projects / apple / security.git / blame
| Commit | Line | Data |
|---|---|---|
| d8f41ccd A |
1 | /* |
| 2 | * Copyright (c) 2003-2007,2009-2010 Apple Inc. All Rights Reserved. | |
| 3 | * | |
| 4 | * @APPLE_LICENSE_HEADER_START@ | |
| 5 | * | |
| 6 | * This file contains Original Code and/or Modifications of Original Code | |
| 7 | * as defined in and that are subject to the Apple Public Source License | |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in | |
| 9 | * compliance with the License. Please obtain a copy of the License at | |
| 10 | * http://www.opensource.apple.com/apsl/ and read it before using this | |
| 11 | * file. | |
| 12 | * | |
| 13 | * The Original Code and all software distributed under the License are | |
| 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
| 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
| 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
| 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
| 18 | * Please see the License for the specific language governing rights and | |
| 19 | * limitations under the License. | |
| 20 | * | |
| 21 | * @APPLE_LICENSE_HEADER_END@ | |
| 22 | * | |
| 23 | * AuthorizationRule.h | |
| 24 | * Security | |
| 25 | * | |
| 26 | */ | |
| 27 | ||
| 28 | #ifndef _H_AUTHORIZATIONRULE | |
| 29 | #define _H_AUTHORIZATIONRULE 1 | |
| 30 | ||
| 31 | #include <CoreFoundation/CoreFoundation.h> | |
| 32 | #include <security_cdsa_utilities/AuthorizationData.h> | |
| 33 | #include "authority.h" | |
| 5c19dc3a | 34 | #include "agentclient.h" |
| d8f41ccd A |
35 | |
| 36 | namespace Authorization | |
| 37 | { | |
| 38 | ||
| 39 | class Rule; | |
| 40 | ||
| 41 | class RuleImpl : public RefCount | |
| 42 | { | |
| 43 | public: | |
| 44 | RuleImpl(); | |
| 45 | RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules); | |
| 46 | ||
| 47 | OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, | |
| 48 | AuthorizationFlags flags, CFAbsoluteTime now, | |
| 49 | const CredentialSet *inCredentials, CredentialSet &credentials, | |
| 50 | AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; | |
| 51 | ||
| 52 | string name() const { return mRightName; } | |
| 53 | bool extractPassword() const { return mExtractPassword; } | |
| 54 | ||
| 55 | private: | |
| 56 | // internal machinery | |
| 57 | ||
| 58 | // evaluate credential for right | |
| 59 | OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, | |
| 60 | const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const; | |
| 61 | // evaluate user credential (authentication) for right | |
| 62 | OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const; | |
| 63 | ||
| 64 | OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule, | |
| 65 | AuthItemSet &environmentToClient, AuthorizationFlags flags, | |
| 66 | CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, | |
| 67 | AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; | |
| 68 | ||
| 69 | void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const; | |
| 70 | ||
| 71 | // perform authorization based on running specified mechanisms (see evaluateMechanism) | |
| 72 | OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; | |
| 73 | ||
| 74 | OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule, | |
| 75 | AuthItemSet &environmentToClient, AuthorizationFlags flags, | |
| 76 | CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, | |
| 77 | AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; | |
| 78 | ||
| 79 | OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const; | |
| 80 | ||
| 81 | // find username hint based on session owner | |
| 82 | OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const; | |
| 83 | ||
| 84 | CredentialSet makeCredentials(const AuthorizationToken &auth) const; | |
| 85 | ||
| 86 | map<string,string> localizedPrompts() const { return mLocalizedPrompts; } | |
| 87 | map<string,string> localizedButtons() const { return mLocalizedButtons; } | |
| 88 | ||
| 89 | ||
| 90 | // parsed attributes | |
| 91 | private: | |
| 92 | enum Type | |
| 93 | { | |
| 94 | kDeny, | |
| 95 | kAllow, | |
| 96 | kUser, | |
| 97 | kRuleDelegation, | |
| 98 | kKofN, | |
| 99 | kEvaluateMechanisms, | |
| 100 | } mType; | |
| 101 | ||
| 102 | string mRightName; | |
| 103 | string mGroupName; | |
| 104 | CFTimeInterval mMaxCredentialAge; | |
| 105 | bool mShared; | |
| 106 | bool mAllowRoot; | |
| 107 | vector<string> mEvalDef; | |
| 108 | bool mSessionOwner; | |
| 109 | vector<Rule> mRuleDef; | |
| 110 | uint32_t mKofN; | |
| 111 | mutable uint32_t mTries; | |
| 112 | bool mExtractPassword; | |
| 113 | bool mAuthenticateUser; | |
| 114 | map<string,string> mLocalizedPrompts; | |
| 115 | map<string,string> mLocalizedButtons; | |
| 116 | ||
| 117 | private: | |
| 118 | ||
| 119 | class Attribute | |
| 120 | { | |
| 121 | public: | |
| 122 | static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue); | |
| 123 | static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue); | |
| 124 | static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue); | |
| 125 | static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required); | |
| 126 | static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey); | |
| 127 | }; | |
| 128 | ||
| 129 | ||
| 130 | // keys | |
| 131 | static CFStringRef kUserGroupID; | |
| 132 | static CFStringRef kTimeoutID; | |
| 133 | static CFStringRef kSharedID; | |
| 134 | static CFStringRef kAllowRootID; | |
| 135 | static CFStringRef kMechanismsID; | |
| 136 | static CFStringRef kSessionOwnerID; | |
| 137 | static CFStringRef kKofNID; | |
| 138 | static CFStringRef kPromptID; | |
| 139 | static CFStringRef kButtonID; | |
| 140 | static CFStringRef kTriesID; | |
| 141 | static CFStringRef kExtractPasswordID; | |
| 142 | ||
| 143 | static CFStringRef kRuleClassID; | |
| 144 | static CFStringRef kRuleAllowID; | |
| 145 | static CFStringRef kRuleDenyID; | |
| 146 | static CFStringRef kRuleUserID; | |
| 147 | static CFStringRef kRuleDelegateID; | |
| 148 | static CFStringRef kRuleMechanismsID; | |
| 149 | static CFStringRef kRuleAuthenticateUserID; | |
| 150 | }; | |
| 151 | ||
| 152 | class Rule : public RefPointer<RuleImpl> | |
| 153 | { | |
| 154 | public: | |
| 155 | Rule(); | |
| 156 | Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules); | |
| 157 | }; | |
| 158 | ||
| 159 | }; /* namespace Authorization */ | |
| 160 | ||
| 161 | #endif /* ! _H_AUTHORIZATIONRULE */ |