#include "idl_types.h"

/*
  Authentication IDL structures

  These are NOT public network structures, but it is helpful to define
  these things in IDL. They may change without ABI breakage or
  warning.

*/

import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
[
	pyhelper("librpc/ndr/py_auth.c"),
	helper("../librpc/ndr/ndr_auth.h"),
	helpstring("internal Samba authentication structures")
]

interface auth
{
	typedef [public] enum {
		SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
		SEC_AUTH_METHOD_NTLM            = 1,
		SEC_AUTH_METHOD_KERBEROS        = 2
	} auth_method;

	/* This is the parts of the session_info that don't change
	 * during local privilage and group manipulations */
	typedef [public] struct {
		[unique,charset(UTF8),string] char *account_name;
		[unique,charset(UTF8),string] char *user_principal_name;
		boolean8 user_principal_constructed;
		[unique,charset(UTF8),string] char *domain_name;
		[unique,charset(UTF8),string] char *dns_domain_name;

		[unique,charset(UTF8),string] char *full_name;
		[unique,charset(UTF8),string] char *logon_script;
		[unique,charset(UTF8),string] char *profile_path;
		[unique,charset(UTF8),string] char *home_directory;
		[unique,charset(UTF8),string] char *home_drive;
		[unique,charset(UTF8),string] char *logon_server;

		NTTIME last_logon;
		NTTIME last_logoff;
		NTTIME acct_expiry;
		NTTIME last_password_change;
		NTTIME allow_password_change;
		NTTIME force_password_change;

		uint16 logon_count;
		uint16 bad_password_count;

		uint32 acct_flags;

		uint8 authenticated;
	} auth_user_info;

	/* This information is preserved only to assist torture tests */
	typedef [public] struct {
		/* Number SIDs from the DC netlogon validation info */
		uint32 num_dc_sids;
		[size_is(num_dc_sids)] dom_sid dc_sids[*];
	} auth_user_info_torture;

	typedef [public] struct {
		[unique,charset(UTF8),string] char *unix_name;

		/*
		 * For performance reasons we keep an alpha_strcpy-sanitized version
		 * of the username around as long as the global variable current_user
		 * still exists. If we did not do keep this, we'd have to call
		 * alpha_strcpy whenever we do a become_user(), potentially on every
		 * smb request. See set_current_user_info in source3.
		 */
		[unique,charset(UTF8),string] char *sanitized_username;
	} auth_user_info_unix;

	/* This is the interim product of the auth subsystem, before
	 * privileges and local groups are handled */
	typedef [public] struct {
		uint32 num_sids;
		[size_is(num_sids)] dom_sid sids[*];
		auth_user_info *info;
		[noprint] DATA_BLOB user_session_key;
		[noprint] DATA_BLOB lm_session_key;
	} auth_user_info_dc;

	typedef [public] struct {
		security_token *security_token;
		security_unix_token *unix_token;
		auth_user_info *info;
		auth_user_info_unix *unix_info;
		[value(NULL), ignore] auth_user_info_torture *torture;

		/* This is the final session key, as used by SMB signing, and
		 * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
		 * when over ncacn_np.
		 * It is calculated by NTLMSSP from the session key in the info3,
		 * and is  set from the Kerberos session key using
		 * krb5_auth_con_getremotesubkey().
		 *
		 * Bottom line, it is not the same as the session keys in info3.
		 */

		[noprint] DATA_BLOB session_key;

		[value(NULL), ignore] cli_credentials *credentials;

	        /*
		 * It is really handy to have our authorization code log a
		 * token that can be used to tie later requests together.
		 * We generate this in auth_generate_session_info()
		 */
	        GUID unique_session_token;
	} auth_session_info;

	typedef [public] struct {
		auth_session_info *session_info;
		[noprint] DATA_BLOB exported_gssapi_credentials;
	} auth_session_info_transport;
}