 const char *realmstring, 151 apr_pool_t *pool); 152 153} svn_auth_provider_t; 154 155 156/** A provider object, ready to be put into an array and given to 157 svn_auth_open(). */ 158typedef struct svn_auth_provider_object_t 159{ 160 const svn_auth_provider_t *vtable; 161 void *provider_baton; 162 163} svn_auth_provider_object_t; 164 165/** The type of function returning authentication provider. */ 166typedef void (*svn_auth_simple_provider_func_t)( 167 svn_auth_provider_object_t **provider, 168 apr_pool_t *pool); 169 170 171/** Specific types of credentials **/ 172 173/** Simple username/password pair credential kind. 174 * 175 * The following auth parameters are available to the providers: 176 * 177 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_CONFIG (@c svn_config_t*) 178 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 179 * 180 * The following auth parameters may be available to the providers: 181 * 182 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 183 * - @c SVN_AUTH_PARAM_DEFAULT_USERNAME (@c char*) 184 * - @c SVN_AUTH_PARAM_DEFAULT_PASSWORD (@c char*) 185 */ 186#define SVN_AUTH_CRED_SIMPLE "svn.simple" 187 188/** @c SVN_AUTH_CRED_SIMPLE credentials. */ 189typedef struct svn_auth_cred_simple_t 190{ 191 /** Username */ 192 const char *username; 193 /** Password */ 194 const char *password; 195 /** Indicates if the credentials may be saved (to disk). For example, a 196 * GUI prompt implementation with a remember password checkbox shall set 197 * @a may_save to TRUE if the checkbox is checked. 198 */ 199 svn_boolean_t may_save; 200} svn_auth_cred_simple_t; 201 202 203/** Username credential kind. 204 * 205 * The following optional auth parameters are relevant to the providers: 206 * 207 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 208 * - @c SVN_AUTH_PARAM_DEFAULT_USERNAME (@c char*) 209 */ 210#define SVN_AUTH_CRED_USERNAME "svn.username" 211 212/** @c SVN_AUTH_CRED_USERNAME credentials. */ 213typedef struct svn_auth_cred_username_t 214{ 215 /** Username */ 216 const char *username; 217 /** Indicates if the credentials may be saved (to disk). For example, a 218 * GUI prompt implementation with a remember username checkbox shall set 219 * @a may_save to TRUE if the checkbox is checked. 220 */ 221 svn_boolean_t may_save; 222} svn_auth_cred_username_t; 223 224 225/** SSL client certificate credential type. 226 * 227 * The following auth parameters are available to the providers: 228 * 229 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 230 * - @c SVN_AUTH_PARAM_SERVER_GROUP (@c char*) 231 * 232 * The following optional auth parameters are relevant to the providers: 233 * 234 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 235 */ 236#define SVN_AUTH_CRED_SSL_CLIENT_CERT "svn.ssl.client-cert" 237 238/** @c SVN_AUTH_CRED_SSL_CLIENT_CERT credentials. */ 239typedef struct svn_auth_cred_ssl_client_cert_t 240{ 241 /** Absolute path to the certificate file */ 242 const char *cert_file; 243 /** Indicates if the credentials may be saved (to disk). For example, a 244 * GUI prompt implementation with a remember certificate checkbox shall 245 * set @a may_save to TRUE if the checkbox is checked. 246 */ 247 svn_boolean_t may_save; 248} svn_auth_cred_ssl_client_cert_t; 249 250 251/** A function returning an SSL client certificate passphrase provider. */ 252typedef void (*svn_auth_ssl_client_cert_pw_provider_func_t)( 253 svn_auth_provider_object_t **provider, 254 apr_pool_t *pool); 255 256/** SSL client certificate passphrase credential type. 257 * 258 * @note The realmstring used with this credential type must be a name that 259 * makes it possible for the user to identify the certificate. 260 * 261 * The following auth parameters are available to the providers: 262 * 263 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_CONFIG (@c svn_config_t*) 264 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 265 * - @c SVN_AUTH_PARAM_SERVER_GROUP (@c char*) 266 * 267 * The following optional auth parameters are relevant to the providers: 268 * 269 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 270 */ 271#define SVN_AUTH_CRED_SSL_CLIENT_CERT_PW "svn.ssl.client-passphrase" 272 273/** @c SVN_AUTH_CRED_SSL_CLIENT_CERT_PW credentials. */ 274typedef struct svn_auth_cred_ssl_client_cert_pw_t 275{ 276 /** Certificate password */ 277 const char *password; 278 /** Indicates if the credentials may be saved (to disk). For example, a 279 * GUI prompt implementation with a remember password checkbox shall set 280 * @a may_save to TRUE if the checkbox is checked. 281 */ 282 svn_boolean_t may_save; 283} svn_auth_cred_ssl_client_cert_pw_t; 284 285 286/** SSL server verification credential type. 287 * 288 * The following auth parameters are available to the providers: 289 * 290 * - @c SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS (@c svn_config_t*) 291 * - @c SVN_AUTH_PARAM_SERVER_GROUP (@c char*) 292 * - @c SVN_AUTH_PARAM_SSL_SERVER_FAILURES (@c apr_uint32_t*) 293 * - @c SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO 294 * (@c svn_auth_ssl_server_cert_info_t*) 295 * 296 * The following optional auth parameters are relevant to the providers: 297 * 298 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 299 */ 300#define SVN_AUTH_CRED_SSL_SERVER_TRUST "svn.ssl.server" 301 302/** SSL server certificate information used by @c 303 * SVN_AUTH_CRED_SSL_SERVER_TRUST providers. 304 */ 305typedef struct svn_auth_ssl_server_cert_info_t 306{ 307 /** Primary CN */ 308 const char *hostname; 309 /** ASCII fingerprint */ 310 const char *fingerprint; 311 /** ASCII date from which the certificate is valid */ 312 const char *valid_from; 313 /** ASCII date until which the certificate is valid */ 314 const char *valid_until; 315 /** DN of the certificate issuer */ 316 const char *issuer_dname; 317 /** Base-64 encoded DER certificate representation */ 318 const char *ascii_cert; 319} svn_auth_ssl_server_cert_info_t; 320 321/** 322 * Return a deep copy of @a info, allocated in @a pool. 323 * 324 * @since New in 1.3. 325 */ 326svn_auth_ssl_server_cert_info_t * 327svn_auth_ssl_server_cert_info_dup(const svn_auth_ssl_server_cert_info_t *info, 328 apr_pool_t *pool); 329 330/** @c SVN_AUTH_CRED_SSL_SERVER_TRUST credentials. */ 331typedef struct svn_auth_cred_ssl_server_trust_t 332{ 333 /** Indicates if the credentials may be saved (to disk). For example, a 334 * GUI prompt implementation with a checkbox to accept the certificate 335 * permanently shall set @a may_save to TRUE if the checkbox is checked. 336 */ 337 svn_boolean_t may_save; 338 /** Bit mask of the accepted failures */ 339 apr_uint32_t accepted_failures; 340} svn_auth_cred_ssl_server_trust_t; 341 342 343 344/** Credential-constructing prompt functions. **/ 345 346/** These exist so that different client applications can use 347 * different prompt mechanisms to supply the same credentials. For 348 * example, if authentication requires a username and password, a 349 * command-line client's prompting function might prompt first for the 350 * username and then for the password, whereas a GUI client's would 351 * present a single dialog box asking for both, and a telepathic 352 * client's would read all the information directly from the user's 353 * mind. All these prompting functions return the same type of 354 * credential, but the information used to construct the credential is 355 * gathered in an interface-specific way in each case. 356 */ 357 358/** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 359 * @a baton is an implementation-specific closure. 360 * 361 * If @a realm is non-NULL, maybe use it in the prompt string. 362 * 363 * If @a username is non-NULL, then the user might be prompted only 364 * for a password, but @a *cred would still be filled with both 365 * username and password. For example, a typical usage would be to 366 * pass @a username on the first call, but then leave it NULL for 367 * subsequent calls, on the theory that if credentials failed, it's 368 * as likely to be due to incorrect username as incorrect password. 369 * 370 * If @a may_save is FALSE, the auth system does not allow the credentials 371 * to be saved (to disk). A prompt function shall not ask the user if the 372 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 373 * client with a remember password checkbox would grey out the checkbox if 374 * @a may_save is FALSE. 375 */ 376typedef svn_error_t *(*svn_auth_simple_prompt_func_t)( 377 svn_auth_cred_simple_t **cred, 378 void *baton, 379 const char *realm, 380 const char *username, 381 svn_boolean_t may_save, 382 apr_pool_t *pool); 383 384 385/** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 386 * @a baton is an implementation-specific closure. 387 * 388 * If @a realm is non-NULL, maybe use it in the prompt string. 389 * 390 * If @a may_save is FALSE, the auth system does not allow the credentials 391 * to be saved (to disk). A prompt function shall not ask the user if the 392 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 393 * client with a remember username checkbox would grey out the checkbox if 394 * @a may_save is FALSE. 395 */ 396typedef svn_error_t *(*svn_auth_username_prompt_func_t)( 397 svn_auth_cred_username_t **cred, 398 void *baton, 399 const char *realm, 400 svn_boolean_t may_save, 401 apr_pool_t *pool); 402 403 404/** @name SSL server certificate failure bits 405 * 406 * @note These values are stored in the on disk auth cache by the SSL 407 * server certificate auth provider, so the meaning of these bits must 408 * not be changed. 409 * @{ 410 */ 411/** Certificate is not yet valid. */ 412#define SVN_AUTH_SSL_NOTYETVALID 0x00000001 413/** Certificate has expired. */ 414#define SVN_AUTH_SSL_EXPIRED 0x00000002 415/** Certificate's CN (hostname) does not match the remote hostname. */ 416#define SVN_AUTH_SSL_CNMISMATCH 0x00000004 417/** @brief Certificate authority is unknown (i.e. not trusted) */ 418#define SVN_AUTH_SSL_UNKNOWNCA 0x00000008 419/** @brief Other failure. This can happen if an unknown failure occurs 420 * that we do not handle yet. */ 421#define SVN_AUTH_SSL_OTHER 0x40000000 422/** @} */ 423 424/** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 425 * @a baton is an implementation-specific closure. 426 * 427 * @a cert_info is a structure describing the server cert that was 428 * presented to the client, and @a failures is a bitmask that 429 * describes exactly why the cert could not be automatically validated, 430 * composed from the constants SVN_AUTH_SSL_* (@c SVN_AUTH_SSL_NOTYETVALID 431 * etc.). @a realm is a string that can be used in the prompt string. 432 * 433 * If @a may_save is FALSE, the auth system does not allow the credentials 434 * to be saved (to disk). A prompt function shall not ask the user if the 435 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 436 * client with a trust permanently checkbox would grey out the checkbox if 437 * @a may_save is FALSE. 438 */ 439typedef svn_error_t *(*svn_auth_ssl_server_trust_prompt_func_t)( 440 svn_auth_cred_ssl_server_trust_t **cred, 441 void *baton, 442 const char *realm, 443 apr_uint32_t failures, 444 const svn_auth_ssl_server_cert_info_t *cert_info, 445 svn_boolean_t may_save, 446 apr_pool_t *pool); 447 448 449/** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 450 * @a baton is an implementation-specific closure. @a realm is a string 451 * that can be used in the prompt string. 452 * 453 * If @a may_save is FALSE, the auth system does not allow the credentials 454 * to be saved (to disk). A prompt function shall not ask the user if the 455 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 456 * client with a remember certificate checkbox would grey out the checkbox 457 * if @a may_save is FALSE. 458 */ 459typedef svn_error_t *(*svn_auth_ssl_client_cert_prompt_func_t)( 460 svn_auth_cred_ssl_client_cert_t **cred, 461 void *baton, 462 const char *realm, 463 svn_boolean_t may_save, 464 apr_pool_t *pool); 465 466 467/** Set @a *cred by prompting the user, allocating @a *cred in @a pool. 468 * @a baton is an implementation-specific closure. @a realm is a string 469 * identifying the certificate, and can be used in the prompt string. 470 * 471 * If @a may_save is FALSE, the auth system does not allow the credentials 472 * to be saved (to disk). A prompt function shall not ask the user if the 473 * credentials shall be saved if @a may_save is FALSE. For example, a GUI 474 * client with a remember password checkbox would grey out the checkbox if 475 * @a may_save is FALSE. 476 */ 477typedef svn_error_t *(*svn_auth_ssl_client_cert_pw_prompt_func_t)( 478 svn_auth_cred_ssl_client_cert_pw_t **cred, 479 void *baton, 480 const char *realm, 481 svn_boolean_t may_save, 482 apr_pool_t *pool); 483 484/** A type of callback function for asking whether storing a password to 485 * disk in plaintext is allowed. 486 * 487 * In this callback, the client should ask the user whether storing 488 * a password for the realm identified by @a realmstring to disk 489 * in plaintext is allowed. 490 * 491 * The answer is returned in @a *may_save_plaintext. 492 * @a baton is an implementation-specific closure. 493 * All allocations should be done in @a pool. 494 * 495 * @since New in 1.6 496 */ 497typedef svn_error_t *(*svn_auth_plaintext_prompt_func_t)( 498 svn_boolean_t *may_save_plaintext, 499 const char *realmstring, 500 void *baton, 501 apr_pool_t *pool); 502 503/** A type of callback function for asking whether storing a passphrase to 504 * disk in plaintext is allowed. 505 * 506 * In this callback, the client should ask the user whether storing 507 * a passphrase for the realm identified by @a realmstring to disk 508 * in plaintext is allowed. 509 * 510 * The answer is returned in @a *may_save_plaintext. 511 * @a baton is an implementation-specific closure. 512 * All allocations should be done in @a pool. 513 * 514 * @since New in 1.6 515 */ 516typedef svn_error_t *(*svn_auth_plaintext_passphrase_prompt_func_t)( 517 svn_boolean_t *may_save_plaintext, 518 const char *realmstring, 519 void *baton, 520 apr_pool_t *pool); 521 522 523/** Initialize an authentication system. 524 * 525 * Return an authentication object in @a *auth_baton (allocated in @a 526 * pool) that represents a particular instance of the svn 527 * authentication system. @a providers is an array of @c 528 * svn_auth_provider_object_t pointers, already allocated in @a pool 529 * and intentionally ordered. These pointers will be stored within @a 530 * *auth_baton, grouped by credential type, and searched in this exact 531 * order. 532 */ 533void 534svn_auth_open(svn_auth_baton_t **auth_baton, 535 const apr_array_header_t *providers, 536 apr_pool_t *pool); 537 538/** Set an authentication run-time parameter. 539 * 540 * Store @a name / @a value pair as a run-time parameter in @a 541 * auth_baton, making the data accessible to all providers. @a name 542 * and @a value will NOT be duplicated into the auth_baton's pool. 543 * To delete a run-time parameter, pass NULL for @a value. 544 */ 545void 546svn_auth_set_parameter(svn_auth_baton_t *auth_baton, 547 const char *name, 548 const void *value); 549 550/** Get an authentication run-time parameter. 551 * 552 * Return a value for run-time parameter @a name from @a auth_baton. 553 * Return NULL if the parameter doesn't exist. 554 */ 555const void * 556svn_auth_get_parameter(svn_auth_baton_t *auth_baton, 557 const char *name); 558 559/** Universal run-time parameters, made available to all providers. 560 561 If you are writing a new provider, then to be a "good citizen", 562 you should notice these global parameters! Note that these 563 run-time params should be treated as read-only by providers; the 564 application is responsible for placing them into the auth_baton 565 hash. */ 566 567/** The auth-hash prefix indicating that the parameter is global. */ 568#define SVN_AUTH_PARAM_PREFIX "svn:auth:" 569 570/** 571 * @name Default credentials defines 572 * Property values are const char *. 573 * @{ */ 574/** Default username provided by the application itself (e.g. --username) */ 575#define SVN_AUTH_PARAM_DEFAULT_USERNAME SVN_AUTH_PARAM_PREFIX "username" 576/** Default password provided by the application itself (e.g. --password) */ 577#define SVN_AUTH_PARAM_DEFAULT_PASSWORD SVN_AUTH_PARAM_PREFIX "password" 578/** @} */ 579 580/** @brief The application doesn't want any providers to prompt 581 * users. Property value is irrelevant; only property's existence 582 * matters. */ 583#define SVN_AUTH_PARAM_NON_INTERACTIVE SVN_AUTH_PARAM_PREFIX "non-interactive" 584 585/** @brief The application doesn't want any providers to save passwords 586 * to disk. Property value is irrelevant; only property's existence 587 * matters. */ 588#define SVN_AUTH_PARAM_DONT_STORE_PASSWORDS SVN_AUTH_PARAM_PREFIX \ 589 "dont-store-passwords" 590 591/** @brief Indicates whether providers may save passwords to disk in 592 * plaintext. Property value can be either SVN_CONFIG_TRUE, 593 * SVN_CONFIG_FALSE, or SVN_CONFIG_ASK. 594 * @since New in 1.6. 595 */ 596#define SVN_AUTH_PARAM_STORE_PLAINTEXT_PASSWORDS SVN_AUTH_PARAM_PREFIX \ 597 "store-plaintext-passwords" 598 599/** @brief The application doesn't want any providers to save passphrase 600 * to disk. Property value is irrelevant; only property's existence 601 * matters. 602 * @since New in 1.6. 603 */ 604#define SVN_AUTH_PARAM_DONT_STORE_SSL_CLIENT_CERT_PP \ 605 SVN_AUTH_PARAM_PREFIX "dont-store-ssl-client-cert-pp" 606 607/** @brief Indicates whether providers may save passphrase to disk in 608 * plaintext. Property value can be either SVN_CONFIG_TRUE, 609 * SVN_CONFIG_FALSE, or SVN_CONFIG_ASK. 610 * @since New in 1.6. 611 */ 612#define SVN_AUTH_PARAM_STORE_SSL_CLIENT_CERT_PP_PLAINTEXT \ 613 SVN_AUTH_PARAM_PREFIX "store-ssl-client-cert-pp-plaintext" 614 615/** @brief The application doesn't want any providers to save credentials 616 * to disk. Property value is irrelevant; only property's existence 617 * matters. */ 618#define SVN_AUTH_PARAM_NO_AUTH_CACHE SVN_AUTH_PARAM_PREFIX "no-auth-cache" 619 620/** @brief The following property is for SSL server cert providers. This 621 * provides a pointer to an @c apr_uint32_t containing the failures 622 * detected by the certificate validator. */ 623#define SVN_AUTH_PARAM_SSL_SERVER_FAILURES SVN_AUTH_PARAM_PREFIX \ 624 "ssl:failures" 625 626/** @brief The following property is for SSL server cert providers. This 627 * provides the cert info (svn_auth_ssl_server_cert_info_t). */ 628#define SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO SVN_AUTH_PARAM_PREFIX \ 629 "ssl:cert-info" 630 631/** This provides a pointer to a @c svn_config_t containting the config 632 * category. */ 633#define SVN_AUTH_PARAM_CONFIG_CATEGORY_CONFIG SVN_AUTH_PARAM_PREFIX \ 634 "config-category-config" 635 636/** This provides a pointer to a @c svn_config_t containting the servers 637 * category. */ 638#define SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS SVN_AUTH_PARAM_PREFIX \ 639 "config-category-servers" 640 641/** @deprecated Provided for backward compatibility with the 1.5 API. */ 642#define SVN_AUTH_PARAM_CONFIG SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS 643 644/** The current server group. */ 645#define SVN_AUTH_PARAM_SERVER_GROUP SVN_AUTH_PARAM_PREFIX "server-group" 646 647/** @brief A configuration directory that overrides the default 648 * ~/.subversion. */ 649#define SVN_AUTH_PARAM_CONFIG_DIR SVN_AUTH_PARAM_PREFIX "config-dir" 650 651/** Get an initial set of credentials. 652 * 653 * Ask @a auth_baton to set @a *credentials to a set of credentials 654 * defined by @a cred_kind and valid within @a realmstring, or NULL if 655 * no credentials are available. Otherwise, return an iteration state 656 * in @a *state, so that the caller can call 657 * svn_auth_next_credentials(), in case the first set of credentials 658 * fails to authenticate. 659 * 660 * Use @a pool to allocate @a *state, and for temporary allocation. 661 * Note that @a *credentials will be allocated in @a auth_baton's pool. 662 */ 663svn_error_t * 664svn_auth_first_credentials(void **credentials, 665 svn_auth_iterstate_t **state, 666 const char *cred_kind, 667 const char *realmstring, 668 svn_auth_baton_t *auth_baton, 669 apr_pool_t *pool); 670 671/** Get another set of credentials, assuming previous ones failed to 672 * authenticate. 673 * 674 * Use @a state to fetch a different set of @a *credentials, as a 675 * follow-up to svn_auth_first_credentials() or 676 * svn_auth_next_credentials(). If no more credentials are available, 677 * set @a *credentials to NULL. 678 * 679 * Note that @a *credentials will be allocated in @c auth_baton's pool. 680 */ 681svn_error_t * 682svn_auth_next_credentials(void **credentials, 683 svn_auth_iterstate_t *state, 684 apr_pool_t *pool); 685 686/** Save a set of credentials. 687 * 688 * Ask @a state to store the most recently returned credentials, 689 * presumably because they successfully authenticated. 690 * All allocations should be done in @a pool. 691 * 692 * If no credentials were ever returned, do nothing. 693 */ 694svn_error_t * 695svn_auth_save_credentials(svn_auth_iterstate_t *state, 696 apr_pool_t *pool); 697 698/** Forget a set (or all) memory-cached credentials. 699 * 700 * Remove references (if any) in @a auth_baton to credentials cached 701 * therein. If @a cred_kind and @a realmstring are non-NULL, forget 702 * only the credentials associated with those credential types and 703 * realm. Otherwise @a cred_kind and @a realmstring must both be 704 * NULL, and this function will forget all credentials cached within 705 * @a auth_baton. 706 * 707 * @note This function does not affect persisted authentication 708 * credential storage at all. It is merely a way to cause Subversion 709 * to forget about credentials already fetched from a provider, 710 * forcing them to be fetched again later should they be required. 711 * 712 * @since New in 1.8. 713 */ 714svn_error_t * 715svn_auth_forget_credentials(svn_auth_baton_t *auth_baton, 716 const char *cred_kind, 717 const char *realmstring, 718 apr_pool_t *pool); 719 720/** @} */ 721 722/** Set @a *provider to an authentication provider of type 723 * svn_auth_cred_simple_t that gets information by prompting the user 724 * with @a prompt_func and @a prompt_baton. Allocate @a *provider in 725 * @a pool. 726 * 727 * If both @c SVN_AUTH_PARAM_DEFAULT_USERNAME and 728 * @c SVN_AUTH_PARAM_DEFAULT_PASSWORD are defined as runtime 729 * parameters in the @c auth_baton, then @a *provider will return the 730 * default arguments when svn_auth_first_credentials() is called. If 731 * svn_auth_first_credentials() fails, then @a *provider will 732 * re-prompt @a retry_limit times (via svn_auth_next_credentials()). 733 * For infinite retries, set @a retry_limit to value less than 0. 734 * 735 * @since New in 1.4. 736 */ 737void 738svn_auth_get_simple_prompt_provider(svn_auth_provider_object_t **provider, 739 svn_auth_simple_prompt_func_t prompt_func, 740 void *prompt_baton, 741 int retry_limit, 742 apr_pool_t *pool); 743 744 745/** Set @a *provider to an authentication provider of type @c 746 * svn_auth_cred_username_t that gets information by prompting the 747 * user with @a prompt_func and @a prompt_baton. Allocate @a *provider 748 * in @a pool. 749 * 750 * If @c SVN_AUTH_PARAM_DEFAULT_USERNAME is defined as a runtime 751 * parameter in the @c auth_baton, then @a *provider will return the 752 * default argument when svn_auth_first_credentials() is called. If 753 * svn_auth_first_credentials() fails, then @a *provider will 754 * re-prompt @a retry_limit times (via svn_auth_next_credentials()). 755 * For infinite retries, set @a retry_limit to value less than 0. 756 * 757 * @since New in 1.4. 758 */ 759void 760svn_auth_get_username_prompt_provider( 761 svn_auth_provider_object_t **provider, 762 svn_auth_username_prompt_func_t prompt_func, 763 void *prompt_baton, 764 int retry_limit, 765 apr_pool_t *pool); 766 767 768/** Set @a *provider to an authentication provider of type @c 769 * svn_auth_cred_simple_t that gets/sets information from the user's 770 * ~/.subversion configuration directory. 771 * 772 * If the provider is going to save the password unencrypted, it calls @a 773 * plaintext_prompt_func, passing @a prompt_baton, before saving the 774 * password. 775 * 776 * If @a plaintext_prompt_func is NULL it is not called and the answer is 777 * assumed to be TRUE. This matches the deprecated behaviour of storing 778 * unencrypted passwords by default, and is only done this way for backward 779 * compatibility reasons. 780 * Client developers are highly encouraged to provide this callback 781 * to ensure their users are made aware of the fact that their password 782 * is going to be stored unencrypted. In the future, providers may 783 * default to not storing the password unencrypted if this callback is NULL. 784 * 785 * Clients can however set the callback to NULL and set 786 * SVN_AUTH_PARAM_STORE_PLAINTEXT_PASSWORDS to SVN_CONFIG_FALSE or 787 * SVN_CONFIG_TRUE to enforce a certain behaviour. 788 * 789 * Allocate @a *provider in @a pool. 790 * 791 * If a default username or password is available, @a *provider will 792 * honor them as well, and return them when 793 * svn_auth_first_credentials() is called. (see @c 794 * SVN_AUTH_PARAM_DEFAULT_USERNAME and @c 795 * SVN_AUTH_PARAM_DEFAULT_PASSWORD). 796 * 797 * @since New in 1.6. 798 */ 799void 800svn_auth_get_simple_provider2( 801 svn_auth_provider_object_t **provider, 802 svn_auth_plaintext_prompt_func_t plaintext_prompt_func, 803 void *prompt_baton, 804 apr_pool_t *pool); 805 806/** Like svn_auth_get_simple_provider2, but without the ability to 807 * call the svn_auth_plaintext_prompt_func_t callback, and the provider 808 * always assumes that it is allowed to store the password in plaintext. 809 * 810 * @deprecated Provided for backwards compatibility with the 1.5 API. 811 * @since New in 1.4. 812 */ 813SVN_DEPRECATED 814void 815svn_auth_get_simple_provider(svn_auth_provider_object_t **provider, 816 apr_pool_t *pool); 817 818/** Set @a *provider to an authentication provider of type @c 819 * svn_auth_provider_object_t, or return @c NULL if the provider is not 820 * available for the requested platform or the requested provider is unknown. 821 * 822 * Valid @a provider_name values are: "gnome_keyring", "keychain", "kwallet", 823 * "gpg_agent", and "windows". 824 * 825 * Valid @a provider_type values are: "simple", "ssl_client_cert_pw" and 826 * "ssl_server_trust". 827 * 828 * Allocate @a *provider in @a pool. 829 * 830 * What actually happens is we invoke the appropriate provider function to 831 * supply the @a provider, like so: 832 * 833 * svn_auth_get_<name>_<type>_provider(@a provider, @a pool); 834 * 835 * @since New in 1.6. 836 */ 837svn_error_t * 838svn_auth_get_platform_specific_provider( 839 svn_auth_provider_object_t **provider, 840 const char *provider_name, 841 const char *provider_type, 842 apr_pool_t *pool); 843 844/** Set @a *providers to an array of <tt>svn_auth_provider_object_t *</tt> 845 * objects. 846 * Only client authentication providers available for the current platform are 847 * returned. Order of the platform-specific authentication providers is 848 * determined by the 'password-stores' configuration option which is retrieved 849 * from @a config. @a config can be NULL. 850 * 851 * Create and allocate @a *providers in @a pool. 852 * 853 * Default order of the platform-specific authentication providers: 854 * 1. gnome-keyring 855 * 2. kwallet 856 * 3. keychain 857 * 4. gpg-agent 858 * 5. windows-cryptoapi 859 * 860 * @since New in 1.6. 861 */ 862svn_error_t * 863svn_auth_get_platform_specific_client_providers( 864 apr_array_header_t **providers, 865 svn_config_t *config, 866 apr_pool_t *pool); 867 868#if (defined(WIN32) && !defined(__MINGW32__)) || defined(DOXYGEN) 869/** 870 * Set @a *provider to an authentication provider of type @c 871 * svn_auth_cred_simple_t that gets/sets information from the user's 872 * ~/.subversion configuration directory. Allocate @a *provider in 873 * @a pool. 874 * 875 * This is like svn_auth_get_simple_provider(), except that, when 876 * running on Window 2000 or newer (or any other Windows version that 877 * includes the CryptoAPI), the provider encrypts the password before 878 * storing it to disk. On earlier versions of Windows, the provider 879 * does nothing. 880 * 881 * @since New in 1.4. 882 * @note This function is only available on Windows. 883 * 884 * @note An administrative password reset may invalidate the account's 885 * secret key. This function will detect that situation and behave as 886 * if the password were not cached at all. 887 * @deprecated Provided for backwards compatibility with the 1.8 API. Use 888 * svn_auth_get_platform_specific_provider with provider_name of "windows" 889 * and provider_type of "simple". 890 */ 891SVN_DEPRECATED 892void 893svn_auth_get_windows_simple_provider(svn_auth_provider_object_t **provider, 894 apr_pool_t *pool); 895 896/** 897 * Set @a *provider to an authentication provider of type @c 898 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 899 * user's ~/.subversion configuration directory. Allocate @a *provider in 900 * @a pool. 901 * 902 * This is like svn_auth_get_ssl_client_cert_pw_file_provider(), except that 903 * when running on Window 2000 or newer, the provider encrypts the password 904 * before storing it to disk. On earlier versions of Windows, the provider 905 * does nothing. 906 * 907 * @since New in 1.6 908 * @note This function is only available on Windows. 909 * 910 * @note An administrative password reset may invalidate the account's 911 * secret key. This function will detect that situation and behave as 912 * if the password were not cached at all. 913 * @deprecated Provided for backwards compatibility with the 1.8 API. 914 * Use svn_auth_get_platform_specific_provider with provider_name 915 * of "windows" and provider_type of "ssl_client_cert_pw". 916 */ 917SVN_DEPRECATED 918void 919svn_auth_get_windows_ssl_client_cert_pw_provider( 920 svn_auth_provider_object_t **provider, 921 apr_pool_t *pool); 922 923/** 924 * Set @a *provider to an authentication provider of type @c 925 * svn_auth_cred_ssl_server_trust_t, allocated in @a pool. 926 * 927 * This provider automatically validates ssl server certificates with 928 * the CryptoApi, like Internet Explorer and the Windows network API do. 929 * This allows the rollout of root certificates via Windows Domain 930 * policies, instead of Subversion specific configuration. 931 * 932 * @since New in 1.5. 933 * @note This function is only available on Windows. 934 * @deprecated Provided for backwards compatibility with the 1.8 API. 935 * Use svn_auth_get_platform_specific_provider with provider_name 936 * of "windows" and provider_type of "ssl_server_trust". 937 */ 938SVN_DEPRECATED 939void 940svn_auth_get_windows_ssl_server_trust_provider( 941 svn_auth_provider_object_t **provider, 942 apr_pool_t *pool); 943 944#endif /* WIN32 && !__MINGW32__ || DOXYGEN */ 945 946#if defined(DARWIN) || defined(DOXYGEN) 947/** 948 * Set @a *provider to an authentication provider of type @c 949 * svn_auth_cred_simple_t that gets/sets information from the user's 950 * ~/.subversion configuration directory. Allocate @a *provider in 951 * @a pool. 952 * 953 * This is like svn_auth_get_simple_provider(), except that the 954 * password is stored in the Mac OS KeyChain. 955 * 956 * @since New in 1.4 957 * @note This function is only available on Mac OS 10.2 and higher. 958 * @deprecated Provided for backwards compatibility with the 1.8 API. 959 * Use svn_auth_get_platform_specific_provider with provider_name 960 * of "keychain" and provider_type of "simple". 961 */ 962SVN_DEPRECATED 963void 964svn_auth_get_keychain_simple_provider(svn_auth_provider_object_t **provider, 965 apr_pool_t *pool); 966 967/** 968 * Set @a *provider to an authentication provider of type @c 969 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 970 * user's ~/.subversion configuration directory. Allocate @a *provider in 971 * @a pool. 972 * 973 * This is like svn_auth_get_ssl_client_cert_pw_file_provider(), except 974 * that the password is stored in the Mac OS KeyChain. 975 * 976 * @since New in 1.6 977 * @note This function is only available on Mac OS 10.2 and higher. 978 * @deprecated Provided for backwards compatibility with the 1.8 API. 979 * Use svn_auth_get_platform_specific_provider with provider_name 980 * of "keychain" and provider_type of "ssl_client_cert_pw". 981 */ 982SVN_DEPRECATED 983void 984svn_auth_get_keychain_ssl_client_cert_pw_provider( 985 svn_auth_provider_object_t **provider, 986 apr_pool_t *pool); 987#endif /* DARWIN || DOXYGEN */ 988 989/* Note that the gnome keyring unlock prompt related items below must be 990 * declared for all platforms in order to allow SWIG interfaces to be 991 * used regardless of the platform. */ 992 993/** A type of callback function for obtaining the GNOME Keyring password. 994 * 995 * In this callback, the client should ask the user for default keyring 996 * @a keyring_name password. 997 * 998 * The answer is returned in @a *keyring_password. 999 * @a baton is an implementation-specific closure. 1000 * All allocations should be done in @a pool. 1001 * 1002 * @since New in 1.6 1003 */ 1004typedef svn_error_t *(*svn_auth_gnome_keyring_unlock_prompt_func_t)( 1005 char **keyring_password, 1006 const char *keyring_name, 1007 void *baton, 1008 apr_pool_t *pool); 1009 1010 1011/** libsvn_auth_gnome_keyring-specific run-time parameters. */ 1012 1013/** @brief The pointer to function which prompts user for GNOME Keyring 1014 * password. 1015 * The type of this pointer should be svn_auth_gnome_keyring_unlock_prompt_func_t. */ 1016#define SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC "gnome-keyring-unlock-prompt-func" 1017 1018/** @brief The baton which is passed to 1019 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC. */ 1020#define SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_BATON "gnome-keyring-unlock-prompt-baton" 1021 1022#if (!defined(DARWIN) && !defined(WIN32)) || defined(DOXYGEN) 1023/** 1024 * Get libsvn_auth_gnome_keyring version information. 1025 * 1026 * @since New in 1.6 1027 */ 1028const svn_version_t * 1029svn_auth_gnome_keyring_version(void); 1030 1031 1032/** 1033 * Set @a *provider to an authentication provider of type @c 1034 * svn_auth_cred_simple_t that gets/sets information from the user's 1035 * ~/.subversion configuration directory. 1036 * 1037 * This is like svn_client_get_simple_provider(), except that the 1038 * password is stored in GNOME Keyring. 1039 * 1040 * If the GNOME Keyring is locked the provider calls 1041 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC in order to unlock 1042 * the keyring. 1043 * 1044 * @c SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_BATON is passed to 1045 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC. 1046 * 1047 * Allocate @a *provider in @a pool. 1048 * 1049 * @since New in 1.6 1050 * @note This function actually works only on systems with 1051 * libsvn_auth_gnome_keyring and GNOME Keyring installed. 1052 * @deprecated Provided for backwards compatibility with the 1.8 API. 1053 * Use svn_auth_get_platform_specific_provider with provider_name 1054 * of "gnome_keyring" and provider_type of "simple". 1055 */ 1056SVN_DEPRECATED 1057void 1058svn_auth_get_gnome_keyring_simple_provider( 1059 svn_auth_provider_object_t **provider, 1060 apr_pool_t *pool); 1061 1062 1063/** 1064 * Set @a *provider to an authentication provider of type @c 1065 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 1066 * user's ~/.subversion configuration directory. 1067 * 1068 * This is like svn_client_get_ssl_client_cert_pw_file_provider(), except 1069 * that the password is stored in GNOME Keyring. 1070 * 1071 * If the GNOME Keyring is locked the provider calls 1072 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC in order to unlock 1073 * the keyring. 1074 * 1075 * @c SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_BATON is passed to 1076 * @c *SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC. 1077 * 1078 * Allocate @a *provider in @a pool. 1079 * 1080 * @since New in 1.6 1081 * @note This function actually works only on systems with 1082 * libsvn_auth_gnome_keyring and GNOME Keyring installed. 1083 * @deprecated Provided for backwards compatibility with the 1.8 API. 1084 * Use svn_auth_get_platform_specific_provider with provider_name 1085 * of "gnome_keyring" and provider_type of "ssl_client_cert_pw". 1086 */ 1087SVN_DEPRECATED 1088void 1089svn_auth_get_gnome_keyring_ssl_client_cert_pw_provider( 1090 svn_auth_provider_object_t **provider, 1091 apr_pool_t *pool); 1092 1093 1094/** 1095 * Get libsvn_auth_kwallet version information. 1096 * 1097 * @since New in 1.6 1098 */ 1099const svn_version_t * 1100svn_auth_kwallet_version(void); 1101 1102 1103/** 1104 * Set @a *provider to an authentication provider of type @c 1105 * svn_auth_cred_simple_t that gets/sets information from the user's 1106 * ~/.subversion configuration directory. Allocate @a *provider in 1107 * @a pool. 1108 * 1109 * This is like svn_client_get_simple_provider(), except that the 1110 * password is stored in KWallet. 1111 * 1112 * @since New in 1.6 1113 * @note This function actually works only on systems with libsvn_auth_kwallet 1114 * and KWallet installed. 1115 * @deprecated Provided for backwards compatibility with the 1.8 API. 1116 * Use svn_auth_get_platform_specific_provider with provider_name 1117 * of "kwallet" and provider_type of "simple". 1118 */ 1119SVN_DEPRECATED 1120void 1121svn_auth_get_kwallet_simple_provider(svn_auth_provider_object_t **provider, 1122 apr_pool_t *pool); 1123 1124 1125/** 1126 * Set @a *provider to an authentication provider of type @c 1127 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the 1128 * user's ~/.subversion configuration directory. Allocate @a *provider in 1129 * @a pool. 1130 * 1131 * This is like svn_client_get_ssl_client_cert_pw_file_provider(), except 1132 * that the password is stored in KWallet. 1133 * 1134 * @since New in 1.6 1135 * @note This function actually works only on systems with libsvn_auth_kwallet 1136 * and KWallet installed. 1137 * @deprecated Provided for backwards compatibility with the 1.8 API. 1138 * Use svn_auth_get_platform_specific_provider with provider_name 1139 * of "kwallet" and provider_type of "ssl_client_cert_pw". 1140 */ 1141SVN_DEPRECATED 1142void 1143svn_auth_get_kwallet_ssl_client_cert_pw_provider( 1144 svn_auth_provider_object_t **provider, 1145 apr_pool_t *pool); 1146#endif /* (!DARWIN && !WIN32) || DOXYGEN */ 1147 1148#if !defined(WIN32) || defined(DOXYGEN) 1149/** 1150 * Set @a *provider to an authentication provider of type @c 1151 * svn_auth_cred_simple_t that gets/sets information from the user's 1152 * ~/.subversion configuration directory. 1153 * 1154 * This is like svn_client_get_simple_provider(), except that the 1155 * password is obtained from gpg_agent, which will keep it in 1156 * a memory cache. 1157 * 1158 * Allocate @a *provider in @a pool. 1159 * 1160 * @since New in 1.8 1161 * @note This function actually works only on systems with 1162 * GNU Privacy Guard installed. 1163 * @deprecated Provided for backwards compatibility with the 1.8 API. 1164 * Use svn_auth_get_platform_specific_provider with provider_name 1165 * of "gpg_agent" and provider_type of "simple". 1166 */ 1167SVN_DEPRECATED 1168void 1169svn_auth_get_gpg_agent_simple_provider 1170 (svn_auth_provider_object_t **provider, 1171 apr_pool_t *pool); 1172#endif /* !defined(WIN32) || defined(DOXYGEN) */ 1173 1174 1175/** Set @a *provider to an authentication provider of type @c 1176 * svn_auth_cred_username_t that gets/sets information from a user's 1177 * ~/.subversion configuration directory. Allocate @a *provider in 1178 * @a pool. 1179 * 1180 * If a default username is available, @a *provider will honor it, 1181 * and return it when svn_auth_first_credentials() is called. (See 1182 * @c SVN_AUTH_PARAM_DEFAULT_USERNAME.) 1183 * 1184 * @since New in 1.4. 1185 */ 1186void 1187svn_auth_get_username_provider(svn_auth_provider_object_t **provider, 1188 apr_pool_t *pool); 1189 1190 1191/** Set @a *provider to an authentication provider of type @c 1192 * svn_auth_cred_ssl_server_trust_t, allocated in @a pool. 1193 * 1194 * @a *provider retrieves its credentials from the configuration 1195 * mechanism. The returned credential is used to override SSL 1196 * security on an error. 1197 * 1198 * @since New in 1.4. 1199 */ 1200void 1201svn_auth_get_ssl_server_trust_file_provider( 1202 svn_auth_provider_object_t **provider, 1203 apr_pool_t *pool); 1204 1205/** Set @a *provider to an authentication provider of type @c 1206 * svn_auth_cred_ssl_client_cert_t, allocated in @a pool. 1207 * 1208 * @a *provider retrieves its credentials from the configuration 1209 * mechanism. The returned credential is used to load the appropriate 1210 * client certificate for authentication when requested by a server. 1211 * 1212 * @since New in 1.4. 1213 */ 1214void 1215svn_auth_get_ssl_client_cert_file_provider( 1216 svn_auth_provider_object_t **provider, 1217 apr_pool_t *pool); 1218 1219 1220/** Set @a *provider to an authentication provider of type @c 1221 * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the user's 1222 * ~/.subversion configuration directory. 1223 * 1224 * If the provider is going to save the passphrase unencrypted, 1225 * it calls @a plaintext_passphrase_prompt_func, passing @a 1226 * prompt_baton, before saving the passphrase. 1227 * 1228 * If @a plaintext_passphrase_prompt_func is NULL it is not called 1229 * and the passphrase is not stored in plaintext. 1230 * Client developers are highly encouraged to provide this callback 1231 * to ensure their users are made aware of the fact that their passphrase 1232 * is going to be stored unencrypted. 1233 * 1234 * Clients can however set the callback to NULL and set 1235 * SVN_AUTH_PARAM_STORE_SSL_CLIENT_CERT_PP_PLAINTEXT to SVN_CONFIG_FALSE or 1236 * SVN_CONFIG_TRUE to enforce a certain behaviour. 1237 * 1238 * Allocate @a *provider in @a pool. 1239 * 1240 * @since New in 1.6. 1241 */ 1242void 1243svn_auth_get_ssl_client_cert_pw_file_provider2( 1244 svn_auth_provider_object_t **provider, 1245 svn_auth_plaintext_passphrase_prompt_func_t plaintext_passphrase_prompt_func, 1246 void *prompt_baton, 1247 apr_pool_t *pool); 1248 1249/** Like svn_auth_get_ssl_client_cert_pw_file_provider2, but without 1250 * the ability to call the svn_auth_plaintext_passphrase_prompt_func_t 1251 * callback, and the provider always assumes that it is not allowed 1252 * to store the passphrase in plaintext. 1253 * 1254 * @deprecated Provided for backwards compatibility with the 1.5 API. 1255 * @since New in 1.4. 1256 */ 1257SVN_DEPRECATED 1258void 1259svn_auth_get_ssl_client_cert_pw_file_provider( 1260 svn_auth_provider_object_t **provider, 1261 apr_pool_t *pool); 1262 1263 1264/** Set @a *provider to an authentication provider of type @c 1265 * svn_auth_cred_ssl_server_trust_t, allocated in @a pool. 1266 * 1267 * @a *provider retrieves its credentials by using the @a prompt_func 1268 * and @a prompt_baton. The returned credential is used to override 1269 * SSL security on an error. 1270 * 1271 * @since New in 1.4. 1272 */ 1273void 1274svn_auth_get_ssl_server_trust_prompt_provider( 1275 svn_auth_provider_object_t **provider, 1276 svn_auth_ssl_server_trust_prompt_func_t prompt_func, 1277 void *prompt_baton, 1278 apr_pool_t *pool); 1279 1280 1281/** Set @a *provider to an authentication provider of type @c 1282 * svn_auth_cred_ssl_client_cert_t, allocated in @a pool. 1283 * 1284 * @a *provider retrieves its credentials by using the @a prompt_func 1285 * and @a prompt_baton. The returned credential is used to load the 1286 * appropriate client certificate for authentication when requested by 1287 * a server. The prompt will be retried @a retry_limit times. For 1288 * infinite retries, set @a retry_limit to value less than 0. 1289 * 1290 * @since New in 1.4. 1291 */ 1292void 1293svn_auth_get_ssl_client_cert_prompt_provider( 1294 svn_auth_provider_object_t **provider, 1295 svn_auth_ssl_client_cert_prompt_func_t prompt_func, 1296 void *prompt_baton, 1297 int retry_limit, 1298 apr_pool_t *pool); 1299 1300 1301/** Set @a *provider to an authentication provider of type @c 1302 * svn_auth_cred_ssl_client_cert_pw_t, allocated in @a pool. 1303 * 1304 * @a *provider retrieves its credentials by using the @a prompt_func 1305 * and @a prompt_baton. The returned credential is used when a loaded 1306 * client certificate is protected by a passphrase. The prompt will 1307 * be retried @a retry_limit times. For infinite retries, set 1308 * @a retry_limit to value less than 0. 1309 * 1310 * @since New in 1.4. 1311 */ 1312void 1313svn_auth_get_ssl_client_cert_pw_prompt_provider( 1314 svn_auth_provider_object_t **provider, 1315 svn_auth_ssl_client_cert_pw_prompt_func_t prompt_func, 1316 void *prompt_baton, 1317 int retry_limit, 1318 apr_pool_t *pool); 1319 1320 1321#ifdef __cplusplus 1322} 1323#endif /* __cplusplus */ 1324 1325#endif /* SVN_AUTH_H */ 1326