[apple/security.git] / authd / credential.c

/* Copyright (c) 2012 Apple Inc. All rights reserved. */

#include "credential.h"
#include "authutilities.h"
#include "debugging.h"
#include "crc.h"

#include <pwd.h>
#include <membership.h>
#include <membershipPriv.h>

struct _credential_s {
    __AUTH_BASE_STRUCT_HEADER__;

    bool right;   // is least-privileged credential
    
    uid_t uid;
    char * name;
    char * realName;
    
    CFAbsoluteTime creationTime;
    bool valid;
    bool shared;
    
    CFMutableSetRef cachedGroups;
};

static void
_credential_finalize(CFTypeRef value)
{
    credential_t cred = (credential_t)value;
    
    free_safe(cred->name);
    free_safe(cred->realName);
    CFReleaseSafe(cred->cachedGroups);
}

static CFStringRef
_credential_copy_description(CFTypeRef value)
{
    credential_t cred = (credential_t)value;
    CFStringRef str = NULL;
    CFTimeZoneRef sys_tz = CFTimeZoneCopySystem();
    CFGregorianDate date = CFAbsoluteTimeGetGregorianDate(cred->creationTime, sys_tz);
    CFReleaseSafe(sys_tz);
    if (cred->right) {
        str = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("credential: right=%s, shared=%i, creation=%01i:%01i:%01i, valid=%i"), cred->name, cred->shared, date.hour,date.minute,(int32_t)date.second, cred->valid);
    } else {
        str = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("credential: uid=%i, name=%s, shared=%i, creation=%01i:%01i:%01i valid=%i"), cred->uid, cred->name, cred->shared, date.hour,date.minute,(int32_t)date.second, cred->valid);
    }
    return str;
}

static CFHashCode
_credential_hash(CFTypeRef value)
{
    credential_t cred = (credential_t)value;
    uint64_t crc = crc64_init();
    if (cred->right) {
        crc = crc64_update(crc, cred->name, strlen(cred->name));
    } else {
        crc = crc64_update(crc, &cred->uid, sizeof(cred->uid));
    }
    crc = crc64_update(crc, &cred->shared, sizeof(cred->shared));
    crc = crc64_final(crc);
    
    return crc;
}

static Boolean
_credential_equal(CFTypeRef value1, CFTypeRef value2)
{
    credential_t cred1 = (credential_t)value1;
    credential_t cred2 = (credential_t)value2;
    
    return _credential_hash(cred1) == _credential_hash(cred2);
}

AUTH_TYPE_INSTANCE(credential,
                   .init = NULL,
                   .copy = NULL,
                   .finalize = _credential_finalize,
                   .equal = _credential_equal,
                   .hash = _credential_hash,
                   .copyFormattingDesc = NULL,
                   .copyDebugDesc = _credential_copy_description
                   );

static CFTypeID credential_get_type_id() {
    static CFTypeID type_id = _kCFRuntimeNotATypeID;
    static dispatch_once_t onceToken;
    
    dispatch_once(&onceToken, ^{
        type_id = _CFRuntimeRegisterClass(&_auth_type_credential);
    });
    
    return type_id;
}

static credential_t
_credential_create()
{
    credential_t cred = NULL;
    
    cred = (credential_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, credential_get_type_id(), AUTH_CLASS_SIZE(credential), NULL);
    require(cred != NULL, done);
    
    cred->creationTime = CFAbsoluteTimeGetCurrent();
    cred->cachedGroups = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);;
    
done:
    return cred;
}

credential_t
credential_create(uid_t uid)
{
    credential_t cred = NULL;
    
    cred = _credential_create();
    require(cred != NULL, done);

    struct passwd *pw = getpwuid(uid);
	if (pw != NULL) {
        // avoid hinting a locked account
		if ( (pw->pw_passwd == NULL) || strcmp(pw->pw_passwd, "*") ) {
            cred->uid = pw->pw_uid;
            cred->name = _copy_string(pw->pw_name);
            cred->realName = _copy_string(pw->pw_gecos);
            cred->valid = true;
        } else {
            cred->uid = (uid_t)-2;
            cred->valid = false;
        }
        endpwent();
    }
    
done:
    return cred;
}

credential_t
credential_create_with_credential(credential_t srcCred, bool shared)
{
    credential_t cred = NULL;
    
    cred = _credential_create();
    require(cred != NULL, done);
    
    cred->uid = srcCred->uid;
    cred->name = _copy_string(srcCred->name);
    cred->realName = _copy_string(srcCred->realName);
    cred->valid = srcCred->valid;
    cred->right = srcCred->right;
    cred->shared = shared;
    
done:
    return cred;
}

credential_t
credential_create_with_right(const char * right)
{
    credential_t cred = NULL;
    
    cred = _credential_create();
    require(cred != NULL, done);
    
    cred->right = true;
    cred->name = _copy_string(right);
    cred->uid = (uid_t)-2;
    cred->valid = true;
    
done:
    return cred;
}

uid_t
credential_get_uid(credential_t cred)
{
    return cred->uid;
}

const char *
credential_get_name(credential_t cred)
{
    return cred->name;
}

const char *
credential_get_realname(credential_t cred)
{
    return cred->realName;
}

CFAbsoluteTime
credential_get_creation_time(credential_t cred)
{
    return cred->creationTime;
}

bool
credential_get_valid(credential_t cred)
{
    return cred->valid;
}

bool
credential_get_shared(credential_t cred)
{
    return cred->shared;
}

bool
credential_is_right(credential_t cred)
{
    return cred->right;
}

bool
credential_check_membership(credential_t cred,const char* group)
{
    bool result = false;
    CFStringRef cachedGroup = NULL;
    require(group != NULL, done);
    require(cred->uid != 0 || cred->uid != (uid_t)-2, done);
    require(cred->right != true, done);
    
    cachedGroup = CFStringCreateWithCString(kCFAllocatorDefault, group, kCFStringEncodingUTF8);
    require(cachedGroup != NULL, done);
    
    if (CFSetGetValue(cred->cachedGroups, cachedGroup) != NULL) {
        result = true;
        goto done;
    }
    
    int rc, ismember;
    uuid_t group_uuid, user_uuid;
    rc = mbr_group_name_to_uuid(group, group_uuid);
    require_noerr(rc, done);
    
    rc = mbr_uid_to_uuid(cred->uid, user_uuid);
    require_noerr(rc, done);
    
    rc = mbr_check_membership(user_uuid, group_uuid, &ismember);
    require_noerr(rc, done);
    
    result = ismember;
    
    if (ismember) {
        CFSetSetValue(cred->cachedGroups, cachedGroup);
    }

done:
    CFReleaseSafe(cachedGroup);
    return result;
}

void
credential_invalidate(credential_t cred)
{
    cred->valid = false;
}
Commit	Line	Data
427c49bc A	1	/* Copyright (c) 2012 Apple Inc. All rights reserved. */
	2
	3	#include "credential.h"
	4	#include "authutilities.h"
	5	#include "debugging.h"
	6	#include "crc.h"
	7
	8	#include <pwd.h>
	9	#include <membership.h>
	10	#include <membershipPriv.h>
	11
	12	struct _credential_s {
	13	__AUTH_BASE_STRUCT_HEADER__;
	14
	15	bool right; // is least-privileged credential
	16
	17	uid_t uid;
	18	char * name;
	19	char * realName;
	20
	21	CFAbsoluteTime creationTime;
	22	bool valid;
	23	bool shared;
	24
	25	CFMutableSetRef cachedGroups;
	26	};
	27
	28	static void
	29	_credential_finalize(CFTypeRef value)
	30	{
	31	credential_t cred = (credential_t)value;
	32
	33	free_safe(cred->name);
	34	free_safe(cred->realName);
	35	CFReleaseSafe(cred->cachedGroups);
	36	}
	37
	38	static CFStringRef
	39	_credential_copy_description(CFTypeRef value)
	40	{
	41	credential_t cred = (credential_t)value;
	42	CFStringRef str = NULL;
	43	CFTimeZoneRef sys_tz = CFTimeZoneCopySystem();
	44	CFGregorianDate date = CFAbsoluteTimeGetGregorianDate(cred->creationTime, sys_tz);
	45	CFReleaseSafe(sys_tz);
	46	if (cred->right) {
	47	str = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("credential: right=%s, shared=%i, creation=%01i:%01i:%01i, valid=%i"), cred->name, cred->shared, date.hour,date.minute,(int32_t)date.second, cred->valid);
	48	} else {
	49	str = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("credential: uid=%i, name=%s, shared=%i, creation=%01i:%01i:%01i valid=%i"), cred->uid, cred->name, cred->shared, date.hour,date.minute,(int32_t)date.second, cred->valid);
	50	}
	51	return str;
	52	}
	53
	54	static CFHashCode
	55	_credential_hash(CFTypeRef value)
	56	{
	57	credential_t cred = (credential_t)value;
	58	uint64_t crc = crc64_init();
	59	if (cred->right) {
	60	crc = crc64_update(crc, cred->name, strlen(cred->name));
	61	} else {
	62	crc = crc64_update(crc, &cred->uid, sizeof(cred->uid));
	63	}
	64	crc = crc64_update(crc, &cred->shared, sizeof(cred->shared));
65	crc = crc64_final(crc);
66
67	return crc;
68	}
69
70	static Boolean
71	_credential_equal(CFTypeRef value1, CFTypeRef value2)
72	{
73	credential_t cred1 = (credential_t)value1;
74	credential_t cred2 = (credential_t)value2;
75
76	return _credential_hash(cred1) == _credential_hash(cred2);
77	}
78
79	AUTH_TYPE_INSTANCE(credential,
80	.init = NULL,
81	.copy = NULL,
82	.finalize = _credential_finalize,
83	.equal = _credential_equal,
84	.hash = _credential_hash,
85	.copyFormattingDesc = NULL,
86	.copyDebugDesc = _credential_copy_description
87	);
88
89	static CFTypeID credential_get_type_id() {
90	static CFTypeID type_id = _kCFRuntimeNotATypeID;
91	static dispatch_once_t onceToken;
92
93	dispatch_once(&onceToken, ^{
94	type_id = _CFRuntimeRegisterClass(&_auth_type_credential);
95	});
96
97	return type_id;
98	}
99
100	static credential_t
101	_credential_create()
102	{
103	credential_t cred = NULL;
104
105	cred = (credential_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, credential_get_type_id(), AUTH_CLASS_SIZE(credential), NULL);
106	require(cred != NULL, done);
107
108	cred->creationTime = CFAbsoluteTimeGetCurrent();
109	cred->cachedGroups = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);;
110
111	done:
112	return cred;
113	}
114
115	credential_t
116	credential_create(uid_t uid)
117	{
118	credential_t cred = NULL;
119
120	cred = _credential_create();
121	require(cred != NULL, done);
122
123	struct passwd *pw = getpwuid(uid);
124	if (pw != NULL) {
125	// avoid hinting a locked account
126	if ( (pw->pw_passwd == NULL) \|\| strcmp(pw->pw_passwd, "*") ) {
127	cred->uid = pw->pw_uid;
128	cred->name = _copy_string(pw->pw_name);
129	cred->realName = _copy_string(pw->pw_gecos);
130	cred->valid = true;
131	} else {
132	cred->uid = (uid_t)-2;
133	cred->valid = false;
134	}
135	endpwent();
136	}
137
138	done:
139	return cred;
140	}
141
142	credential_t
143	credential_create_with_credential(credential_t srcCred, bool shared)
144	{
145	credential_t cred = NULL;
146
147	cred = _credential_create();
148	require(cred != NULL, done);
149
150	cred->uid = srcCred->uid;
151	cred->name = _copy_string(srcCred->name);
152	cred->realName = _copy_string(srcCred->realName);
153	cred->valid = srcCred->valid;
154	cred->right = srcCred->right;
155	cred->shared = shared;
156
157	done:
158	return cred;
159	}
160
161	credential_t
162	credential_create_with_right(const char * right)
163	{
164	credential_t cred = NULL;
165
166	cred = _credential_create();
167	require(cred != NULL, done);
168
169	cred->right = true;
170	cred->name = _copy_string(right);
171	cred->uid = (uid_t)-2;
172	cred->valid = true;
173
174	done:
175	return cred;
176	}
177
178	uid_t
179	credential_get_uid(credential_t cred)
180	{
181	return cred->uid;
182	}
183
184	const char *
185	credential_get_name(credential_t cred)
186	{
187	return cred->name;
188	}
189
190	const char *
191	credential_get_realname(credential_t cred)
192	{
193	return cred->realName;
194	}
195
196	CFAbsoluteTime
197	credential_get_creation_time(credential_t cred)
198	{
199	return cred->creationTime;
200	}
201
202	bool
203	credential_get_valid(credential_t cred)
204	{
205	return cred->valid;
206	}
207
208	bool
209	credential_get_shared(credential_t cred)
210	{
211	return cred->shared;
212	}
213
214	bool
215	credential_is_right(credential_t cred)
216	{
217	return cred->right;
218	}
219
220	bool
221	credential_check_membership(credential_t cred,const char* group)
222	{
223	bool result = false;
224	CFStringRef cachedGroup = NULL;
225	require(group != NULL, done);
226	require(cred->uid != 0 \|\| cred->uid != (uid_t)-2, done);
227	require(cred->right != true, done);
228
229	cachedGroup = CFStringCreateWithCString(kCFAllocatorDefault, group, kCFStringEncodingUTF8);
230	require(cachedGroup != NULL, done);
231
232	if (CFSetGetValue(cred->cachedGroups, cachedGroup) != NULL) {
233	result = true;
234	goto done;
235	}
236
237	int rc, ismember;
238	uuid_t group_uuid, user_uuid;
239	rc = mbr_group_name_to_uuid(group, group_uuid);
240	require_noerr(rc, done);
241
242	rc = mbr_uid_to_uuid(cred->uid, user_uuid);
243	require_noerr(rc, done);
244
245	rc = mbr_check_membership(user_uuid, group_uuid, &ismember);
246	require_noerr(rc, done);
247
248	result = ismember;
249
250	if (ismember) {
251	CFSetSetValue(cred->cachedGroups, cachedGroup);
252	}
253
254	done:
255	CFReleaseSafe(cachedGroup);
256	return result;
257	}
258
259	void
260	credential_invalidate(credential_t cred)
261	{
262	cred->valid = false;
263	}