[apple/mdnsresponder.git] / mDNSMacOSX / PreferencePane / ConfigurationAuthority.c

/*
    File: ConfigurationAuthority.c

    Abstract: Interface to system security framework that manages access
    to protected resources like system configuration preferences.

    Copyright: (c) Copyright 2005 Apple Computer, Inc. All rights reserved.

    Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple Computer, Inc.
    ("Apple") in consideration of your agreement to the following terms, and your
    use, installation, modification or redistribution of this Apple software
    constitutes acceptance of these terms.  If you do not agree with these terms,
    please do not use, install, modify or redistribute this Apple software.

    In consideration of your agreement to abide by the following terms, and subject
    to these terms, Apple grants you a personal, non-exclusive license, under Apple's
    copyrights in this original Apple software (the "Apple Software"), to use,
    reproduce, modify and redistribute the Apple Software, with or without
    modifications, in source and/or binary forms; provided that if you redistribute
    the Apple Software in its entirety and without modifications, you must retain
    this notice and the following text and disclaimers in all such redistributions of
    the Apple Software.  Neither the name, trademarks, service marks or logos of
    Apple Computer, Inc. may be used to endorse or promote products derived from the
    Apple Software without specific prior written permission from Apple.  Except as
    expressly stated in this notice, no other rights or licenses, express or implied,
    are granted by Apple herein, including but not limited to any patent rights that
    may be infringed by your derivative works or by other works in which the Apple
    Software may be incorporated.

    The Apple Software is provided by Apple on an "AS IS" basis.  APPLE MAKES NO
    WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED
    WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND OPERATION ALONE OR IN
    COMBINATION WITH YOUR PRODUCTS.

    IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR
    CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
    GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION, MODIFICATION AND/OR DISTRIBUTION
    OF THE APPLE SOFTWARE, HOWEVER CAUSED AND WHETHER UNDER THEORY OF CONTRACT, TORT
    (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN
    ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "ConfigurationAuthority.h"
#include "ConfigurationRights.h"

#include <AssertMacros.h>


static AuthorizationRef gAuthRef = 0;

static AuthorizationItem gAuthorizations[] = {   { UPDATE_SC_RIGHT, 0, NULL, 0 },
                                                 { EDIT_SYS_KEYCHAIN_RIGHT, 0, NULL, 0 }};
static AuthorizationRights gAuthSet = { sizeof gAuthorizations / sizeof gAuthorizations[0], gAuthorizations };

static CFDictionaryRef  CreateRightsDict( CFStringRef prompt)
/* Create a CFDictionary decribing an auth right. See /etc/authorization for examples. */
/* Specifies that the right requires admin authentication, which persists for 5 minutes. */
{
    CFMutableDictionaryRef dict = NULL, tmpDict;
    CFMutableArrayRef mechanisms;
    CFNumberRef timeout;
    int val;

    tmpDict = CFDictionaryCreateMutable( (CFAllocatorRef) NULL, 0, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    require( tmpDict != NULL, MakeDictFailed);

    CFDictionaryAddValue(tmpDict, CFSTR("class"), CFSTR("user"));
    CFDictionaryAddValue(tmpDict, CFSTR("comment"), prompt);
    CFDictionaryAddValue(tmpDict, CFSTR("group"), CFSTR("admin"));

    mechanisms = CFArrayCreateMutable((CFAllocatorRef) NULL, 1, &kCFTypeArrayCallBacks);
    require( mechanisms != NULL, MakeArrayFailed);
    CFArrayAppendValue( mechanisms, CFSTR("builtin:authenticate"));
    CFDictionaryAddValue( tmpDict, CFSTR("mechanisms"), mechanisms);

    val = 300;  // seconds
    timeout = CFNumberCreate((CFAllocatorRef) NULL, kCFNumberIntType, &val);
    require( timeout != NULL, MakeIntFailed);
    CFDictionaryAddValue( tmpDict, CFSTR("timeout"), timeout);
    CFDictionaryAddValue( tmpDict, CFSTR("shared"), kCFBooleanTrue);

    dict = tmpDict;
    tmpDict = NULL;

    CFRelease( timeout);
MakeIntFailed:
    CFRelease( mechanisms);
MakeArrayFailed:
    if ( tmpDict)
        CFRelease( tmpDict);
MakeDictFailed:
    return dict;
}

OSStatus InitConfigAuthority(void)
/* Initialize the authorization record-keeping */
{
    OSStatus err;
    CFDictionaryRef dict;
    CFStringRef rightInfo;

    err = AuthorizationCreate((AuthorizationRights*) NULL, (AuthorizationEnvironment*) NULL,
                              (AuthorizationFlags) 0, &gAuthRef);
    require_noerr( err, NewAuthFailed);

    err = AuthorizationRightGet( UPDATE_SC_RIGHT, (CFDictionaryRef*) NULL);
    if (err == errAuthorizationDenied)
    {
        rightInfo = CFCopyLocalizedString(CFSTR("Authentication required to set Dynamic DNS preferences."),
                                          CFSTR("Describes operation that requires user authorization"));
        require_action( rightInfo != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
        dict = CreateRightsDict(rightInfo);
        require_action( dict != NULL, GetStrFailed, err=coreFoundationUnknownErr;);

        err = AuthorizationRightSet(gAuthRef, UPDATE_SC_RIGHT, dict, (CFStringRef) NULL,
                                    (CFBundleRef) NULL, (CFStringRef) NULL);
        CFRelease(rightInfo);
        CFRelease(dict);
    }
    require_noerr( err, AuthSetFailed);

    err = AuthorizationRightGet( EDIT_SYS_KEYCHAIN_RIGHT, (CFDictionaryRef*) NULL);
    if (err == errAuthorizationDenied)
    {
        rightInfo = CFCopyLocalizedString( CFSTR("Authentication required to edit System Keychain."),
                                           CFSTR("Describes operation that requires user authorization"));
        require_action( rightInfo != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
        dict = CreateRightsDict( rightInfo);
        require_action( dict != NULL, GetStrFailed, err=coreFoundationUnknownErr;);

        err = AuthorizationRightSet(gAuthRef, EDIT_SYS_KEYCHAIN_RIGHT, dict, (CFStringRef) NULL,
                                    (CFBundleRef) NULL, (CFStringRef) NULL);
        CFRelease( rightInfo);
        CFRelease( dict);
    }
    require_noerr( err, AuthSetFailed);

AuthSetFailed:
GetStrFailed:
NewAuthFailed:
    return err;
}

OSStatus    AttemptAcquireAuthority( Boolean allowUI)
/* Try to get permission for privileged ops, either implicitly or by asking the user for */
/* authority to perform operations (if necessary) */
{
    AuthorizationFlags allowFlag = allowUI ? kAuthorizationFlagInteractionAllowed : 0;
    OSStatus err;

    err = AuthorizationCopyRights( gAuthRef, &gAuthSet, (AuthorizationEnvironment*) NULL,
                                   kAuthorizationFlagExtendRights | kAuthorizationFlagPreAuthorize |
                                   allowFlag,
                                   (AuthorizationRights**) NULL);
    return err;
}

OSStatus ReleaseAuthority(void)
/* Discard authority to perform operations */
{
    (void) AuthorizationFree( gAuthRef, kAuthorizationFlagDefaults);
    gAuthRef = 0;
    return AuthorizationCreate( (AuthorizationRights*) NULL, (AuthorizationEnvironment*) NULL,
                                (AuthorizationFlags) 0, &gAuthRef);
}

Boolean CurrentlyAuthorized(void)
{
    OSStatus err = AttemptAcquireAuthority(true);
    return err == noErr;
}


OSStatus ExternalizeAuthority(AuthorizationExternalForm *pAuth)
/* Package up current authorizations for transfer to another process */
{
    return AuthorizationMakeExternalForm(gAuthRef, pAuth);
}
Commit	Line	Data
7cb34e5c A	1	/*
	2	File: ConfigurationAuthority.c
	3
	4	Abstract: Interface to system security framework that manages access
	5	to protected resources like system configuration preferences.
	6
	7	Copyright: (c) Copyright 2005 Apple Computer, Inc. All rights reserved.
	8
	9	Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple Computer, Inc.
	10	("Apple") in consideration of your agreement to the following terms, and your
	11	use, installation, modification or redistribution of this Apple software
	12	constitutes acceptance of these terms. If you do not agree with these terms,
	13	please do not use, install, modify or redistribute this Apple software.
	14
	15	In consideration of your agreement to abide by the following terms, and subject
	16	to these terms, Apple grants you a personal, non-exclusive license, under Apple's
	17	copyrights in this original Apple software (the "Apple Software"), to use,
	18	reproduce, modify and redistribute the Apple Software, with or without
	19	modifications, in source and/or binary forms; provided that if you redistribute
	20	the Apple Software in its entirety and without modifications, you must retain
	21	this notice and the following text and disclaimers in all such redistributions of
	22	the Apple Software. Neither the name, trademarks, service marks or logos of
	23	Apple Computer, Inc. may be used to endorse or promote products derived from the
	24	Apple Software without specific prior written permission from Apple. Except as
	25	expressly stated in this notice, no other rights or licenses, express or implied,
	26	are granted by Apple herein, including but not limited to any patent rights that
	27	may be infringed by your derivative works or by other works in which the Apple
	28	Software may be incorporated.
	29
	30	The Apple Software is provided by Apple on an "AS IS" basis. APPLE MAKES NO
	31	WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED
	32	WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	33	PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND OPERATION ALONE OR IN
	34	COMBINATION WITH YOUR PRODUCTS.
	35
	36	IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR
	37	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
	38	GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	39	ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION, MODIFICATION AND/OR DISTRIBUTION
	40	OF THE APPLE SOFTWARE, HOWEVER CAUSED AND WHETHER UNDER THEORY OF CONTRACT, TORT
	41	(INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN
	42	ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
263eeeab	43	*/
7cb34e5c A	44
	45	#include "ConfigurationAuthority.h"
	46	#include "ConfigurationRights.h"
	47
	48	#include <AssertMacros.h>
	49
	50
83fb1e36	51	static AuthorizationRef gAuthRef = 0;
7cb34e5c	52
83fb1e36 A	53	static AuthorizationItem gAuthorizations[] = { { UPDATE_SC_RIGHT, 0, NULL, 0 },
	54	{ EDIT_SYS_KEYCHAIN_RIGHT, 0, NULL, 0 }};
	55	static AuthorizationRights gAuthSet = { sizeof gAuthorizations / sizeof gAuthorizations[0], gAuthorizations };
7cb34e5c	56
83fb1e36	57	static CFDictionaryRef CreateRightsDict( CFStringRef prompt)
7cb34e5c A	58	/* Create a CFDictionary decribing an auth right. See /etc/authorization for examples. */
	59	/* Specifies that the right requires admin authentication, which persists for 5 minutes. */
	60	{
83fb1e36 A	61	CFMutableDictionaryRef dict = NULL, tmpDict;
	62	CFMutableArrayRef mechanisms;
	63	CFNumberRef timeout;
	64	int val;
	65
	66	tmpDict = CFDictionaryCreateMutable( (CFAllocatorRef) NULL, 0, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	67	require( tmpDict != NULL, MakeDictFailed);
	68
	69	CFDictionaryAddValue(tmpDict, CFSTR("class"), CFSTR("user"));
	70	CFDictionaryAddValue(tmpDict, CFSTR("comment"), prompt);
	71	CFDictionaryAddValue(tmpDict, CFSTR("group"), CFSTR("admin"));
	72
	73	mechanisms = CFArrayCreateMutable((CFAllocatorRef) NULL, 1, &kCFTypeArrayCallBacks);
	74	require( mechanisms != NULL, MakeArrayFailed);
	75	CFArrayAppendValue( mechanisms, CFSTR("builtin:authenticate"));
	76	CFDictionaryAddValue( tmpDict, CFSTR("mechanisms"), mechanisms);
	77
	78	val = 300; // seconds
	79	timeout = CFNumberCreate((CFAllocatorRef) NULL, kCFNumberIntType, &val);
	80	require( timeout != NULL, MakeIntFailed);
	81	CFDictionaryAddValue( tmpDict, CFSTR("timeout"), timeout);
	82	CFDictionaryAddValue( tmpDict, CFSTR("shared"), kCFBooleanTrue);
	83
	84	dict = tmpDict;
	85	tmpDict = NULL;
	86
	87	CFRelease( timeout);
7cb34e5c	88	MakeIntFailed:
83fb1e36	89	CFRelease( mechanisms);
7cb34e5c	90	MakeArrayFailed:
83fb1e36 A	91	if ( tmpDict)
83fb1e36 A	92	CFRelease( tmpDict);
7cb34e5c	93	MakeDictFailed:
83fb1e36	94	return dict;
7cb34e5c A	95	}
	96
	97	OSStatus InitConfigAuthority(void)
	98	/* Initialize the authorization record-keeping */
	99	{
83fb1e36 A	100	OSStatus err;
	101	CFDictionaryRef dict;
	102	CFStringRef rightInfo;
	103
	104	err = AuthorizationCreate((AuthorizationRights) NULL, (AuthorizationEnvironment) NULL,
	105	(AuthorizationFlags) 0, &gAuthRef);
	106	require_noerr( err, NewAuthFailed);
	107
	108	err = AuthorizationRightGet( UPDATE_SC_RIGHT, (CFDictionaryRef*) NULL);
	109	if (err == errAuthorizationDenied)
	110	{
	111	rightInfo = CFCopyLocalizedString(CFSTR("Authentication required to set Dynamic DNS preferences."),
	112	CFSTR("Describes operation that requires user authorization"));
	113	require_action( rightInfo != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
	114	dict = CreateRightsDict(rightInfo);
	115	require_action( dict != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
	116
	117	err = AuthorizationRightSet(gAuthRef, UPDATE_SC_RIGHT, dict, (CFStringRef) NULL,
	118	(CFBundleRef) NULL, (CFStringRef) NULL);
	119	CFRelease(rightInfo);
	120	CFRelease(dict);
	121	}
	122	require_noerr( err, AuthSetFailed);
	123
	124	err = AuthorizationRightGet( EDIT_SYS_KEYCHAIN_RIGHT, (CFDictionaryRef*) NULL);
	125	if (err == errAuthorizationDenied)
	126	{
	127	rightInfo = CFCopyLocalizedString( CFSTR("Authentication required to edit System Keychain."),
	128	CFSTR("Describes operation that requires user authorization"));
	129	require_action( rightInfo != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
	130	dict = CreateRightsDict( rightInfo);
	131	require_action( dict != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
	132
	133	err = AuthorizationRightSet(gAuthRef, EDIT_SYS_KEYCHAIN_RIGHT, dict, (CFStringRef) NULL,
	134	(CFBundleRef) NULL, (CFStringRef) NULL);
	135	CFRelease( rightInfo);
	136	CFRelease( dict);
	137	}
	138	require_noerr( err, AuthSetFailed);
7cb34e5c	139
7cb34e5c A	140	AuthSetFailed:
	141	GetStrFailed:
	142	NewAuthFailed:
83fb1e36	143	return err;
7cb34e5c A	144	}
7cb34e5c A	145
83fb1e36	146	OSStatus AttemptAcquireAuthority( Boolean allowUI)
7cb34e5c A	147	/* Try to get permission for privileged ops, either implicitly or by asking the user for */
	148	/* authority to perform operations (if necessary) */
	149	{
83fb1e36 A	150	AuthorizationFlags allowFlag = allowUI ? kAuthorizationFlagInteractionAllowed : 0;
	151	OSStatus err;
	152
	153	err = AuthorizationCopyRights( gAuthRef, &gAuthSet, (AuthorizationEnvironment*) NULL,
	154	kAuthorizationFlagExtendRights \| kAuthorizationFlagPreAuthorize \|
	155	allowFlag,
	156	(AuthorizationRights**) NULL);
	157	return err;
7cb34e5c A	158	}
	159
	160	OSStatus ReleaseAuthority(void)
	161	/* Discard authority to perform operations */
	162	{
83fb1e36 A	163	(void) AuthorizationFree( gAuthRef, kAuthorizationFlagDefaults);
	164	gAuthRef = 0;
	165	return AuthorizationCreate( (AuthorizationRights) NULL, (AuthorizationEnvironment) NULL,
	166	(AuthorizationFlags) 0, &gAuthRef);
7cb34e5c A	167	}
7cb34e5c A	168
83fb1e36	169	Boolean CurrentlyAuthorized(void)
7cb34e5c	170	{
83fb1e36 A	171	OSStatus err = AttemptAcquireAuthority(true);
83fb1e36 A	172	return err == noErr;
7cb34e5c A	173	}
	174
	175
	176	OSStatus ExternalizeAuthority(AuthorizationExternalForm *pAuth)
	177	/* Package up current authorizations for transfer to another process */
	178	{
83fb1e36	179	return AuthorizationMakeExternalForm(gAuthRef, pAuth);
7cb34e5c	180	}