1 The totally incomplete guide to Citadel internals
2 -----------------------------------------------------
3 -----------------------------------------------------
5 Citadel has evolved quite a bit since its early days, and the data structures
6 have evolved with it. This document provides a rough overview of how the
7 system works internally. For details you're going to have to dig through the
8 code, but this'll get you started.
13 As you probably already know by now, Citadel uses a group of tables stored
14 with a record manager (usually Berkeley DB). Since we're using a record
15 manager rather than a relational database, all record structures are managed
16 by Citadel. Here are some of the tables we keep on disk:
21 This table contains all user records. It's indexed by
22 user name (translated to lower case for indexing purposes). The records in
23 this file look something like this:
25 struct ctdluser { /* User record */
26 int version; /* Cit vers. which created this rec */
27 uid_t uid; /* Associate with a unix account? */
28 char password[32]; /* password (for Citadel-only users)*/
29 unsigned flags; /* See US_ flags below */
30 long timescalled; /* Total number of logins */
31 long posted; /* Number of messages posted (ever) */
32 CIT_UBYTE axlevel; /* Access level */
33 long usernum; /* User number (never recycled) */
34 time_t lastcall; /* Last time the user called */
35 int USuserpurge; /* Purge time (in days) for user */
36 char fullname[64]; /* Name for Citadel messages & mail */
39 Most fields here should be fairly self-explanatory. The ones that might
40 deserve some attention are:
42 - *uid* -- if uid is not the same as the *unix uid* Citadel is running as, then the
43 account is assumed to belong to the user on the underlying Unix system with
44 that uid. This allows us to require the user's OS password instead of having
45 a separate Citadel password.
47 - *usernum* -- these are assigned sequentially, and **NEVER REUSED**. This is
48 important because it allows us to use this number in other data structures
49 without having to worry about users being added/removed later on, as you'll
50 see later in this document.
55 These are room records. There is a room record for every room on the
56 system, public or private or mailbox. It's indexed by room name (also in
57 lower case for easy indexing) and it contains records which look like this:
60 char QRname[ROOMNAMELEN]; /* Name of room */
61 char QRpasswd[10]; /* Only valid if it's a private rm */
62 long QRroomaide; /* User number of room aide */
63 long QRhighest; /* Highest message NUMBER in room */
64 time_t QRgen; /* Generation number of room */
65 unsigned QRflags; /* See flag values below */
66 char QRdirname[15]; /* Directory name, if applicable */
67 long QRinfo; /* Info file update relative to msgs*/
68 char QRfloor; /* Which floor this room is on */
69 time_t QRmtime; /* Date/time of last post */
70 struct ExpirePolicy QRep; /* Message expiration policy */
71 long QRnumber; /* Globally unique room number */
72 char QRorder; /* Sort key for room listing order */
73 unsigned QRflags2; /* Additional flags */
74 int QRdefaultview; /* How to display the contents */
77 Again, mostly self-explanatory. Here are the interesting ones:
79 *QRnumber* is a globally unique room ID, while QRgen is the "generation number"
80 of the room (it's actually a timestamp). The two combined produce a unique
81 value which identifies the room. The reason for two separate fields will be
82 explained below when we discuss the visit table. For now just remember that
83 *QRnumber* remains the same for the duration of the room's existence, and QRgen
84 is timestamped once during room creation but may be restamped later on when
85 certain circumstances exist.
89 Floors. This is so simplistic it's not worth going into detail about, except
90 to note that we keep a reference count of the number of rooms on each floor.
94 Each record in this table consists of a bunch of message numbers
95 which represent the contents of a room. A message can exist in more than one
96 room (for example, a mail message with multiple recipients -- 'single instance
97 store'). This table is never, ever traversed in its entirety. When you do
98 any type of read operation, it fetches the msglist for the room you're in
99 (using the room's ID as the index key) and then you can go ahead and read
100 those messages one by one.
102 Each room is basically just a list of message numbers. Each time
103 we enter a new message in a room, its message number is appended to the end
104 of the list. If an old message is to be expired, we must delete it from the
105 message base. Reading a room is just a matter of looking up the messages
106 one by one and sending them to the client for display, printing, or whatever.
111 This is the tough one. Put on your thinking cap and grab a fresh cup of
112 coffee before attempting to grok the visit table.
114 This table contains records which establish the relationship between users
115 and rooms. Its index is a hash of the user and room combination in question.
116 When looking for such a relationship, the record in this table can tell the
117 server things like "this user has zapped this room," "this user has access to
118 this private room," etc. It's also where we keep track of which messages
119 the user has marked as "old" and which are "new" (which are not necessarily
120 contiguous; contrast with older Citadel implementations which simply kept a
121 "last read" pointer).
124 Here's what the records look like:
131 unsigned int v_flags;
136 #define V_FORGET 1 /* User has zapped this room */
137 #define V_LOCKOUT 2 /* User is locked out of this room */
138 #define V_ACCESS 4 /* Access is granted to this room */
140 This table is indexed by a concatenation of the first three fields. Whenever
141 we want to learn the relationship between a user and a room, we feed that
142 data to a function which looks up the corresponding record. The record is
143 designed in such a way that an "all zeroes" record (which is what you get if
144 the record isn't found) represents the default relationship.
146 With this data, we now know which private rooms we're allowed to visit: if
147 the *V_ACCESS* bit is set, the room is one which the user knows, and it may
148 appear in his/her known rooms list. Conversely, we also know which rooms the
149 user has zapped: if the *V_FORGET* flag is set, we relegate the room to the
150 zapped list and don't bring it up during new message searches. It's also
151 worth noting that the *V_LOCKOUT* flag works in a similar way to administratively
152 lock users out of rooms.
154 Implementing the "cause all users to forget room" command, then, becomes very
155 simple: we simply change the generation number of the room by putting a new
156 timestamp in the *QRgen* field. This causes all relevant visit records to
157 become irrelevant, because they appear to point to a different room. At the
158 same time, we don't lose the messages in the room, because the msglists table
159 is indexed by the room number (*QRnumber*), which never changes.
161 *v_seen* contains a string which represents the set of messages in this room
162 which the user has read (marked as 'seen' or 'old'). It follows the same
163 syntax used by IMAP and NNTP. When we search for new messages, we simply
164 return any messages that are in the room that are **not** represented by this
165 set. Naturally, when we do want to mark more messages as seen (or unmark
166 them), we change this string. Citadel BBS client implementations are naive
167 and think linearly in terms of "everything is old up to this point," but IMAP
168 clients want to have more granularity.
173 This table simply maps Internet e-mail addresses to Citadel network addresses
174 for quick lookup. It is generated from data in the Global Address Book room.
178 This table keeps track of message ID's of messages arriving over a network,
179 to prevent duplicates from being posted if someone misconfigures the network
180 and a loop is created. This table goes unused on a non-networked Citadel.
184 This is where all message text is stored. It's indexed by message number:
185 give it a number, get back a message. Messages are numbered sequentially, and
186 the message numbers are never reused.
188 We also keep a "metadata" record for each message. This record is also stored
189 in the msgmain table, using the index (0 - msgnum). We keep in the metadata
190 record, among other things, a reference count for each message. Since a
191 message may exist in more than one room, it's important to keep this reference
192 count up to date, and to delete the message from disk when the reference count
195 #Here's the format for the message itself:
197 - Each message begins with an 0xFF 'start of message' byte.
199 - The next byte denotes whether this is an anonymous message. The codes
200 available are *MES_NORMAL*, *MES_ANON*, or *MES_AN2* (defined in citadel.h).
202 - The third byte is a "message type" code. The following codes are defined:
203 - 0 - "Traditional" Citadel format. Message is to be displayed "formatted."
204 - 1 - Plain pre-formatted ASCII text (otherwise known as text/plain)
205 - 4 - MIME formatted message. The text of the message which follows is
206 expected to begin with a "Content-type:" header.
208 - After these three opening bytes, the remainder of
209 the message consists of a sequence of character strings. Each string
210 begins with a type byte indicating the meaning of the string and is
211 ended with a null. All strings are printable ASCII: in particular,
212 all numbers are in ASCII rather than binary. This is for simplicity,
213 both in implementing the system and in implementing other code to
214 work with the system. For instance, a database driven off Citadel archives
215 can do wildcard matching without worrying about unpacking binary data such
216 as message ID's first. To provide later downward compatability
217 all software should be written to IGNORE fields not currently defined.
220 #The type bytes currently defined are:
223 | BYTE | Enum | NW | Mnemonic | Enum / Comments
224 |-------|-------------------|------|----------------|---------------------------------------------------------
225 | A | eAuthor | from | Author | *eAuthor*
226 | | | | | Name of originator of message.
227 | B | eBig\_message | | Big message | *eBig\_message*
228 | | | | | This is a flag which indicates that the message is
229 | | | | | big, and Citadel is storing the body in a separate
230 | | | | | record. You will never see this field because the
231 | | | | | internal API handles it.
232 | C | eRemoteRoom | | RemoteRoom | *eRemoteRoom*
233 | | | | | when sent via Citadel Networking, this is the room
234 | | | | | its going to be put on the remote site.
235 | D | eDestination | | Destination | *eDestination*
236 | | | | | Contains name of the system this message should
237 | | | | | be sent to, for mail routing (private mail only).
238 | E | eExclusiveID | exti | Exclusive ID | *eExclusiveID*
239 | | | | | A persistent alphanumeric Message ID used for
240 | | | | | network replication. When a message arrives that
241 | | | | | contains an Exclusive ID, any existing messages which
242 | | | | | contain the same Exclusive ID and are *older* than this
243 | | | | | message should be deleted. If there exist any messages
244 | | | | | with the same Exclusive ID that are *newer*, then this
245 | | | | | message should be dropped.
246 | F | erFc822Addr | rfca | rFc822 address | *erFc822Addr*
247 | | | | | For Internet mail, this is the delivery address of the
248 | | | | | message author.
249 | H | eHumanNode | hnod | Human node name| *eHumanNode*
250 | | | | | Human-readable name of system message originated on.
251 | I | emessageId | msgn | Message ID | *emessageId*
252 | | | | | An RFC822-compatible message ID for this message.
253 | J | eJournal | jrnl | Journal | *eJournal*
254 | | | | | The presence of this field indicates that the message
255 | | | | | is disqualified from being journaled, perhaps because
256 | | | | | it is itself a journalized message and we wish to
257 | | | | | avoid double journaling.
258 | K | eReplyTo | rep2 | Reply-To | *eReplyTo*
259 | | | | | the Reply-To header for mailinglist outbound messages
260 | L | eListID | list | List-ID | *eListID*
261 | | | | | Mailing list identification, as per RFC 2919
262 | M | eMesageText | text | Message Text | *eMesageText*
263 | | | | | Normal ASCII, newlines seperated by CR's or LF's,
264 | | | | | null terminated as always.
265 | N | eNodeName | node | Nodename | *eNodeName*
266 | | | | | Contains node name of system message originated on.
267 | O | eOriginalRoom | room | Room | *eOriginalRoom* - Room of origin.
268 | P | eMessagePath | path | Path | *eMessagePath*
269 | | | | | Complete path of message, as in the UseNet news
270 | | | | | standard. A user should be able to send Internet mail
271 | | | | | to this path. (Note that your system name will not be
272 | | | | | tacked onto this until you're sending the message to
273 | | | | | someone else)
274 | R | eRecipient | rcpt | Recipient | *eRecipient* - Only present in Mail messages.
275 | S | eSpecialField | spec | Special field | *eSpecialField*
276 | | | | | Only meaningful for messages being spooled over a
277 | | | | | network. Usually means that the message isn't really
278 | | | | | a message, but rather some other network function:
279 | | | | | -> "S" followed by "FILE" (followed by a null, of
280 | | | | | course) means that the message text is actually an
281 | | | | | IGnet/Open file transfer. (OBSOLETE)
282 | | | | | -> "S" followed by "CANCEL" means that this message
283 | | | | | should be deleted from the local message base once
284 | | | | | it has been replicated to all network systems.
285 | T | eTimestamp | time | date/Time | *eTimestamp*
286 | | | | | Unix timestamp containing the creation date/time of
287 | | | | | the message.
288 | U | eMsgSubject | subj | sUbject | *eMsgSubject* - Optional.
289 | | | | | Developers may choose whether they wish to
290 | | | | | generate or display subject fields.
291 | V | eenVelopeTo | nvto | enVelope-to | *eenVelopeTo*
292 | | | | | The recipient specified in incoming SMTP messages.
293 | W | eWeferences | wefw | Wefewences | *eWeferences*
294 | | | | | Previous message ID's for conversation threading. When
295 | | | | | converting from RFC822 we use References: if present, or
296 | | | | | In-Reply-To: otherwise.
297 | | | | | (Who in extnotify spool messages which don't need to know
298 | | | | | other message ids)
299 | Y | eCarbonCopY | cccc | carbon copY | *eCarbonCopY*
300 | | | | | Optional, and only in Mail messages.
301 | 0 | eErrorMsg | | Error | *eErrorMsg*
302 | | | | | This field is typically never found in a message on
303 | | | | | disk or in transit. Message scanning modules are
304 | | | | | expected to fill in this field when rejecting a message
305 | | | | | with an explanation as to what happened (virus found,
306 | | | | | message looks like spam, etc.)
307 | 1 | eSuppressIdx | | suppress index | *eSuppressIdx*
308 | | | | | The presence of this field indicates that the message is
309 | | | | | disqualified from being added to the full text index.
310 | 2 | eExtnotify | | extnotify | *eExtnotify* - Used internally by the serv_extnotify module.
311 | 3 | eVltMsgNum | | msgnum | *eVltMsgNum*
312 | | | | | Used internally to pass the local message number in the
313 | | | | | database to after-save hooks. Discarded afterwards.
317 Let *<FF>* be a *0xFF* byte, and *<0>* be a null *(0x00)* byte. Then a message
320 Apr 12, 1988 23:16 From Test User In Network Test> @lifesys (Life Central)
323 might be stored as...
325 <FF><40><0>I12345<0>Pneighbor!lifesys!test_user<0>T576918988<0> (continued)
326 -----------|Mesg ID#|--Message Path---------------|--Date------
328 AThe Test User<0>ONetwork Test<0>Nlifesys<0>HLife Central<0>MHave a nice day!<0>
329 |-----Author-----|-Room name-----|-nodename-|Human Name-|--Message text-----
331 Weird things can happen if fields are missing, especially if you use the
332 networker. But basically, the date, author, room, and nodename may be in any
333 order. But the leading fields and the message text must remain in the same
334 place. The H field looks better when it is placed immediately after the N
338 EUID (EXCLUSIVE MESSAGE ID'S)
339 -----------------------------
340 This is where the groupware magic happens. Any message in any room may have
341 a field called the Exclusive message *ID*, or *EUID*. We keep an index in the
342 table *CDB_EUIDINDEX* which knows the message number of any item that has an
343 *EUID*. This allows us to do two things:
345 - If a subsequent message arrives with the same *EUID*, it automatically
346 *deletes* the existing one, because the new one is considered a replacement
347 for the existing one.
348 - If we know the *EUID* of the item we're looking for, we can fetch it by *EUID*
349 and get the most up-to-date version, even if it's been updated several times.
351 This functionality is made more useful by server-side hooks. For example,
352 when we save a vCard to an address book room, or an iCalendar item to a
353 calendar room, our server modules detect this condition, and automatically set
354 the *EUID* of the message to the *UUID* of the *vCard* or *iCalendar* item.
355 Therefore when you save an updated version of an address book entry or
356 a calendar item, the old one is automatically deleted.
358 NETWORKING (REPLICATION)
359 ------------------------
360 Citadel nodes network by sharing one or more rooms. Any Citadel node
361 can choose to share messages with any other Citadel node, through the sending
362 of spool files. The sending system takes all messages it hasn't sent yet, and
363 spools them to the recieving system, which posts them in the rooms.
365 The *EUID* discussion above is extremely relevant, because *EUID* is carried over
366 the network as well, and the replacement rules are followed over the network
367 as well. Therefore, when a message containing an *EUID* is saved in a networked
368 room, it replaces any existing message with the same *EUID* *on every node in
371 Complexities arise primarily from the possibility of densely connected
372 networks: one does not wish to accumulate multiple copies of a given
373 message, which can easily happen. Nor does one want to see old messages
374 percolating indefinitely through the system.
376 This problem is handled by keeping track of the path a message has taken over
377 the network, like the UseNet news system does. When a system sends out a
378 message, it adds its own name to the bang-path in the *<P>* field of the
379 message. If no path field is present, it generates one.
381 With the path present, all the networker has to do to assure that it doesn't
382 send another system a message it's already received is check the <P>ath field
383 for that system's name somewhere in the bang path. If it's present, the system
384 has already seen the message, so we don't send it.
386 We also keep a small database, called the "use table," containing the ID's of
387 all messages we've seen recently. If the same message arrives a second or
388 subsequent time, we will find its ID in the use table, indicating that we
389 already have a copy of that message. It will therefore be discarded.
391 The above discussion should make the function of the fields reasonably clear:
393 o Travelling messages need to carry original message-id, system of origin,
394 date of origin, author, and path with them, to keep reproduction and
395 cycling under control.
397 (Uncoincidentally) the format used to transmit messages for networking
398 purposes is precisely that used on disk, serialized. The current
399 distribution includes serv_network.c, which is basically a database replicator;
400 please see network.txt on its operation and functionality (if any).
404 Citadel is 64-bit clean, architecture-independent, and Year 2000
405 compliant. The software should compile on any POSIX compliant system with
406 a full pthreads implementation and TCP/IP support. In the future we may
407 try to port it to non-POSIX systems as well.
409 On the client side, it's also POSIX compliant. The client even seems to
410 build ok on non-POSIX systems with porting libraries (such as Cygwin).
412 SUPPORTING PRIVATE MAIL
413 -----------------------
414 Can one have an elegant kludge? This must come pretty close.
416 Private mail is sent and recieved in the *Mail>* room, which otherwise
417 behaves pretty much as any other room. To make this work, we have a
418 separate Mail> room for each user behind the scenes. The actual room name
419 in the database looks like *"0000001234.Mail"* (where *'1234'* is the user
420 number) and it's flagged with the *QR_MAILBOX* flag. The user number is
421 stripped off by the server before the name is presented to the client. This
422 provides the ability to give each user a separate namespace for mailboxes
425 This requires a little fiddling to get things just right. For example,
426 *make_message()* has to be kludged to ask for the name of the recipient
427 of the message whenever a message is entered in *Mail>*. But basically
428 it works pretty well, keeping the code and user interface simple and
431 PASSWORDS AND NAME VALIDATION
432 -----------------------------
433 This has changed a couple of times over the course of Citadel's history. At
434 this point it's very simple, again due to the fact that record managers are
435 used for everything. The user file (user) is indexed using the user's
436 name, converted to all lower-case. Searching for a user, then, is easy. We
437 just lowercase the name we're looking for and query the database. If no
438 match is found, it is assumed that the user does not exist.
440 This makes it difficult to forge messages from an existing user. (Fine
441 point: nonprinting characters are converted to printing characters, and
442 leading, trailing, and double blanks are deleted.)
projects / citadel.git / blob