The credentials cache functions (some of which are macros which call to
specific types of credentials caches) deal with storing credentials
(tickets, session keys, and other identifying information) in a
semi-permanent store for later use by different programs.
\subsubsection{The krb5_cc_ops structure}
In order to implement a new credentials cache type, the programmer should
declare a {\bf krb5_cc_ops} structure, and fill in the elements of the
structure appropriately, by implementing each of the credential cache
functions for the new credentials cache type.
The prefix element specifies the prefix name of the the new credential
cache type. For example, if the prefix name is ``FILE'', then if the
program calls \funcname{krb5_cc_resolve} with a credential cache name
such as ``FILE:/tmp/krb5_cc_15806'', then \funcname{krb5_cc_resolve}
will call the resolve function (as defined by the {\bf krb5_cc_ops}
structure where the prefix element is ``FILE'') and pass it the
argument ``/tmp/krb5_cc_15806''.
Before a new credentials cache type can be recognized by
\funcname{krb5_cc_resolve}, it must be registered with the Kerberos
library by calling \funcname{krb5_cc_register}.
\begin{verbatim}
typedef struct _krb5_cc_ops {
char *prefix;
char *(*get_name)((krb5_ccache));
krb5_error_code (*resolve)((krb5_ccache *, char *));
krb5_error_code (*gen_new)((krb5_ccache *));
krb5_error_code (*init)((krb5_ccache, krb5_principal));
krb5_error_code (*destroy)((krb5_ccache));
krb5_error_code (*close)((krb5_ccache));
krb5_error_code (*store)((krb5_ccache, krb5_creds *));
krb5_error_code (*retrieve)((krb5_ccache, krb5_flags,
krb5_creds *, krb5_creds *));
krb5_error_code (*get_princ)((krb5_ccache,
krb5_principal *));
krb5_error_code (*get_first)((krb5_ccache,
krb5_cc_cursor *));
krb5_error_code (*get_next)((krb5_ccache, krb5_cc_cursor *,
krb5_creds *));
krb5_error_code (*end_get)((krb5_ccache, krb5_cc_cursor *));
krb5_error_code (*remove_cred)((krb5_ccache, krb5_flags,
krb5_creds *));
krb5_error_code (*set_flags)((krb5_ccache, krb5_flags));
} krb5_cc_ops;
\end{verbatim}
\subsubsection{Per-type functions}
The following entry points must be implemented for each type of
credentials cache. However, \funcname{resolve} and
\funcname{gen_new} are only called by the credentials cache glue code.
They are not called directly by the application.
\begin{funcdecl}{resolve}{krb5_error_code}{\funcout}
\funcarg{krb5_ccache *}{id}
\funcin
\funcarg{char *}{residual}
\end{funcdecl}
Creates a credentials cache named by \funcparam{residual} (which may be
interpreted differently by each type of ccache). The cache is not
opened, but the cache name is held in reserve.
\begin{funcdecl}{gen_new}{krb5_error_code}{\funcout}
\funcarg{krb5_ccache *}{id}
\end{funcdecl}
Creates a new credentials cache whose name is guaranteed to be
unique. The cache is not opened. \funcparam{*id} is
filled in with a \datatype{krb5_ccache} which may be used in subsequent
calls to ccache functions.
\begin{funcdecl}{init}{krb5_error_code}{\funcinout}
\funcarg{krb5_ccache}{id}
\funcin
\funcarg{krb5_principal}{primary_principal}
\end{funcdecl}
Creates/refreshes a credentials cache identified by \funcparam{id} with
primary principal set to \funcparam{primary_principal}.
If the credentials cache already exists, its contents are destroyed.
Modifies: cache identified by \funcparam{id}.
\begin{funcdecl}{destroy}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\end{funcdecl}
Destroys the credentials cache identified by \funcparam{id}, invalidates
\funcparam{id}, and releases any other resources acquired during use of
the credentials cache. Requires that \funcparam{id} identifies a valid
credentials cache. After return, \funcparam{id} must not be used unless
it is first reinitialized.
\begin{funcdecl}{close}{krb5_error_code}{\funcinout}
\funcarg{krb5_ccache}{id}
\end{funcdecl}
Closes the credentials cache \funcparam{id}, invalidates
\funcparam{id}, and releases \funcparam{id} and any other resources
acquired during use of the credentials cache. Requires that
\funcparam{id} identifies a valid credentials cache. After return,
\funcparam{id} must not be used unless it is first reinitialized.
\begin{funcdecl}{store}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcarg{krb5_creds *}{creds}
\end{funcdecl}
Stores \funcparam{creds} in the cache \funcparam{id}, tagged with
\funcparam{creds{\ptsto}client}.
Requires that \funcparam{id} identifies a valid credentials cache.
\begin{funcdecl}{retrieve}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcarg{krb5_flags}{whichfields}
\funcarg{krb5_creds *}{mcreds}
\funcout
\funcarg{krb5_creds *}{creds}
\end{funcdecl}
Searches the cache \funcparam{id} for credentials matching
\funcparam{mcreds}. The fields which are to be matched are specified by
set bits in \funcparam{whichfields}, and always include the principal
name \funcparam{mcreds{\ptsto}server}.
Requires that \funcparam{id} identifies a valid credentials cache.
If at least one match is found, one of the matching credentials is
returned in \funcparam{*creds}. The credentials should be freed using
\funcname{krb5_free_credentials}.
\begin{funcdecl}{get_princ}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcarg{krb5_principal *}{principal}
\end{funcdecl}
Retrieves the primary principal of the credentials cache (as
set by the \funcname{init} request)
The primary principal is filled into \funcparam{*principal}; the caller
should release this memory by calling \funcname{krb5_free_principal} on
\funcparam{*principal} when finished.
Requires that \funcparam{id} identifies a valid credentials cache.
\begin{funcdecl}{get_first}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcout
\funcarg{krb5_cc_cursor *}{cursor}
\end{funcdecl}
Prepares to sequentially read every set of cached credentials.
Requires that \funcparam{id} identifies a valid credentials cache opened by
\funcname{krb5_cc_open}.
\funcparam{cursor} is filled in with a cursor to be used in calls to
\funcname{get_next}.
\begin{funcdecl}{get_next}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcout
\funcarg{krb5_creds *}{creds}
\funcinout
\funcarg{krb5_cc_cursor *}{cursor}
\end{funcdecl}
Fetches the next entry from \funcparam{id}, returning its values in
\funcparam{*creds}, and updates \funcparam{*cursor} for the next request.
Requires that \funcparam{id} identifies a valid credentials cache and
\funcparam{*cursor} be a cursor returned by
\funcname{get_first} or a subsequent call to
\funcname{get_next}.
\begin{funcdecl}{end_get}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcarg{krb5_cc_cursor *}{cursor}
\end{funcdecl}
Finishes sequential processing mode and invalidates \funcparam{*cursor}.
\funcparam{*cursor} must never be re-used after this call.
Requires that \funcparam{id} identifies a valid credentials cache and
\funcparam{*cursor} be a cursor returned by
\funcname{get_first} or a subsequent call to
\funcname{get_next}.
\begin{funcdecl}{remove_cred}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcarg{krb5_flags}{which}
\funcarg{krb5_creds *}{cred}
\end{funcdecl}
Removes any credentials from \funcparam{id} which match the principal
name {cred{\ptsto}server} and the fields in \funcparam{cred} masked by
\funcparam{which}.
Requires that \funcparam{id} identifies a valid credentials cache.
\begin{funcdecl}{set_flags}{krb5_error_code}{\funcin}
\funcarg{krb5_ccache}{id}
\funcarg{krb5_flags}{flags}
\end{funcdecl}
Sets the flags on the cache \funcparam{id} to \funcparam{flags}. Useful
flags are defined in {\tt <krb5/ccache.h>}.