blob: bc8bec6ec1982532f1876a85c91c51062f0dfd1c [file] [log] [blame]
// Copyright 2016 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <string>
#include <vector>
#include <base/time/time.h>
namespace authpolicy {
class Anonymizer;
// Number of code points in randomly generated machine passwords.
constexpr size_t kMachinePasswordCodePoints = 32;
// By default, change the machine password every 30 days.
constexpr base::TimeDelta kDefaultMachinePasswordChangeRate =
// Group policy flags.
const int kGpFlagAllEnabled = 0x00;
const int kGpFlagUserDisabled = 0x01;
const int kGpFlagMachineDisabled = 0x02;
const int kGpFlagAllDisabled = 0x03;
const int kGpFlagCount = 0x04;
const int kGpFlagInvalid = 0x04;
extern const char* const kGpFlagsStr[];
// Params for net and smbclient.
extern const char kKerberosParam[];
extern const char kConfigParam[];
extern const char kDebugParam[];
extern const char kCommandParam[];
extern const char kUserParam[];
extern const char kMachinepassStdinParam[];
extern const char kCreatecomputerParam[];
extern const char kOsNameParam[];
extern const char kOsVersionParam[];
extern const char kOsServicePackParam[];
// Params for kinit.
extern const char kUseKeytabParam[];
extern const char kValidityLifetimeParam[];
extern const char kRenewalLifetimeParam[];
extern const char kRenewParam[];
// Params for klist.
extern const char kSetExitStatusParam[];
extern const char kCredentialCacheParam[];
// Kerberos encryption types strings for the Kerberos configuration.
extern const char kEncTypesAll[];
extern const char kEncTypesStrong[];
extern const char kEncTypesLegacy[];
// Marker for user affiliation (whether the device domain trusts the user
// domain). This marker is added to PolicyData.device_affiliation_ids for device
// policy. For user policy, it is added if and only if
// SambaInterface::IsUserAffiliated indicates that the user is affiliated.
extern const char kAffiliationMarker[];
// Parses user_name@some.realm into its components and normalizes (uppercases)
// the part behind the @. |user_name| is 'user_name', |realm| is |SOME.REALM|
// and |normalized_user_principal_name| is user_name@SOME.REALM.
bool ParseUserPrincipalName(const std::string& user_principal_name,
std::string* user_name,
std::string* realm,
std::string* normalized_user_principal_name);
// Parses the given |in_str| consisting of individual lines for
// ... \n
// |token| <token_separator> |result| \n
// ... \n
// and returns the first non-empty |result|. Whitespace is trimmed.
bool FindToken(const std::string& in_str,
char token_separator,
const std::string& token,
std::string* result);
// Returns true if the given one-line string |in_line| has the form
// |token| <token_separator> |result|
// and returns |result|. Whitespace is trimmed.
bool FindTokenInLine(const std::string& in_line,
char token_separator,
const std::string& token,
std::string* result);
// Parses a GPO version string, which consists of a number and the same number
// as base-16 hex number, e.g. '31 (0x0000001f)'.
bool ParseGpoVersion(const std::string& str, uint32_t* version);
// Parses a group policy flags string, which consists of a number 0-3 and a
// descriptive name. See |kGpFlag*| for possible values.
bool ParseGpFlags(const std::string& str, int* gp_flags);
// Returns true if the string contains the given substring.
bool Contains(const std::string& str, const std::string& substr);
// Converts a valid GUID (see base::IsValidGUID()) to an octet string, see e.g.
// Returns an empty string on error.
std::string GuidToOctetString(const std::string& guid);
// Converts an octet string to a GUID. Inverse of GuidToOctetString(). Only for
// testing! Just performs basic size checks, no strict format checks. Returns an
// empty string on error.
std::string OctetStringToGuidForTesting(const std::string& octet_str);
// Converts an |account_id| (aka objectGUID) to an account_id_key by adding a
// prefix |kActiveDirectoryPrefix|.
std::string GetAccountIdKey(const std::string& account_id);
// Logs |str| to INFO, prepending |header|. Splits |str| into lines and logs the
// lines. This works around a restriction of syslog of 8kb per log and fixes
// unreadable logs where \n is replaced by #012. Anonymizes logs with
// |anonymizer| to remove sensitive data. |color| is a color from log_colors.h.
void LogLongString(const char* color,
const std::string& header,
const std::string& str,
Anonymizer* anonymizer);
// Builds a distinguished name from a vector of |organizational_units|, ordered
// leaf-to-root, and a DNS |domain| name. Returns a combined string
// 'ou=ouLeaf,...,ou=ouRoot,dc="example",dc="com"'. Makes sure the result is
// properly escaped..
std::string BuildDistinguishedName(
const std::vector<std::string>& organizational_units,
const std::string& domain);
// Generates a random password that can be used for Active Directory machine
// accounts. It is UTF-8 encoded with |kMachinePasswordCodePoints| code points.
// Since Kerberos code cannot handle higher code points, all code points are
// below or equal to 0xFFFF. Excludes
// - invalid code points,
// - '\0', so that the string can be safely converted to and from char*, and
// - '\n', so that the password can be read from stdin.
// The runtime is not deterministic, but the average runtime is
// O(kMachinePasswordCodePoints).
std::string GenerateRandomMachinePassword();
using RandomBytesGenerator = void(void* bytes, size_t length);
void SetRandomNumberGeneratorForTesting(RandomBytesGenerator* rand_bytes);
// Returns the OS name from the lsb-release file or an empty string on error.
std::string GetOsName();
// Returns the OS version from the lsb-release file or an empty string on error.
std::string GetOsVersion();
} // namespace authpolicy