/*
   Unix SMB/CIFS implementation.

   interface functions for the sam database

   Copyright (C) Andrew Tridgell 2004

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef __SAMDB_H__
#define __SAMDB_H__

struct auth_SidAttr;
struct auth_session_info;
struct dsdb_control_current_partition;
struct dsdb_extended_replicated_object;
struct dsdb_extended_replicated_objects;
struct loadparm_context;
struct tevent_context;
struct tsocket_address;
struct dsdb_trust_routing_table;
struct gmsa_update_pwd_part;
struct gmsa_update;
struct gmsa_return_pwd;
struct KeyEnvelope;

enum dsdb_password_checked {
	DSDB_PASSWORD_NOT_CHECKED = 0, /* unused */
	DSDB_PASSWORD_RESET,
	DSDB_PASSWORD_CHECKED_AND_CORRECT,
	/*
	 * This disables the password rules for this new random
	 * password for ResetSmartCardAccountPassword handling.  This
	 * produces a
	 * DSDB_CONTROL_PASSWORD_KDC_RESET_SMARTCARD_ACCOUNT_PASSWORD
	 * control.
	 */
	DSDB_PASSWORD_KDC_RESET_SMARTCARD_ACCOUNT_PASSWORD
};

#include "lib/util/data_blob.h"
#include "librpc/gen_ndr/security.h"
#include <ldb.h>
#include "lib/ldb-samba/ldif_handlers.h"
#include "lib/util/time.h"
#include "librpc/gen_ndr/samr.h"
#include "libcli/util/werror.h"
#include "librpc/gen_ndr/drsuapi.h"
#include "librpc/gen_ndr/drsblobs.h"
#include "dsdb/schema/schema.h"
#include "auth/session.h"
#include "dsdb/samdb/samdb_proto.h"
#include "dsdb/common/dsdb_dn.h"
#include "dsdb/common/util_links.h"
#include "lib/crypto/gmsa.h"
#include "dsdb/common/proto.h"
#include "../libds/common/flags.h"

#define DSDB_CONTROL_CURRENT_PARTITION_OID "1.3.6.1.4.1.7165.4.3.2"
struct dsdb_control_current_partition {
	/*
	 * this is the version of the dsdb_control_current_partition
	 * version 0: initial implementation
	 * version 1: got rid of backend and module fields
	 */
#define DSDB_CONTROL_CURRENT_PARTITION_VERSION 1
	uint32_t version;
	struct ldb_dn *dn;
};


/*
  flags in dsdb_repl_flags to control replication logic
 */
#define DSDB_REPL_FLAG_PRIORITISE_INCOMING 1
#define DSDB_REPL_FLAG_PARTIAL_REPLICA     2
#define DSDB_REPL_FLAG_ADD_NCNAME	   4
#define DSDB_REPL_FLAG_EXPECT_NO_SECRETS   8
#define DSDB_REPL_FLAG_OBJECT_SUBSET       16
#define DSDB_REPL_FLAG_TARGETS_UPTODATE    32

#define DSDB_CONTROL_REPLICATED_UPDATE_OID "1.3.6.1.4.1.7165.4.3.3"

#define DSDB_CONTROL_DN_STORAGE_FORMAT_OID "1.3.6.1.4.1.7165.4.3.4"
/* DSDB_CONTROL_DN_STORAGE_FORMAT_OID has NULL data and behaves very
 * much like LDB_CONTROL_EXTENDED_DN_OID when the DB stores an
 * extended DN, and otherwise returns normal DNs */

#define DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID "1.3.6.1.4.1.7165.4.3.8"

struct dsdb_user_pwd_settings {
	uint32_t pwdProperties;
	uint32_t pwdHistoryLength;
	int64_t maxPwdAge;
	int64_t minPwdAge;
	uint32_t minPwdLength;
	bool store_cleartext;
	const char *netbios_domain;
	const char *dns_domain;
	const char *realm;
};

struct dsdb_control_password_change_status {
	struct dsdb_user_pwd_settings domain_data;
	enum samPwdChangeReason reject_reason;
};

#define DSDB_CONTROL_PASSWORD_HASH_VALUES_OID "1.3.6.1.4.1.7165.4.3.9"

#define DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID "1.3.6.1.4.1.7165.4.3.10"
struct dsdb_control_password_change {
	enum dsdb_password_checked old_password_checked;
};

/**
   DSDB_CONTROL_APPLY_LINKS is internal to Samba4 - a token passed between repl_meta_data and linked_attributes modules
*/
#define DSDB_CONTROL_APPLY_LINKS "1.3.6.1.4.1.7165.4.3.11"

/*
 * this should only be used for importing users from Samba3
 */
#define DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID "1.3.6.1.4.1.7165.4.3.12"

/**
  OID used to allow the replacement of replPropertyMetaData.
  It is used when the current replmetadata needs to be edited.
*/
#define DSDB_CONTROL_CHANGEREPLMETADATA_OID "1.3.6.1.4.1.7165.4.3.14"

/* passed when we want to get the behaviour of the non-global catalog port */
#define DSDB_CONTROL_NO_GLOBAL_CATALOG "1.3.6.1.4.1.7165.4.3.17"

/* passed when we want special behaviour for partial replicas */
#define DSDB_CONTROL_PARTIAL_REPLICA "1.3.6.1.4.1.7165.4.3.18"

/* passed when we want special behaviour for dbcheck */
#define DSDB_CONTROL_DBCHECK "1.3.6.1.4.1.7165.4.3.19"

/* passed when dbcheck wants to modify a read only replica (very special case) */
#define DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA "1.3.6.1.4.1.7165.4.3.19.1"

/* passed by dbcheck to fix duplicate linked attributes (bug #13095) */
#define DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS "1.3.6.1.4.1.7165.4.3.19.2"

/* passed by dbcheck to fix the DN string of a one-way-link (bug #13495) */
#define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME "1.3.6.1.4.1.7165.4.3.19.3"

/* passed by dbcheck to fix the DN SID of a one-way-link (bug #13418) */
#define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID "1.3.6.1.4.1.7165.4.3.19.4"

/* passed when importing plain text password on upgrades */
#define DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.20"

/*
 * passed from the descriptor module in order to
 * store the recalculated nTSecurityDescriptor without
 * modifying the replPropertyMetaData.
 */
#define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.3.21"

/*
 * passed when creating a interdomain trust account through LSA
 * to relax constraints in the samldb ldb module.
 */
#define DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID "1.3.6.1.4.1.7165.4.3.23"

/*
 * Internal control to mark requests as being part of Tombstone restoring
 * procedure - it requires slightly special behavior like:
 *  - a bit different security checks
 *  - restoring certain attributes to their default values, etc
 */
#define DSDB_CONTROL_RESTORE_TOMBSTONE_OID "1.3.6.1.4.1.7165.4.3.24"

/**
  OID used to allow the replacement of replPropertyMetaData.
  It is used when the current replmetadata needs only to be re-sorted, but not edited.
*/
#define DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID "1.3.6.1.4.1.7165.4.3.25"

/*
 * pass the default state of pwdLastSet between the "samldb" and "password_hash"
 * modules.
 */
#define DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.26"

/*
 * pass the userAccountControl changes between the "samldb" and "password_hash"
 * modules.
 */
#define DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID "1.3.6.1.4.1.7165.4.3.27"
struct dsdb_control_password_user_account_control {
	uint32_t req_flags; /* the flags given by the client request */
	uint32_t old_flags; /* the old flags stored (0 on add) */
	uint32_t new_flags; /* the new flags stored */
};

/*
 * Ignores strict checking when adding objects to samldb.
 * This is used when provisioning, as checking all objects when added
 * was slow due to an unindexed search.
 */
#define DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID "1.3.6.1.4.1.7165.4.3.28"

/* passed when we want to thoroughly delete linked attributes */
#define DSDB_CONTROL_REPLMD_VANISH_LINKS "1.3.6.1.4.1.7165.4.3.29"

/*
 * lockoutTime is a replicated attribute, but must be modified before
 * connectivity occurs to allow password lockouts.
 */
#define DSDB_CONTROL_FORCE_RODC_LOCAL_CHANGE "1.3.6.1.4.1.7165.4.3.31"

#define DSDB_CONTROL_INVALID_NOT_IMPLEMENTED "1.3.6.1.4.1.7165.4.3.32"

/*
 * Used to pass "user password change" vs "password reset" from the ACL to the
 * password_hash module, ensuring both modules treat the request identical.
 */
#define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33"
struct dsdb_control_password_acl_validation {
	bool pwd_reset;
};

/*
 * Used to pass the current transaction identifier from the audit_log
 * module to group membership auditing module
 */
#define DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID "1.3.6.1.4.1.7165.4.3.34"
struct dsdb_control_transaction_identifier {
	struct GUID transaction_guid;
};

/*
 * passed when we want to allow validated writes to dNSHostName and
 * servicePrincipalName.
 */
#define DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID "1.3.6.1.4.1.7165.4.3.35"

/*
 * Used by descriptor module to pass a special SD to acl module,
 * one without the user-provided descriptor taken into account
 */

#define DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID "1.3.6.1.4.1.7165.4.3.36"
struct dsdb_control_calculated_default_sd {
	struct security_descriptor *default_sd;
	bool specified_sd:1;
	bool specified_sacl:1;
};

#define DSDB_CONTROL_ACL_READ_OID "1.3.6.1.4.1.7165.4.3.37"

/*
 * Used by the operational module to indicate to the LDAP server that the keys
 * and Managed Password ID of a Group Managed Service Account are to be updated.
 */
#define DSDB_CONTROL_GMSA_UPDATE_OID "1.3.6.1.4.1.7165.4.3.38"
/* struct gmsa_update */

/*
 * KDC is running ResetSmartCardAccountPassword behaviour, the password needs to be made random
 */
#define DSDB_CONTROL_PASSWORD_KDC_RESET_SMARTCARD_ACCOUNT_PASSWORD "1.3.6.1.4.1.7165.4.3.39"

#define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
struct dsdb_extended_replicated_object {
	struct ldb_message *msg;
	struct GUID object_guid;
	struct GUID *parent_guid;
	const char *when_changed;
	struct replPropertyMetaDataBlob *meta_data;

	/* Only used for internal processing in repl_meta_data */
	struct ldb_dn *last_known_parent;
	struct ldb_dn *local_parent_dn;
};

/*
 * the schema_dn is passed as struct ldb_dn in
 * req->op.extended.data
 */
#define DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID "1.3.6.1.4.1.7165.4.4.2"

struct dsdb_extended_replicated_objects {
	/*
	 * this is the version of the dsdb_extended_replicated_objects
	 * version 0: initial implementation
	 */
#define DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION 3
	uint32_t version;

	/* DSDB_REPL_FLAG_* flags */
	uint32_t dsdb_repl_flags;

	struct ldb_dn *partition_dn;

	const struct repsFromTo1 *source_dsa;
	const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector;

	uint32_t num_objects;
	struct dsdb_extended_replicated_object *objects;

	uint32_t linked_attributes_count;
	struct drsuapi_DsReplicaLinkedAttribute *linked_attributes;

	WERROR error;

	bool originating_updates;
};

/* In ldb.h: LDB_EXTENDED_SEQUENCE_NUMBER 1.3.6.1.4.1.7165.4.4.3 */

#define DSDB_EXTENDED_CREATE_PARTITION_OID "1.3.6.1.4.1.7165.4.4.4"
struct dsdb_create_partition_exop {
	struct ldb_dn *new_dn;
};

/* this takes a struct dsdb_fsmo_extended_op */
#define DSDB_EXTENDED_ALLOCATE_RID_POOL "1.3.6.1.4.1.7165.4.4.5"

struct dsdb_fsmo_extended_op {
	uint64_t fsmo_info;
	struct GUID destination_dsa_guid;
};

#define DSDB_EXTENDED_SCHEMA_UPGRADE_IN_PROGRESS_OID "1.3.6.1.4.1.7165.4.4.6"

/*
 * passed from the descriptor module in order to
 * store the recalculated nTSecurityDescriptor without
 * modifying the replPropertyMetaData.
 */
#define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.4.7"
struct dsdb_extended_sec_desc_propagation_op {
	struct ldb_dn *nc_root;
	struct GUID guid;
	bool include_self;
	struct GUID parent_guid;
};

/* this takes no data */
#define DSDB_EXTENDED_CREATE_OWN_RID_SET "1.3.6.1.4.1.7165.4.4.8"

/* this takes a struct dsdb_extended_allocate_rid */
#define DSDB_EXTENDED_ALLOCATE_RID "1.3.6.1.4.1.7165.4.4.9"

struct dsdb_extended_allocate_rid {
	uint32_t rid;
};

#define DSDB_EXTENDED_SCHEMA_LOAD "1.3.6.1.4.1.7165.4.4.10"

#define DSDB_OPENLDAP_DEREFERENCE_CONTROL "1.3.6.1.4.1.4203.666.5.16"

struct dsdb_openldap_dereference {
	const char *source_attribute;
	const char **dereference_attribute;
};

struct dsdb_openldap_dereference_control {
	struct dsdb_openldap_dereference **dereference;
};

struct dsdb_openldap_dereference_result {
	const char *source_attribute;
	const char *dereferenced_dn;
	int num_attributes;
	struct ldb_message_element *attributes;
};

struct dsdb_openldap_dereference_result_control {
	struct dsdb_openldap_dereference_result **attributes;
};

struct samldb_msds_intid_persistant {
	uint32_t msds_intid;
};

#define SAMLDB_MSDS_INTID_OPAQUE "SAMLDB_MSDS_INTID_OPAQUE"

#define DSDB_PARTITION_DN "@PARTITION"
#define DSDB_PARTITION_ATTR "partition"

#define DSDB_EXTENDED_DN_STORE_FORMAT_OPAQUE_NAME "dsdb_extended_dn_store_format"
struct dsdb_extended_dn_store_format {
	bool store_extended_dn_in_ldb;
};

#define DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME "DSDB_OPAQUE_PARTITION_MODULE_MSG"

#define DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME "DSDB_FULL_JOIN_REPLICATION_COMPLETED"

#define DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME "DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_MSG"
struct dsdb_encrypted_connection_state {
	bool using_encrypted_connection;
};

#define DSDB_SAMDB_MINIMUM_ALLOWED_RID   1000

#define DSDB_METADATA_SCHEMA_SEQ_NUM	"SCHEMA_SEQ_NUM"

/*
 * must be in LDB_FLAG_INTERNAL_MASK
 * see also the values in lib/ldb/include/ldb_module.h
 */
#define DSDB_FLAG_INTERNAL_FORCE_META_DATA 0x10000

#define SAMBA_COMPATIBLE_FEATURES_ATTR "compatibleFeatures"
#define SAMBA_REQUIRED_FEATURES_ATTR "requiredFeatures"
#define SAMBA_FEATURES_SUPPORTED_FLAG "@SAMBA_FEATURES_SUPPORTED"

#define SAMBA_SORTED_LINKS_FEATURE "sortedLinks"
#define SAMBA_ENCRYPTED_SECRETS_FEATURE "encryptedSecrets"
/*
 * lmdb level one feature is an experimental release with basic support
 * for lmdb database files, instead of tdb.
 * - Keys are limited to 511 bytes long so GUID indexes are required
 * - Currently only the:
 *     partition data files
 *   are in lmdb format.
 */
#define SAMBA_LMDB_LEVEL_ONE_FEATURE "lmdbLevelOne"

#define SAMBA_LDB_WRAP_CONNECT_FLAG_NO_SHARE_CONTEXT 0x01000000

#endif /* __SAMDB_H__ */