[apple/security.git] / codesign_wrapper / MISEntitlement.c

#include "MISEntitlement.h"

static const CFStringRef kEntitlementAllValuesAllowed = CFSTR("*");

static Boolean whitelistArrayAllowsEntitlementValue(CFArrayRef whitelist, CFStringRef value)
{
    Boolean allowed = false;

    CFIndex i, count = CFArrayGetCount(whitelist);
    for (i = 0; (i < count) && (allowed == false); i++) {
        CFStringRef item = (CFStringRef) CFArrayGetValueAtIndex(whitelist, i);
        if (CFGetTypeID(item) == CFStringGetTypeID()) {

            CFIndex len = CFStringGetLength(item);
            if (len > 0) {
                if (CFStringGetCharacterAtIndex(item, len-1) != '*') {

                    /* Not a wildcard, must be an exact match */
                    allowed = CFStringCompare(item, value, 0) == kCFCompareEqualTo;
                } else {

                    /* Last character is a wildcard - do some matching */
                    CFStringRef wildcardPrefix = CFStringCreateWithSubstring(kCFAllocatorDefault, item, CFRangeMake(0, len-1));
                    allowed = CFStringHasPrefix(value, wildcardPrefix);
                    CFRelease(wildcardPrefix);
                }
            }
        } else {

            /* Unexpected item in whitelist - bail */
            break;
        }
    }

    return allowed;
}

Boolean MISEntitlementDictionaryAllowsEntitlementValue(CFDictionaryRef entitlements, CFStringRef entitlement, CFTypeRef value)
{
    Boolean allowsEntitlement = false;

    /* NULL is never a valid entitlement value */
    if (value != NULL) {

        /* Make sure the entitlement is present */
        CFTypeRef storedValue = CFDictionaryGetValue(entitlements, entitlement);
        if (storedValue != NULL) {

            /*
             * Handling depends on the type
             * If the value matches our constant, the entitlement is permitted
             * to have any value.
             * If the value in the dictionary is a boolean, then the entitlement
             * value must be a boolean with the same value
             * If the value in the dictionary is an array (of strings), then the
             * entitlement must be either one of those strings OR an array that
             * includes only present strings
             */
            if (CFEqual(storedValue, kEntitlementAllValuesAllowed) == true) {

                /* XXX: Does this need to restrict the value to some types */
                allowsEntitlement = true;
            } else if (CFGetTypeID(storedValue) == CFBooleanGetTypeID()) {
                allowsEntitlement = CFEqual(storedValue, value);
            } else if (CFGetTypeID(storedValue) == CFStringGetTypeID()) {
                if (CFGetTypeID(value) == CFStringGetTypeID()) {
                    CFArrayRef array = CFArrayCreate(kCFAllocatorDefault, (const void **) &storedValue, 1, &kCFTypeArrayCallBacks);
                    allowsEntitlement = whitelistArrayAllowsEntitlementValue(array, (CFStringRef) value);
                    CFRelease(array);
                }
            } else if (CFGetTypeID(storedValue) == CFArrayGetTypeID()) {

                /* value is either a single string or array of strings */
                if (CFGetTypeID(value) == CFStringGetTypeID()) {
                    allowsEntitlement = whitelistArrayAllowsEntitlementValue((CFArrayRef) storedValue, (CFStringRef) value);
                } else if (CFGetTypeID(value) == CFArrayGetTypeID()) {

                    /*
                     * Assume allowed, will set back to false if we encounter
                     * elements that are not permitted
                     */
                    allowsEntitlement = true;

                    /* Make sure each element is a string and in the array */
                    CFIndex i, count = CFArrayGetCount((CFArrayRef) value);
                    for (i = 0; (i < count) && (allowsEntitlement == true); i++) {
                        CFTypeRef element = CFArrayGetValueAtIndex((CFArrayRef) value, i);
                        if (CFGetTypeID(element) == CFStringGetTypeID()) {
                            allowsEntitlement = whitelistArrayAllowsEntitlementValue((CFArrayRef) storedValue, (CFStringRef) element);
                        } else {
                            allowsEntitlement = false;
                        }
                    }
                }
            }
        }
    }

    return allowsEntitlement;
}
Commit	Line	Data
d8f41ccd A	1	#include "MISEntitlement.h"
	2
	3	static const CFStringRef kEntitlementAllValuesAllowed = CFSTR("*");
	4
	5	static Boolean whitelistArrayAllowsEntitlementValue(CFArrayRef whitelist, CFStringRef value)
	6	{
	7	Boolean allowed = false;
	8
	9	CFIndex i, count = CFArrayGetCount(whitelist);
	10	for (i = 0; (i < count) && (allowed == false); i++) {
	11	CFStringRef item = (CFStringRef) CFArrayGetValueAtIndex(whitelist, i);
	12	if (CFGetTypeID(item) == CFStringGetTypeID()) {
	13
	14	CFIndex len = CFStringGetLength(item);
	15	if (len > 0) {
	16	if (CFStringGetCharacterAtIndex(item, len-1) != '*') {
	17
	18	/* Not a wildcard, must be an exact match */
	19	allowed = CFStringCompare(item, value, 0) == kCFCompareEqualTo;
	20	} else {
	21
	22	/* Last character is a wildcard - do some matching */
	23	CFStringRef wildcardPrefix = CFStringCreateWithSubstring(kCFAllocatorDefault, item, CFRangeMake(0, len-1));
	24	allowed = CFStringHasPrefix(value, wildcardPrefix);
	25	CFRelease(wildcardPrefix);
	26	}
	27	}
	28	} else {
	29
	30	/* Unexpected item in whitelist - bail */
	31	break;
	32	}
	33	}
	34
	35	return allowed;
	36	}
	37
	38	Boolean MISEntitlementDictionaryAllowsEntitlementValue(CFDictionaryRef entitlements, CFStringRef entitlement, CFTypeRef value)
	39	{
	40	Boolean allowsEntitlement = false;
	41
	42	/* NULL is never a valid entitlement value */
	43	if (value != NULL) {
	44
	45	/* Make sure the entitlement is present */
	46	CFTypeRef storedValue = CFDictionaryGetValue(entitlements, entitlement);
	47	if (storedValue != NULL) {
	48
	49	/*
	50	* Handling depends on the type
	51	* If the value matches our constant, the entitlement is permitted
	52	* to have any value.
	53	* If the value in the dictionary is a boolean, then the entitlement
	54	* value must be a boolean with the same value
	55	* If the value in the dictionary is an array (of strings), then the
	56	* entitlement must be either one of those strings OR an array that
	57	* includes only present strings
	58	*/
	59	if (CFEqual(storedValue, kEntitlementAllValuesAllowed) == true) {
	60
	61	/* XXX: Does this need to restrict the value to some types */
	62	allowsEntitlement = true;
	63	} else if (CFGetTypeID(storedValue) == CFBooleanGetTypeID()) {
	64	allowsEntitlement = CFEqual(storedValue, value);
65	} else if (CFGetTypeID(storedValue) == CFStringGetTypeID()) {
66	if (CFGetTypeID(value) == CFStringGetTypeID()) {
67	CFArrayRef array = CFArrayCreate(kCFAllocatorDefault, (const void **) &storedValue, 1, &kCFTypeArrayCallBacks);
68	allowsEntitlement = whitelistArrayAllowsEntitlementValue(array, (CFStringRef) value);
69	CFRelease(array);
70	}
71	} else if (CFGetTypeID(storedValue) == CFArrayGetTypeID()) {
72
73	/* value is either a single string or array of strings */
74	if (CFGetTypeID(value) == CFStringGetTypeID()) {
75	allowsEntitlement = whitelistArrayAllowsEntitlementValue((CFArrayRef) storedValue, (CFStringRef) value);
76	} else if (CFGetTypeID(value) == CFArrayGetTypeID()) {
77
78	/*
79	* Assume allowed, will set back to false if we encounter
80	* elements that are not permitted
81	*/
82	allowsEntitlement = true;
83
84	/* Make sure each element is a string and in the array */
85	CFIndex i, count = CFArrayGetCount((CFArrayRef) value);
86	for (i = 0; (i < count) && (allowsEntitlement == true); i++) {
87	CFTypeRef element = CFArrayGetValueAtIndex((CFArrayRef) value, i);
88	if (CFGetTypeID(element) == CFStringGetTypeID()) {
89	allowsEntitlement = whitelistArrayAllowsEntitlementValue((CFArrayRef) storedValue, (CFStringRef) element);
90	} else {
91	allowsEntitlement = false;
92	}
93	}
94	}
95	}
96	}
97	}
98
99	return allowsEntitlement;
100	}