security.idl

支持组件模型CCM的开源中间件-mico

// MICOSec 
// based CORBASec 1.7

#if !defined(_SECURITY_IDL_)
#define _SECURITY_IDL_

#pragma prefix "omg.org"

#include <mico/service_info.idl>
#include <mico/timebase.idl>
#include <mico/policy.idl>
#include <mico/security/csi_base.idl>

module Security {
  typedef string SecurityName;
  typedef sequence <octet> Opaque;
	
  // Constant declarations for Security Service Options
    
  const CORBA::ServiceOption SecurityLevel1 = 1;
  const CORBA::ServiceOption SecurityLevel2 = 2;
  const CORBA::ServiceOption NonRepudiation = 3;
  const CORBA::ServiceOption SecurityORBServiceReady = 4;
  const CORBA::ServiceOption SecurityServiceReady = 5;
  const CORBA::ServiceOption ReplaceORBServices = 6;
  const CORBA::ServiceOption ReplaceSecurityServices = 7;
  const CORBA::ServiceOption StandardSecureInteroperability = 8;
  const CORBA::ServiceOption DCESecureInteroperability = 9;
  
  // Service options for Common Secure Interoperability
  
  const CORBA::ServiceOption CommonInteroperabilityLevel0 = 10;
  const CORBA::ServiceOption CommonInteroperabilityLevel1 = 11;
  const CORBA::ServiceOption CommonInteroperabilityLevel2 = 12;
  
  // Security mech types supported for secure association
  const CORBA::ServiceDetailType SecurityMechanismType = 1;
  
  // privillege types supported in standard access policy
  const CORBA::ServiceDetailType SecurityAttribute = 2;
  
  // extensible families for standard data types
  
  struct ExtensibleFamily {
    unsigned short                  family_definer;
    unsigned short                  family;
  };

  // security attributes
  
  typedef unsigned long   SecurityAttributeType;
  
  // identity attributes; family = 0
  
  const SecurityAttributeType       AuditId = 1;
  const SecurityAttributeType       AccountingId = 2;
  const SecurityAttributeType       NonRepudiationId = 3;
  
  // privilege attributes; family = 1
  
  const SecurityAttributeType       _Public = 1;
  const SecurityAttributeType       AccessId = 2;                   
  const SecurityAttributeType       PrimaryGroupId = 3;
  const SecurityAttributeType       GroupId = 4;
  const SecurityAttributeType       Role = 5;
  const SecurityAttributeType       AttributeSet = 6;
  const SecurityAttributeType       Clearance = 7;      
  const SecurityAttributeType       Capability = 8;

  // X.509 Certificate; family = 10

  const SecurityAttributeType X509Subject = 1;
  const SecurityAttributeType X509Issuer = 2;
  const SecurityAttributeType X509Cipher = 3;
  const SecurityAttributeType X509Subject_CN = 4;
  const SecurityAttributeType X509Subject_C = 5;
  const SecurityAttributeType X509Subject_L = 6;
  const SecurityAttributeType X509Subject_ST = 7;
  const SecurityAttributeType X509Subject_O = 8;
  const SecurityAttributeType X509Subject_OU = 9;
  const SecurityAttributeType X509Issuer_CN = 10;
  const SecurityAttributeType X509Issuer_C = 11;
  const SecurityAttributeType X509Issuer_L = 12;
  const SecurityAttributeType X509Issuer_ST = 13;
  const SecurityAttributeType X509Issuer_O = 14;
  const SecurityAttributeType X509Issuer_OU = 15;
  
  // MICO Property; family = 11
  const SecurityAttributeType AuthMethod = 1;
  const SecurityAttributeType PeerAddress = 2;

  struct AttributeType {
    ExtensibleFamily            attribute_family;
    SecurityAttributeType       attribute_type;
  };
  
  typedef sequence<AttributeType> AttributeTypeList;
  
  struct SecAttribute {
    AttributeType       attribute_type; 
    CSI::OID                 defining_authority; 
    Opaque              value;    
    // the value of this attribute; can be 
    // interpreted only with knowledge of type
  };

  typedef sequence<SecAttribute> AttributeList;
  
  // Authentication return status
  
  enum AuthenticationStatus {
    SecAuthSuccess,
    SecAuthFailure,
    SecAuthContinue,
    SecAuthExpired
  };
  
  // Association return status
  
  enum AssociationStatus {
    SecAssocSuccess,
    SecAssocFailure,
    SecAssocContinue
  };
  
  // Authentication method
  typedef unsigned long AuthenticationMethod;
  typedef sequence<AuthenticationMethod> AuthenticationMethodList;
  
  //AuthenticationMethods 
  //const AuthenticationMethod KeyCertCAPass = 1;	
  	
  // Credential types which can be set as Current default
    
  enum CredentialsType {
    SecOwnCredentials,
    SecReceivedCredentials,
    SecTargetCredentials
  };
  
  struct ChannelBindings {
    unsigned long    initiator_addrtype;
    sequence<octet>  initiator_address;
    unsigned long    acceptor_addrtype;
    sequence<octet>  acceptor_address;
    sequence<octet>  application_data;
  };
  
  // Declarations related to Rights
  
  //    enum RightsFamilies {
  //    	corba
  //    }
    
  // ###ras IDL adapted to CORBA 2.4.1
  // Thu Jul  5 03:12:16 CEST 2001
  struct Right {
    ExtensibleFamily        rights_family;
    string                  rights_list;		// gsmu for corba
  };
  
  typedef sequence <Right> RightsList;
  
  enum RightsCombinator {
    SecAllRights,
    SecAnyRight
  };
  
  // Delegation related
  
  enum DelegationState {
    SecInitiator,
    SecDelegate
  };
  
  /**
     * This is the Delegation Directive. This directive
     * is part of the policy of whether or not to 
     * enable delegation of credentials for a particular
     * invocation.
     */
  
  enum DelegationDirective { 
    Delegate, 
    NoDelegate 
  };
  
  // pick up from TimeBase
  typedef TimeBase::UtcT       UtcT;
  typedef TimeBase::IntervalT  IntervalT;
  typedef TimeBase::TimeT      TimeT;
  
  // Security features available on credentials.
    
  enum SecurityFeature {      
    SecNoDelegation,                    
    SecSimpleDelegation,
    SecCompositeDelegation,
    SecNoProtection,
    SecIntegrity,
    SecConfidentiality,     
    SecIntegrityAndConfidentiality,
    SecDetectReplay,        
    SecDetectMisordering,       
    SecEstablishTrustInTarget,
    SecEstablishTrustInClient
  };
  
  // Quality of protection which can be specified
  // for an object reference and used to protect messages
  
  enum QOP {
    SecQOPNoProtection,
    SecQOPIntegrity,
    SecQOPConfidentiality,
    SecQOPIntegrityAndConfidentiality
  };
  
  // Type of SecurityContext
  
  enum SecurityContextType {
    ClientSecurityContext,
    ServerSecurityContext
  };
  
    // Operational State of a Security Context
  
  /**
   * The state of a context may go through several state
   * changes before becoming usuable.
   *  
   * o SecContextInitialized 
   * This state indicates that it has been initialized
   * and the initialized token as been produced. This
   * state is only good for Client type.
   *  
   * o SecContextContinued
   * This state indicates that the security context has
   * needs more negotiation.
   *  
   * o SecContextClientEstablished
   * This state indicates that when on the Client side,
   * we are able to protect messages and send them to the 
   * server, however, we are still awaiting continue tokens
   * to fully establish the context, before we can reclaim
   * messages.
   *  
   * o SecContextEstablished
   * This state indicates that the security context is invalid,
   * i.e. or no longer valid, and should not be used.
   *  
   * o SecContextEstablishExpired
   * This state indicates that the security context expired
   * during the establish phase.
   *  
   * o SecContextExpired
   * This state indicates that the security context expired
   * i.e. or no longer valid, and should not be used.
   *  
   * o SecContextInvalid
   * This state indicates that the security context is invalid,
   * i.e. or no longer valid, and should not be used.
   */
   
  enum SecurityContextState {
    SecContextInitialized,
    SecContextContinued,
    SecContextClientEstablished,
    SecContextEstablished,
    SecContextEstablishExpired,
    SecContextExpired,
    SecContextInvalid
  };  
  
  // For use with SecurityReplaceable
  
  struct OpaqueBuffer {
    Opaque        buffer;
    unsigned long startpos;
    unsigned long endpos;
    // startpos <= endpos
    // OpaqueBuffer is said to be empty if startpos == endpos
  };
  
  // Association options which can be administered
  // on secure invocation policy and used to
  // Initialize security context
  
// kcg: in case somebody needs interoperability with broken VB
// he/she needs to uncommend following define.
//#define MICO_SSL_VB_COMPAT
#ifdef MICO_SSL_VB_COMPAT
  typedef unsigned long AssociationOptions;
#else
  typedef unsigned short AssociationOptions;
#endif

  const AssociationOptions NoProtection  = 1; 
  const AssociationOptions Integrity = 2; 
  const AssociationOptions Confidentiality  = 4; 
  const AssociationOptions DetectReplay = 8; 
  const AssociationOptions DetectMisordering = 16;
  const AssociationOptions EstablishTrustInTarget = 32; 
  const AssociationOptions EstablishTrustInClient = 64;
  const AssociationOptions NoDelegation = 128;
  const AssociationOptions SimpleDelegation = 256;
  const AssociationOptions CompositeDelegation = 512;
  
  // Flag to indicate whether association options being
  // administered are the "required" or "supported" set
  
  enum RequiresSupports {     
    SecRequires,
    SecSupports
  };
  
  // Direction of communication for which
    // secure invocation policy applies
  
  enum CommunicationDirection {   
    SecDirectionBoth,
    SecDirectionRequest,
    SecDirectionReply
  };
  
  // AssociationOptions-Direction pair
  
  struct OptionsDirectionPair {
    AssociationOptions              options;
    CommunicationDirection          direction;
  };
  
  typedef sequence<OptionsDirectionPair> OptionsDirectionPairList;
  
  // Delegation mode which can be administered
  
  enum DelegationMode {
    SecDelModeNoDelegation,         // i.e. use own credentials
    SecDelModeSimpleDelegation,     // delegate received credentials 
    SecDelModeCompositeDelegation   // delegate both; 
  };
  
  
  // security association mechanism type
  
  typedef string          MechanismType;
  
  typedef sequence<MechanismType> MechanismTypeList;
  
  struct SecurityMechanismData {
    MechanismType       mechanism;
    SecurityName        security_name;
    AssociationOptions  options_supported;
    AssociationOptions  options_required;
  };
  
  typedef sequence<SecurityMechanismData>
  SecurityMechanismDataList;
  
  // Association options supported by a given mech type
  
  struct MechandOptions {
    MechanismType           mechanism_type;
    AssociationOptions      options_supported;
  };
  
  typedef sequence<MechandOptions> MechandOptionsList;
    
  // Attribute of the SecurityLevel2::EstablishTrustPolicy
  
  struct EstablishTrust {
    boolean trust_in_client;
    boolean trust_in_target;
  };
  
  // Audit 
  
  typedef unsigned long               AuditChannelId;
  typedef unsigned short              _EventType;
    
  const _EventType    AuditAll = 0;
  const _EventType    AuditPrincipalAuth = 1;
  const _EventType    AuditSessionAuth = 2;
  const _EventType    AuditAuthorization = 3;
  const _EventType    AuditInvocation = 4;
  const _EventType    AuditSecEnvChange = 5;
  const _EventType    AuditPolicyChange = 6;
  const _EventType    AuditObjectCreation = 7;
  const _EventType    AuditObjectDestruction = 8;
  const _EventType    AuditNonRepudiation = 9;
  
  enum DayOfTheWeek {
    Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday };
  
  enum AuditCombinator {
    SecAllSelectors,
    SecAnySelector
  };
  
  struct AuditEventType {
    ExtensibleFamily        event_family;
    unsigned short          event_type;
  };
  
  typedef sequence<AuditEventType> AuditEventTypeList;
  typedef unsigned long           SelectorType;
  
  const SelectorType    InterfaceName = 1;
  const SelectorType    ObjectRef = 2;
  const SelectorType    Operation = 3;
  const SelectorType    Initiator = 4;
  const SelectorType    SuccessFailure = 5;
  const SelectorType    Time = 6;
  const SelectorType    DayOfWeek = 7;
  
  // values defined for audit_needed and audit_write are:
  // InterfaceName: CORBA::RepositoryId
  // ObjectRef: object reference
  // Operation: op_name 
  // Initiator: Credentials
  // SuccessFailure: boolean
  // Time: utc time on audit_write; time picked up from
  //             environment in audit_needed if required
  // DayOfWeek: DayOfTheWeek
  
  struct      SelectorValue {
    SelectorType    selector;
    any             value;
  };
  
    typedef sequence<SelectorValue> SelectorValueList;
  
  // Constant declaration for Security Policy Types
  
  // General Administrative Policies
  const CORBA::PolicyType SecClientInvocationAccess = 1;
  const CORBA::PolicyType SecTargetInvocationAccess = 2;
  const CORBA::PolicyType SecApplicationAccess      = 3;
  const CORBA::PolicyType SecClientInvocationAudit  = 4;
  const CORBA::PolicyType SecTargetInvocationAudit  = 5;
  const CORBA::PolicyType SecApplicationAudit       = 6;
  const CORBA::PolicyType SecDelegation             = 7;
  const CORBA::PolicyType SecClientSecureInvocation = 8;
  const CORBA::PolicyType SecTargetSecureInvocation = 9;
  const CORBA::PolicyType SecNonRepudiation         = 10;
  
  // Policies used to control attributes of a binding to a target
  const CORBA::PolicyType SecMechanismPolicy        = 12;
  const CORBA::PolicyType SecInvocationCredentialsPolicy = 13;
  const CORBA::PolicyType SecFeaturesPolicy         = 14; // obsolete
  const CORBA::PolicyType SecQOPPolicy              = 15;
  
  const CORBA::PolicyType SecDelegationDirectivePolicy   = 38;
  const CORBA::PolicyType SecEstablishTrustPolicy        = 39;
  
  
  //&&& Data for SSL Authentication 
  struct SSLKeyCertCAPass {
    string _key;
    string cert;
    string CAfile;
    string CAdir;
    string pass;
  };
};

#endif /* _SECURITY_IDL_ */