[apple/security.git] / securityd / src / session.h

/*
 * Copyright (c) 2000-2010,2012-2013 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// session - authentication session domains
//
#ifndef _H_SESSION
#define _H_SESSION

#include "structure.h"
#include "acls.h"
#include "authhost.h"
#include <Security/AuthSession.h>
#include <security_utilities/casts.h>
#include <security_utilities/ccaudit.h>
#include <security_cdsa_utilities/handletemplates_defs.h>
#include <security_cdsa_utilities/u32handleobject.h>
#include <security_cdsa_utilities/cssmdb.h>
#include <bsm/audit.h>
#include <bsm/audit_session.h>
#include <sys/event.h>
#include "securityd_service/securityd_service/securityd_service_client.h"

class Key;
class Connection;
class Server;
class AuthHostInstance;

enum {
    session_keybag_locked           = 0,
    session_keybag_unlocked         = 1 << 0,
    session_keybag_check_master_key = 1 << 1,
    session_keybag_loaded           = 1 << 2,
};

//
// A Session object represents one or more Connections that are known to
// belong to the same authentication domain. Informally this means just
// about "the same user", for the right definition of "user." The upshot
// is that global credentials can be shared by Connections of one Session
// with a modicum of security, and so Sessions are the natural nexus of
// single-sign-on functionality.
//
class Session : public PerSession {
public:
	typedef au_asid_t SessionId;			// internal session identifier (audit session id)

    Session(const CommonCriteria::AuditInfo &audit, Server &server);
	virtual ~Session();
    
	Server &server() const;

	SessionId sessionId() const { return mAudit.sessionId(); }
	CommonCriteria::AuditInfo &auditInfo() { return mAudit; }
    
	IFDUMP(virtual void dumpNode());
    
public:
    static const SessionAttributeBits settableAttributes =
        sessionHasGraphicAccess | sessionHasTTY | sessionIsRemote | AU_SESSION_FLAG_HAS_AUTHENTICATED;

    SessionAttributeBits attributes() const			{ updateAudit(); return int_cast<au_asflgs_t,SessionAttributeBits>(mAudit.ai_flags); }
    bool attribute(SessionAttributeBits bits) const	{ return attributes() & bits; }
	void setAttributes(SessionAttributeBits bits);
	
    virtual void setupAttributes(SessionCreationFlags flags, SessionAttributeBits attrs);

	virtual uid_t originatorUid();

	static const char kUsername[];
    static const char kRealname[];
    
protected:
	void updateAudit() const;

public:
    void invalidateSessionAuthHosts();      // invalidate auth hosts in this session
    static void invalidateAuthHosts();      // invalidate auth hosts in all sessions
	
	static void processSystemSleep();
	void processLockAll();

	RefPointer<AuthHostInstance> authhost(const bool restart = false);

protected:
 	mutable CommonCriteria::AuditInfo mAudit;
	
	mutable Mutex mAuthHostLock;
	AuthHostInstance *mSecurityAgent;
	
	void kill();

public:
    void verifyKeyStorePassphrase(int32_t retries, bool useForACLFallback = false, const char *itemname = NULL);
    void changeKeyStorePassphrase();
    void resetKeyStorePassphrase(const CssmData &passphrase);
    service_context_t get_current_service_context();
    void keybagClearState(int state);
    void keybagSetState(int state);
    bool keybagGetState(int state);
private:
    int mKeybagState;

public:
	static Session &find(SessionId id, bool create);	// find and optionally create
    template <class SessionType> static SessionType &find(SecuritySessionId id);
	static void destroy(SessionId id);

protected:
	typedef std::map<SessionId, RefPointer<Session> > SessionMap;
	static SessionMap mSessions;
	static Mutex mSessionLock;
};


template <class SessionType>
SessionType &Session::find(SecuritySessionId id)
{
	if (SessionType *ssn = dynamic_cast<SessionType *>(&find(id, false)))
		return *ssn;
	else
		MacOSError::throwMe(errSessionInvalidId);
}


//
// The RootSession is the session of all code that originates from system startup processing
// and does not belong to any particular login origin. (Or, if you prefer, whose login origin
// is the system itself.)
//
class RootSession : public Session {
public:
    RootSession(uint64_t attributes, Server &server);
};


#endif //_H_SESSION
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2000-2010,2012-2013 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// session - authentication session domains
	27	//
	28	#ifndef _H_SESSION
	29	#define _H_SESSION
	30
	31	#include "structure.h"
	32	#include "acls.h"
d8f41ccd A	33	#include "authhost.h"
d8f41ccd A	34	#include <Security/AuthSession.h>
fa7225c8	35	#include <security_utilities/casts.h>
d8f41ccd A	36	#include <security_utilities/ccaudit.h>
	37	#include <security_cdsa_utilities/handletemplates_defs.h>
	38	#include <security_cdsa_utilities/u32handleobject.h>
	39	#include <security_cdsa_utilities/cssmdb.h>
	40	#include <bsm/audit.h>
	41	#include <bsm/audit_session.h>
	42	#include <sys/event.h>
	43	#include "securityd_service/securityd_service/securityd_service_client.h"
	44
	45	class Key;
	46	class Connection;
	47	class Server;
	48	class AuthHostInstance;
	49
	50	enum {
	51	session_keybag_locked = 0,
	52	session_keybag_unlocked = 1 << 0,
	53	session_keybag_check_master_key = 1 << 1,
	54	session_keybag_loaded = 1 << 2,
	55	};
	56
	57	//
	58	// A Session object represents one or more Connections that are known to
	59	// belong to the same authentication domain. Informally this means just
	60	// about "the same user", for the right definition of "user." The upshot
	61	// is that global credentials can be shared by Connections of one Session
	62	// with a modicum of security, and so Sessions are the natural nexus of
	63	// single-sign-on functionality.
	64	//
	65	class Session : public PerSession {
	66	public:
	67	typedef au_asid_t SessionId; // internal session identifier (audit session id)
	68
	69	Session(const CommonCriteria::AuditInfo &audit, Server &server);
	70	virtual ~Session();
	71
	72	Server &server() const;
	73
	74	SessionId sessionId() const { return mAudit.sessionId(); }
	75	CommonCriteria::AuditInfo &auditInfo() { return mAudit; }
	76
	77	IFDUMP(virtual void dumpNode());
	78
	79	public:
	80	static const SessionAttributeBits settableAttributes =
	81	sessionHasGraphicAccess \| sessionHasTTY \| sessionIsRemote \| AU_SESSION_FLAG_HAS_AUTHENTICATED;
	82
fa7225c8	83	SessionAttributeBits attributes() const { updateAudit(); return int_cast<au_asflgs_t,SessionAttributeBits>(mAudit.ai_flags); }
d8f41ccd A	84	bool attribute(SessionAttributeBits bits) const { return attributes() & bits; }
	85	void setAttributes(SessionAttributeBits bits);
	86
	87	virtual void setupAttributes(SessionCreationFlags flags, SessionAttributeBits attrs);
	88
	89	virtual uid_t originatorUid();
	90
d8f41ccd A	91	static const char kUsername[];
	92	static const char kRealname[];
	93
d8f41ccd A	94	protected:
	95	void updateAudit() const;
	96
d8f41ccd A	97	public:
	98	void invalidateSessionAuthHosts(); // invalidate auth hosts in this session
	99	static void invalidateAuthHosts(); // invalidate auth hosts in all sessions
	100
	101	static void processSystemSleep();
	102	void processLockAll();
	103
fa7225c8	104	RefPointer<AuthHostInstance> authhost(const bool restart = false);
d8f41ccd A	105
	106	protected:
	107	mutable CommonCriteria::AuditInfo mAudit;
	108
d8f41ccd A	109	mutable Mutex mAuthHostLock;
d8f41ccd A	110	AuthHostInstance *mSecurityAgent;
d8f41ccd A	111
	112	void kill();
	113
	114	public:
dd5fb164	115	void verifyKeyStorePassphrase(int32_t retries, bool useForACLFallback = false, const char *itemname = NULL);
d8f41ccd A	116	void changeKeyStorePassphrase();
	117	void resetKeyStorePassphrase(const CssmData &passphrase);
	118	service_context_t get_current_service_context();
	119	void keybagClearState(int state);
	120	void keybagSetState(int state);
	121	bool keybagGetState(int state);
	122	private:
	123	int mKeybagState;
	124
	125	public:
	126	static Session &find(SessionId id, bool create); // find and optionally create
	127	template <class SessionType> static SessionType &find(SecuritySessionId id);
	128	static void destroy(SessionId id);
	129
	130	protected:
	131	typedef std::map<SessionId, RefPointer<Session> > SessionMap;
	132	static SessionMap mSessions;
	133	static Mutex mSessionLock;
	134	};
	135
	136
	137	template <class SessionType>
	138	SessionType &Session::find(SecuritySessionId id)
	139	{
	140	if (SessionType ssn = dynamic_cast<SessionType >(&find(id, false)))
	141	return *ssn;
	142	else
	143	MacOSError::throwMe(errSessionInvalidId);
	144	}
	145
	146
	147	//
	148	// The RootSession is the session of all code that originates from system startup processing
	149	// and does not belong to any particular login origin. (Or, if you prefer, whose login origin
	150	// is the system itself.)
	151	//
	152	class RootSession : public Session {
	153	public:
	154	RootSession(uint64_t attributes, Server &server);
d8f41ccd A	155	};
	156
	157
	158	#endif //_H_SESSION