Security.idl

/* SPDX-License-Identifier: BSD-3-Clause */
/*
 * Copyright 2009 Raritan Inc. All rights reserved.
 */
 
#include <UserEvent.idl>
 
/**
 * %Security Configuration
 */
module security {
 
    /** IP packet filter policy */
    enumeration IpfwPolicy {
        ACCEPT,                         ///< Accept the packet
        DROP,                           ///< Silently discard the packet
        REJECT                          ///< Discard packet, send error response
    };
 
    /** IP packet filter rule */
    structure IpfwRule {
        string ipMask;                  ///< Remote IP and network mask
        IpfwPolicy policy;              ///< Filter policy
    };
 
    /** IP packet filter configuration */
    structure IpFw {
        boolean enabled;                ///< \c true to enable packet filtering
        IpfwPolicy defaultPolicyIn;     ///< The default policy for inbound traffic in case no rule matches
        IpfwPolicy defaultPolicyOut;    ///< The default policy for outbound traffic in case no rule matches
        vector<IpfwRule> ruleSetIn;     ///< Ordered list of inbound firewall rules
        vector<IpfwRule> ruleSetOut;    ///< Ordered list of outbound firewall rules
    };
 
    /** Role-based access policy */
    enumeration RoleAccessPolicy {
        ALLOW,                          ///< Access granted
        DENY                            ///< Access denied
    };
 
    /** Role-based access rule */
    structure RoleAccessRule {
        string           startIp;       ///< Start of IP range
        string           endIp;         ///< End of IP range
        int              roleId;        ///< Role id
        RoleAccessPolicy policy;        ///< Access policy
    };
 
    /** Role-based access control settings */
    structure RoleAccessControl {
        boolean enabled;                ///< \c true to enable role-based access control
        RoleAccessPolicy defaultPolicy; ///< Default policy
        vector<RoleAccessRule> rules;   ///< List of access rules
    };
 
    /** User blocking settings */
    structure BlockSettings {
        int maxFailedLogins;            ///< The number of failed logins before blocking a user
        int blockTimeout;               ///< Time (in minutes) the account will be blocked
        int failedLoginTimeout;         ///< Time (in minutes) before resetting the failure counter
    };
 
    /** Password settings */
    structure PasswordSettings {
        boolean   enableAging;          ///< \c true to enable password aging
        int       agingInterval;        ///< Aging interval in days
        boolean   enableStrongReq;      ///< \c true to enable strong password requirements
        int       minPwLength;          ///< Minimum password length
        int       maxPwLength;          ///< Maximum password length
        boolean   enforceLower;         ///< Passwords must contain at least one lower case character
        boolean   enforceUpper;         ///< Passwords must contain at least one upper case character
        boolean   enforceNumeric;       ///< Passwords must contain at least one numeric character
        boolean   enforceSpecial;       ///< Passwords must contain at least one special character
        int       pwHistoryDepth;       ///< Number of entries in password history
    };
 
    /** SSH authentication settings */
    structure SSHSettings {
        boolean  allowPasswordAuth;     ///< Allow password authentication
        boolean  allowPublicKeyAuth;    ///< Allow public key authentication
    };
 
    /** Type of SSH host key */
    enumeration SSHHostKeyType {
        SSH_HOST_KEY_TYPE_RSA,
        SSH_HOST_KEY_TYPE_ECDSA,
        SSH_HOST_KEY_TYPE_ED25519
    };
 
    /** Type of SSH key fingerprint */
    enumeration SSHKeyFingerprintType {
        SSH_KEY_FPRINT_TYPE_MD5_HEX,
        SSH_KEY_FPRINT_TYPE_SHA256_BASE64,
        SSH_KEY_FPRINT_TYPE_UNKNOWN
    };
 
    /** Fingerprints of SSH host key */
    structure SSHKeyFingerprint {
        string fingerprint;             ///< Fingerprint of SSH key
        SSHKeyFingerprintType type;     ///< Type of fingerprint
    };
 
    /** SSH host keys */
    structure SSHHostKey {
        string key;                             ///< Public key
        SSHHostKeyType type;              ///< Type of public key
        vector<SSHKeyFingerprint> fingerprints; ///< Fingerprints of public key
    };
 
    /** Restricted Service Agreement settings */
    structure RestrictedServiceAgreement {
        boolean enabled;                ///< Enforce Restricted Service Agreement
        string  banner;                 ///< Restricted Service Agreement Banner
    };
 
    /**
     * Information about an installed Secure Element
     *
     * The name TpmInfo is kept for backward compatibility.
     */
    structure TpmInfo {
        boolean detected;
    };
 
    /**
     * FIPS settings
     */
    structure FipsSettings {
        boolean enabled;            ///< FIPS mode enabled state
    };
 
   /**
     * This Event is emitted after any of the password-settings
     * has been changed
     */
    valueobject PasswordSettingsChanged extends event.UserEvent {
        PasswordSettings oldSettings;
        PasswordSettings newSettings;
    };
 
    /**
     * Front panel privileges have been changed
     */
    valueobject FrontPanelPrivilegesChanged extends event.UserEvent {
        vector<string> oldPrivileges;   ///< old front panel privileges
        vector<string> newPrivileges;   ///< new front panel privileges
    };
 
    /** %Security configuration interface */
    interface Security {
 
        constant int ERR_INVALID_VALUE = 1; ///< Invalid arguments
 
        /**
         * Retrieve the current state of the HTTP-to-HTTPS redirection.
         *
         * @return \c true if the HTTP-to-HTTPS redirection is enabled
         */
        boolean getHttpRedirSettings();
 
        /**
         * Enable or disable HTTP-to-HTTPS redirection.
         *
         * @param http2httpsRedir  \c true to enable the redirection
         */
        void setHttpRedirSettings(in boolean http2httpsRedir);
 
        /**
         * Check whether HTTP Strict Transport Security (HSTS) is enabled
         *
         * @return \c true when HSTS is enabled
         */
        boolean isHstsEnabled();
 
        /**
         * Enable or disable HTTP Strict Transport Security (HSTS).
         *
         * @param enable \c true to enable HSTS
         */
        void setHstsEnabled(in boolean enable);
 
        /**
         * Retrieve the IPv4 packet filter configuration.
         *
         * @return %IPv4 packet filter configuration
         */
        IpFw getIpFwSettings();
 
        /**
         * Set the IPv4 packet filter configuration.
         *
         * @param ipFw  New packet filter settings
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setIpFwSettings(in IpFw ipFw);
 
        /**
         * Retrieve the IPv6 packet filter configuration.
         *
         * @return %IPv6 packet filter configuration
         */
        IpFw getIpV6FwSettings();
 
        /**
         * Set the IPv6 packet filter configuration.
         *
         * @param ipV6Fw  New packet filter settings
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setIpV6FwSettings(in IpFw ipV6Fw);
 
        /**
         * Retrieve the role-base access control settings for IPv4.
         *
         * @return Role-based access control settings
         */
        RoleAccessControl getRoleAccessControlSettings();
 
        /**
         * Change the role-based access control settings.
         *
         * @param settings  New settings
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setRoleAccessControlSettings(in RoleAccessControl settings);
 
        /**
         * Retrieve the role-base access control settings for IPv6.
         *
         * @return Role-based access control settings
         */
        RoleAccessControl getRoleAccessControlSettingsV6();
 
        /**
         * Change the role-based access control settings for IPv6.
         *
         * @param settings  New settings
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setRoleAccessControlSettingsV6(in RoleAccessControl settings);
 
        /**
         * Retrieve the current user blocking settings
         *
         * @return User blocking settings
         */
        BlockSettings getBlockSettings();
 
        /**
         * Change the user blocking settings.
         *
         * @param settings  New settings
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setBlockSettings(in BlockSettings settings);
 
        /**
         * Retrieve the password settings.
         *
         * @return Password settings
         */
        PasswordSettings getPwSettings();
 
        /**
         * Change the password settings.
         *
         * @param pwSettings  New settings
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setPwSettings(in PasswordSettings pwSettings);
 
        /**
         * Retrieve the current idle timeout.
         *
         * @return Idle timeout in minutes
         */
        int getIdleTimeoutSettings();
 
        /**
         * Change the session idle timeout.
         *
         * @param idleTimeout  New idle timeout in minutes
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setIdleTimeoutSettings(in int idleTimeout);
 
        /**
         * Retrieve the current single-login limitation setting.
         *
         * @return \c true if single-login limitation is enabled
         */
        boolean getSingleLoginLimitation();
 
        /**
         * Enable or disable single login limitation.
         *
         * @param singleLogin  \c true to enable single login limitation
         */
        void setSingleLoginLimitation(in boolean singleLogin);
 
        /**
         * Retrieve the current SSH settings
         *
         * @return SSH settings
         */
        SSHSettings getSSHSettings();
 
        /**
         * Change the SSH settings
         *
         * @param settings  New settings
         */
        void setSSHSettings(in SSHSettings settings);
 
        /**
         * Retrieve the host SSH keys
         *
         * @return SSH host keys
         */
        vector<SSHHostKey> getSSHHostKeys();
 
        /**
         * Retrieve the current Restricted Service Agreement settings
         *
         * @return Restricted Service Agreement settings
         */
        RestrictedServiceAgreement getRestrictedServiceAgreement();
 
        /**
         * Change the Restricted Service Agreement settings
         *
         * @param settings  New settings
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setRestrictedServiceAgreement(in RestrictedServiceAgreement settings);
 
        /**
         * Retrieve a list of supported privileges for the front panel
         *
         * @return List of privilege names
         */
        vector<string> getSupportedFrontPanelPrivileges();
 
        /**
         * Retrieve the list of active front panel privileges
         *
         * @return List of privilege names
         */
        vector<string> getFrontPanelPrivileges();
 
        /**
         * Set the privileges for the front panel
         *
         * @return 0 on success
         * @return ERR_INVALID_VALUE if any argument was invalid
         */
        int setFrontPanelPrivileges(in vector<string> privileges);
 
        /**
        * Set the default admin account password and optionally disable strong password requirements.
        *
        * The purpose of this method is to set the default admin account password when the device is
        * unprovisioned, i.e. has not been configured yet or has been reset to factory defaults. The
        * difference to the regular setAccountPassword() method in the User.idl is that this method
        * allows to disable the strong password requirements at the same time. It allows choosing a
        * weaker password in case strong password requirements are not needed for the specific purpose.
        *
        * @param password                  The new password
        * @param disableStrongPasswordReq  \c true to disable strong password requirements
        *                                  \c false to keep the current strong password requirement setting
        *
        * @return  0 OK
        * @return  1 The new password has to differ from old password.
        * @return  2 The password must not be empty.
        * @return  3 The password is too short.
        * @return  4 The password is too long.
        * @return  5 The password must not contain control characters.
        * @return  6 The password has to contain at least one lower case character.
        * @return  7 The password has to contain at least one upper case character.
        * @return  8 The password has to contain at least one numeric character.
        * @return  9 The password has to contain at least one printable special character.
        * @return 10 The password already is in history.
        * @return 11 SNMPv3 USM is activated for the user and the password shall be used as auth passphrase.
        *            For this case, the password is too short (must be at least 8 characters).
        */
        int setDefaultAdminAccountPassword(in string password, in boolean disableStrongPasswordReq);
 
        /**
        * Set the password hash for the admin user. Naturally, this circumvents
        * checks for password complexity requirements and the password history,
        * since we only receive the salted hash of a password.
        *
        * This method is only allowed on link units when called by the primary unit.
        *
        * @return  0 OK
        * @return  2 The password hash must not be empty.
        */
        int setAdminAccountPasswordHash(in string passwordHash);
 
        /**
         * Check whether secure boot is active.
         *
         * ATTENTION: There are some uncertainties involved here. It is possible that it reports secure boot
         *            active while it isn't. Theoretically also the opposite is possible. For that reason
         *            the result of this function may not be used to reduce any security checks!
         *
         * @return \c true if secure boot is active
         */
        boolean isSecureBootActive();
 
        /**
         * Return information about an installed Secure Element.
         *
         * The name getTpmInfo is kept for backward compatibility.
         *
         * @return Secure Element information
         */
        TpmInfo getTpmInfo();
 
        /**
         * Get active FIPS settings.
         *
         * @return Active FIPS settings
         */
        FipsSettings getActiveFipsSettings();
 
        /**
         * Get persistent FIPS settings.
         *
         * Those settings are applied on next boot and may differ from currently active settings.
         *
         * @return Persistent FIPS settings
         */
        FipsSettings getPersistentFipsSettings();
 
        /**
         * Set persistent FIPS settings.
         *
         * Those settings are applied on next boot and may differ from currently active settings.
         *
         * @param settings  new persistent FIPS settings
         */
        void setPersistentFipsSettings(in FipsSettings settings);
 
    };
 
}