[apple/security.git] / Security / libsecurity_authorization / lib / AuthorizationPlugin.h

/*
 * Copyright (c) 2001-2002,2004,2011-2012,2014 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


/*
 *  AuthorizationPlugin.h
 *  AuthorizationPlugin -- APIs for implementing authorization plugins.
 */

#ifndef _SECURITY_AUTHORIZATIONPLUGIN_H_
#define _SECURITY_AUTHORIZATIONPLUGIN_H_

#include <Security/Authorization.h>

#if defined(__cplusplus)
extern "C" {
#endif


/*!
	@header AuthorizationPlugin
	
	The AuthorizationPlugin API allows the creation of plugins that can participate
	in authorization decisions.  Using the AuthorizationDB API the system can be configured
	to use these plugins.  Plugins are loaded into a separate process, the pluginhost, to 
	isolate the process of authorization from the client.  There are two types of pluginhosts.
	One runs as an anonymous user and can be used to communicate with the user, for example
	to ask for a password.  Another one runs with root privileges to perform privileged
	operations that may be required.

    A typical use is to implement additional policies that cannot be expressed in the
    authorization configuration.
    
    Plugins implement a handshake function called AuthorizationPluginCreate with which
    their interface (AuthorizationPluginInterface) and the engine's interface
    (AuthorizationCallbacks) are exchanged.  Plugins are asked to create 
    Mechanisms, which are the basic element as authorizations are performed.  
    
    Mechanisms are invoked when it is time for them to make a decision.  A decision is 
    made by setting a single result (AuthorizationResult).  Mechanisms in the 
    authorization can communicate auxiliary information by setting and/or getting hints 
    and setting and/or getting context data.  Hints are advisory and don't need to be
    looked at, nor are they preserved as part of the authorization result. Context data
    becomes part of the result of the authorization.
    
    Context data is tagged with a flag that describes whether the information is returned
    to the authorization client upon request (AuthorizationCopyInfo() in Authorization.h)
    or whether it's private to the mechanisms making a decision.
    
*/


/*!
	@typedef AuthorizationValue
    Auxiliary data is passed between the engine and the mechanism as AuthorizationValues
*/
typedef struct AuthorizationValue
{
    size_t length;
    void *data;
} AuthorizationValue;

/*!
    @typedef AuthorizationValueVector
    A vector of AuthorizationValues.  Used to communicate arguments passed from the 
    configuration file <code>authorization(5)</code>.
*/
typedef struct AuthorizationValueVector
{
	UInt32 count;
	AuthorizationValue *values;
} AuthorizationValueVector;

/*!
    @typedef
    Data produced as context during the authorization evaluation is tagged.  
    If data is set to be extractable (kAuthorizationContextFlagExtractable), it will be possible for the client of authorization to obtain the value of this attribute using AuthorizationCopyInfo().
    If data is marked as volatile (kAuthorizationContextFlagVolatile), this value will not be remembered in the AuthorizationRef.
    Sticky data (kAuthorizationContextFlagSticky) persists through a failed or interrupted evaluation. It can be used to propagate an error condition from a downstream plugin to an upstream one. It is not remembered in the AuthorizationRef.
*/
typedef UInt32 AuthorizationContextFlags;
enum
{
    kAuthorizationContextFlagExtractable = (1 << 0),
    kAuthorizationContextFlagVolatile = (1 << 1),
    kAuthorizationContextFlagSticky = (1 << 2)
};


/*!
	@typedef AuthorizationMechanismId
    The mechanism id specified in the configuration is passed to the plugin to create the appropriate mechanism.
*/
typedef const AuthorizationString AuthorizationMechanismId;

/*!
    @typedef AuthorizationPluginId
	Not used by plugin writers.  Loaded plugins are identified by their name.
 */
typedef const AuthorizationString AuthorizationPluginId;

/*!
	@typedef AuthorizationPluginRef
	Handle passed back by the plugin writer when creating a plugin.  Any pluginhost will only instantiate one instance.  The handle is used when creating mechanisms.
*/
typedef void *AuthorizationPluginRef;

/*!
	@typedef AuthorizationMechanismRef
	Handle passed back by the plugin writer when creating an an instance of a mechanism in a plugin.  One instance will be created for any authorization.
*/
typedef void *AuthorizationMechanismRef;

/*!
	@typedef AuthorizationEngineRef
	Handle passed from the engine to an instance of a mechanism in a plugin (corresponds to a particular AuthorizationMechanismRef).
*/
typedef struct __OpaqueAuthorizationEngine *AuthorizationEngineRef;

/*!
	@typedef AuthorizationSessionId
	A unique value for an AuthorizationSession being evaluated, provided by the authorization engine.
    A session is represented by a top level call to an Authorization API.
*/
typedef void *AuthorizationSessionId;

/*!
	@typedef AuthorizationResult
	Type for SetResult().  See AuthorizationResultConstants for all allowed values.
*/
typedef UInt32 AuthorizationResult;

/*!
    @enum AuthorizationResultConstants
	Possible values for SetResult() in AuthorizationCallbacks.
    
    @constant kAuthorizationResultAllow the operation succeeded and authorization should be granted as far as this mechanism is concerned.
    @constant kAuthorizationResultDeny the operation succeeded but authorization should be denied as far as this mechanism is concerned.
    @constant kAuthorizationResultUndefined the operation failed for some reason and should not be retried for this session.
    @constant kAuthorizationResultUserCanceled the user has requested that the evaluation be terminated.
*/
enum {
    kAuthorizationResultAllow,
    kAuthorizationResultDeny,
    kAuthorizationResultUndefined,
    kAuthorizationResultUserCanceled,
};

/*!
    @enum
    Version of the interface (AuthorizationPluginInterface) implemented by the plugin.
    The value is matched to the definition in this file.
*/
enum {
    kAuthorizationPluginInterfaceVersion = 0
};

/*!
    @enum
    Version of the callback structure (AuthorizationCallbacks) passed to the plugin.
    The value is matched to the definition in this file.  The engine may provide a newer
    interface.
*/
enum {
    kAuthorizationCallbacksVersion = 1
};


/*!
    @struct
    Callback API provided by the AuthorizationEngine. 
    
    @field version      Engine callback version.
    @field SetResult    Set a result after a call to AuthorizationSessionInvoke.
    @field RequestInterrupt Request authorization engine to interrupt all mechamisms invoked after this mechamism has called SessionSetResult and then call AuthorizationSessionInvoke again.
    @field DidDeactivate    Respond to the Deactivate request.
    @field GetContextValue  Read value from context.  AuthorizationValue does not own data.
    @field SetContextValue  Write value to context.  AuthorizationValue and data are copied.
    @field GetHintValue     Read value from hints. AuthorizationValue does not own data.
    @field SetHintValue     Write value to hints.  AuthorizationValue and data are copied.
    @field GetArguments     Read arguments passed.  AuthorizationValueVector does not own data.
    @field GetSessionId     Read SessionId.
*/
typedef struct AuthorizationCallbacks {

    /* Engine callback version. */
    UInt32 version;

    /* Set a result after a call to AuthorizationSessionInvoke. */
    OSStatus (*SetResult)(AuthorizationEngineRef inEngine, AuthorizationResult inResult);

    /* Request authorization engine to interrupt all mechamisms invoked after 
        this mechamism has called SessionSetResult and then call 
        AuthorizationSessionInvoke again. */
    OSStatus (*RequestInterrupt)(AuthorizationEngineRef inEngine);
    
    /* Respond to the Deactivate request. */
    OSStatus (*DidDeactivate)(AuthorizationEngineRef inEngine);

    /* Read value from context.  AuthorizationValue does not own data. */
    OSStatus (*GetContextValue)(AuthorizationEngineRef inEngine,
        AuthorizationString inKey,
        AuthorizationContextFlags *outContextFlags,
        const AuthorizationValue **outValue);

    /* Write value to context.  AuthorizationValue and data are copied. */
    OSStatus (*SetContextValue)(AuthorizationEngineRef inEngine,
        AuthorizationString inKey,
        AuthorizationContextFlags inContextFlags,
        const AuthorizationValue *inValue);

    /* Read value from hints. AuthorizationValue does not own data. */
    OSStatus (*GetHintValue)(AuthorizationEngineRef inEngine,
        AuthorizationString inKey,
        const AuthorizationValue **outValue);

    /* Write value to hints.  AuthorizationValue and data are copied. */
    OSStatus (*SetHintValue)(AuthorizationEngineRef inEngine,
        AuthorizationString inKey,
        const AuthorizationValue *inValue);

    /* Read arguments passed.  AuthorizationValueVector does not own data. */
    OSStatus (*GetArguments)(AuthorizationEngineRef inEngine,
        const AuthorizationValueVector **outArguments);

    /* Read SessionId. */
    OSStatus (*GetSessionId)(AuthorizationEngineRef inEngine,
        AuthorizationSessionId *outSessionId);

    /* Read value from hints. AuthorizationValue does not own data. */
    OSStatus (*GetImmutableHintValue)(AuthorizationEngineRef inEngine,
        AuthorizationString inKey,
        const AuthorizationValue **outValue);

} AuthorizationCallbacks;


/*!
    @struct
    Interface that must be implemented by each plugin. 
    
    @field version  Must be set to kAuthorizationPluginInterfaceVersion
    @field PluginDestroy    Plugin should clean up and release any resources it is holding.
    @field MechanismCreate  The plugin should create a mechanism named mechanismId.  The mechanism needs to use the AuthorizationEngineRef for the callbacks and pass back a   AuthorizationMechanismRef for itself.  MechanismDestroy will be called when it is no longer needed.
    @field MechanismInvoke  Invoke an instance of a mechanism.  It should call SetResult during or after returning from this function.
    @field MechanismDeactivate  Mechanism should respond with a DidDeactivate as soon as possible
    @field MechanismDestroy Mechanism should clean up and release any resources it is holding
*/
typedef struct AuthorizationPluginInterface
{
    /* Must be set to kAuthorizationPluginInterfaceVersion. */
    UInt32 version;

    /* Notify a plugin that it is about to be unloaded so it get a chance to clean up and release any resources it is holding.  */
    OSStatus (*PluginDestroy)(AuthorizationPluginRef inPlugin);

    /* The plugin should create a mechanism named mechanismId.  The mechanism needs to use the
        AuthorizationEngineRef for the callbacks and pass back an AuthorizationMechanismRef for
        itself.  MechanismDestroy will be called when it is no longer needed. */
    OSStatus (*MechanismCreate)(AuthorizationPluginRef inPlugin,
        AuthorizationEngineRef inEngine,
        AuthorizationMechanismId mechanismId,
        AuthorizationMechanismRef *outMechanism);

    /* Invoke an instance of a mechanism.  It should call SetResult during or after returning from this function.  */
    OSStatus (*MechanismInvoke)(AuthorizationMechanismRef inMechanism);

    /* Mechanism should respond with a DidDeactivate as soon as possible. */
    OSStatus (*MechanismDeactivate)(AuthorizationMechanismRef inMechanism);

    /* Mechanism should clean up and release any resources it is holding. */
    OSStatus (*MechanismDestroy)(AuthorizationMechanismRef inMechanism);

} AuthorizationPluginInterface;


/*!
    @function AuthorizationPluginCreate

    Initialize a plugin after it gets loaded.  This is the main entry point to a plugin.  This function will only be called once.  
    After all Mechanism instances have been destroyed outPluginInterface->PluginDestroy will be called.

    @param callbacks (input) A pointer to an AuthorizationCallbacks which contains the callbacks implemented by the AuthorizationEngine.
    @param outPlugin (output) On successful completion should contain a valid AuthorizationPluginRef.  This will be passed in to any subsequent calls the engine makes to  outPluginInterface->MechanismCreate and outPluginInterface->PluginDestroy.
    @param outPluginInterface (output) On successful completion should contain a pointer to a AuthorizationPluginInterface that will stay valid until outPluginInterface->PluginDestroy is called. */
OSStatus AuthorizationPluginCreate(const AuthorizationCallbacks *callbacks,
    AuthorizationPluginRef *outPlugin,
    const AuthorizationPluginInterface **outPluginInterface);

#if defined(__cplusplus)
}
#endif

#endif /* _SECURITY_AUTHORIZATIONPLUGIN_H_ */
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2001-2002,2004,2011-2012,2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	/*
	26	* AuthorizationPlugin.h
	27	* AuthorizationPlugin -- APIs for implementing authorization plugins.
	28	*/
	29
	30	#ifndef _SECURITY_AUTHORIZATIONPLUGIN_H_
	31	#define _SECURITY_AUTHORIZATIONPLUGIN_H_
	32
	33	#include <Security/Authorization.h>
	34
	35	#if defined(__cplusplus)
	36	extern "C" {
	37	#endif
	38
	39
	40	/*!
	41	@header AuthorizationPlugin
	42
	43	The AuthorizationPlugin API allows the creation of plugins that can participate
	44	in authorization decisions. Using the AuthorizationDB API the system can be configured
	45	to use these plugins. Plugins are loaded into a separate process, the pluginhost, to
	46	isolate the process of authorization from the client. There are two types of pluginhosts.
	47	One runs as an anonymous user and can be used to communicate with the user, for example
	48	to ask for a password. Another one runs with root privileges to perform privileged
	49	operations that may be required.
	50
	51	A typical use is to implement additional policies that cannot be expressed in the
	52	authorization configuration.
	53
	54	Plugins implement a handshake function called AuthorizationPluginCreate with which
	55	their interface (AuthorizationPluginInterface) and the engine's interface
	56	(AuthorizationCallbacks) are exchanged. Plugins are asked to create
	57	Mechanisms, which are the basic element as authorizations are performed.
	58
	59	Mechanisms are invoked when it is time for them to make a decision. A decision is
	60	made by setting a single result (AuthorizationResult). Mechanisms in the
	61	authorization can communicate auxiliary information by setting and/or getting hints
	62	and setting and/or getting context data. Hints are advisory and don't need to be
	63	looked at, nor are they preserved as part of the authorization result. Context data
	64	becomes part of the result of the authorization.
	65
	66	Context data is tagged with a flag that describes whether the information is returned
67	to the authorization client upon request (AuthorizationCopyInfo() in Authorization.h)
68	or whether it's private to the mechanisms making a decision.
69
70	*/
71
72
73	/*!
74	@typedef AuthorizationValue
75	Auxiliary data is passed between the engine and the mechanism as AuthorizationValues
76	*/
77	typedef struct AuthorizationValue
78	{
79	size_t length;
80	void *data;
81	} AuthorizationValue;
82
83	/*!
84	@typedef AuthorizationValueVector
85	A vector of AuthorizationValues. Used to communicate arguments passed from the
86	configuration file <code>authorization(5)</code>.
87	*/
88	typedef struct AuthorizationValueVector
89	{
90	UInt32 count;
91	AuthorizationValue *values;
92	} AuthorizationValueVector;
93
94	/*!
95	@typedef
96	Data produced as context during the authorization evaluation is tagged.
97	If data is set to be extractable (kAuthorizationContextFlagExtractable), it will be possible for the client of authorization to obtain the value of this attribute using AuthorizationCopyInfo().
98	If data is marked as volatile (kAuthorizationContextFlagVolatile), this value will not be remembered in the AuthorizationRef.
99	Sticky data (kAuthorizationContextFlagSticky) persists through a failed or interrupted evaluation. It can be used to propagate an error condition from a downstream plugin to an upstream one. It is not remembered in the AuthorizationRef.
100	*/
101	typedef UInt32 AuthorizationContextFlags;
102	enum
103	{
104	kAuthorizationContextFlagExtractable = (1 << 0),
105	kAuthorizationContextFlagVolatile = (1 << 1),
106	kAuthorizationContextFlagSticky = (1 << 2)
107	};
108
109
110	/*!
111	@typedef AuthorizationMechanismId
112	The mechanism id specified in the configuration is passed to the plugin to create the appropriate mechanism.
113	*/
114	typedef const AuthorizationString AuthorizationMechanismId;
115
116	/*!
117	@typedef AuthorizationPluginId
118	Not used by plugin writers. Loaded plugins are identified by their name.
119	*/
120	typedef const AuthorizationString AuthorizationPluginId;
121
122	/*!
123	@typedef AuthorizationPluginRef
124	Handle passed back by the plugin writer when creating a plugin. Any pluginhost will only instantiate one instance. The handle is used when creating mechanisms.
125	*/
126	typedef void *AuthorizationPluginRef;
127
128	/*!
129	@typedef AuthorizationMechanismRef
130	Handle passed back by the plugin writer when creating an an instance of a mechanism in a plugin. One instance will be created for any authorization.
131	*/
132	typedef void *AuthorizationMechanismRef;
133
134	/*!
135	@typedef AuthorizationEngineRef
136	Handle passed from the engine to an instance of a mechanism in a plugin (corresponds to a particular AuthorizationMechanismRef).
137	*/
138	typedef struct __OpaqueAuthorizationEngine *AuthorizationEngineRef;
139
140	/*!
141	@typedef AuthorizationSessionId
142	A unique value for an AuthorizationSession being evaluated, provided by the authorization engine.
143	A session is represented by a top level call to an Authorization API.
144	*/
145	typedef void *AuthorizationSessionId;
146
147	/*!
148	@typedef AuthorizationResult
149	Type for SetResult(). See AuthorizationResultConstants for all allowed values.
150	*/
151	typedef UInt32 AuthorizationResult;
152
153	/*!
154	@enum AuthorizationResultConstants
155	Possible values for SetResult() in AuthorizationCallbacks.
156
157	@constant kAuthorizationResultAllow the operation succeeded and authorization should be granted as far as this mechanism is concerned.
158	@constant kAuthorizationResultDeny the operation succeeded but authorization should be denied as far as this mechanism is concerned.
159	@constant kAuthorizationResultUndefined the operation failed for some reason and should not be retried for this session.
160	@constant kAuthorizationResultUserCanceled the user has requested that the evaluation be terminated.
161	*/
162	enum {
163	kAuthorizationResultAllow,
164	kAuthorizationResultDeny,
165	kAuthorizationResultUndefined,
166	kAuthorizationResultUserCanceled,
167	};
168
169	/*!
170	@enum
171	Version of the interface (AuthorizationPluginInterface) implemented by the plugin.
172	The value is matched to the definition in this file.
173	*/
174	enum {
175	kAuthorizationPluginInterfaceVersion = 0
176	};
177
178	/*!
179	@enum
180	Version of the callback structure (AuthorizationCallbacks) passed to the plugin.
181	The value is matched to the definition in this file. The engine may provide a newer
182	interface.
183	*/
184	enum {
427c49bc	185	kAuthorizationCallbacksVersion = 1
b1ab9ed8 A	186	};
	187
	188
	189	/*!
	190	@struct
	191	Callback API provided by the AuthorizationEngine.
	192
	193	@field version Engine callback version.
	194	@field SetResult Set a result after a call to AuthorizationSessionInvoke.
	195	@field RequestInterrupt Request authorization engine to interrupt all mechamisms invoked after this mechamism has called SessionSetResult and then call AuthorizationSessionInvoke again.
	196	@field DidDeactivate Respond to the Deactivate request.
	197	@field GetContextValue Read value from context. AuthorizationValue does not own data.
	198	@field SetContextValue Write value to context. AuthorizationValue and data are copied.
	199	@field GetHintValue Read value from hints. AuthorizationValue does not own data.
	200	@field SetHintValue Write value to hints. AuthorizationValue and data are copied.
	201	@field GetArguments Read arguments passed. AuthorizationValueVector does not own data.
	202	@field GetSessionId Read SessionId.
	203	*/
	204	typedef struct AuthorizationCallbacks {
	205
	206	/* Engine callback version. */
	207	UInt32 version;
	208
	209	/* Set a result after a call to AuthorizationSessionInvoke. */
	210	OSStatus (*SetResult)(AuthorizationEngineRef inEngine, AuthorizationResult inResult);
	211
	212	/* Request authorization engine to interrupt all mechamisms invoked after
	213	this mechamism has called SessionSetResult and then call
	214	AuthorizationSessionInvoke again. */
	215	OSStatus (*RequestInterrupt)(AuthorizationEngineRef inEngine);
	216
	217	/* Respond to the Deactivate request. */
	218	OSStatus (*DidDeactivate)(AuthorizationEngineRef inEngine);
	219
	220	/* Read value from context. AuthorizationValue does not own data. */
	221	OSStatus (*GetContextValue)(AuthorizationEngineRef inEngine,
	222	AuthorizationString inKey,
	223	AuthorizationContextFlags *outContextFlags,
	224	const AuthorizationValue **outValue);
	225
	226	/* Write value to context. AuthorizationValue and data are copied. */
	227	OSStatus (*SetContextValue)(AuthorizationEngineRef inEngine,
	228	AuthorizationString inKey,
	229	AuthorizationContextFlags inContextFlags,
	230	const AuthorizationValue *inValue);
	231
	232	/* Read value from hints. AuthorizationValue does not own data. */
	233	OSStatus (*GetHintValue)(AuthorizationEngineRef inEngine,
	234	AuthorizationString inKey,
	235	const AuthorizationValue **outValue);
	236
	237	/* Write value to hints. AuthorizationValue and data are copied. */
	238	OSStatus (*SetHintValue)(AuthorizationEngineRef inEngine,
	239	AuthorizationString inKey,
	240	const AuthorizationValue *inValue);
	241
	242	/* Read arguments passed. AuthorizationValueVector does not own data. */
	243	OSStatus (*GetArguments)(AuthorizationEngineRef inEngine,
	244	const AuthorizationValueVector **outArguments);
	245
	246	/* Read SessionId. */
	247	OSStatus (*GetSessionId)(AuthorizationEngineRef inEngine,
	248	AuthorizationSessionId *outSessionId);
	249
427c49bc A	250	/* Read value from hints. AuthorizationValue does not own data. */
	251	OSStatus (*GetImmutableHintValue)(AuthorizationEngineRef inEngine,
	252	AuthorizationString inKey,
	253	const AuthorizationValue **outValue);
	254
b1ab9ed8 A	255	} AuthorizationCallbacks;
	256
	257
	258	/*!
	259	@struct
	260	Interface that must be implemented by each plugin.
	261
	262	@field version Must be set to kAuthorizationPluginInterfaceVersion
	263	@field PluginDestroy Plugin should clean up and release any resources it is holding.
	264	@field MechanismCreate The plugin should create a mechanism named mechanismId. The mechanism needs to use the AuthorizationEngineRef for the callbacks and pass back a AuthorizationMechanismRef for itself. MechanismDestroy will be called when it is no longer needed.
	265	@field MechanismInvoke Invoke an instance of a mechanism. It should call SetResult during or after returning from this function.
	266	@field MechanismDeactivate Mechanism should respond with a DidDeactivate as soon as possible
	267	@field MechanismDestroy Mechanism should clean up and release any resources it is holding
	268	*/
	269	typedef struct AuthorizationPluginInterface
	270	{
	271	/* Must be set to kAuthorizationPluginInterfaceVersion. */
	272	UInt32 version;
	273
	274	/* Notify a plugin that it is about to be unloaded so it get a chance to clean up and release any resources it is holding. */
	275	OSStatus (*PluginDestroy)(AuthorizationPluginRef inPlugin);
	276
	277	/* The plugin should create a mechanism named mechanismId. The mechanism needs to use the
	278	AuthorizationEngineRef for the callbacks and pass back an AuthorizationMechanismRef for
	279	itself. MechanismDestroy will be called when it is no longer needed. */
	280	OSStatus (*MechanismCreate)(AuthorizationPluginRef inPlugin,
	281	AuthorizationEngineRef inEngine,
	282	AuthorizationMechanismId mechanismId,
	283	AuthorizationMechanismRef *outMechanism);
	284
	285	/* Invoke an instance of a mechanism. It should call SetResult during or after returning from this function. */
	286	OSStatus (*MechanismInvoke)(AuthorizationMechanismRef inMechanism);
	287
	288	/* Mechanism should respond with a DidDeactivate as soon as possible. */
	289	OSStatus (*MechanismDeactivate)(AuthorizationMechanismRef inMechanism);
	290
	291	/* Mechanism should clean up and release any resources it is holding. */
	292	OSStatus (*MechanismDestroy)(AuthorizationMechanismRef inMechanism);
	293
	294	} AuthorizationPluginInterface;
	295
	296
	297	/*!
	298	@function AuthorizationPluginCreate
	299
	300	Initialize a plugin after it gets loaded. This is the main entry point to a plugin. This function will only be called once.
	301	After all Mechanism instances have been destroyed outPluginInterface->PluginDestroy will be called.
	302
	303	@param callbacks (input) A pointer to an AuthorizationCallbacks which contains the callbacks implemented by the AuthorizationEngine.
	304	@param outPlugin (output) On successful completion should contain a valid AuthorizationPluginRef. This will be passed in to any subsequent calls the engine makes to outPluginInterface->MechanismCreate and outPluginInterface->PluginDestroy.
	305	@param outPluginInterface (output) On successful completion should contain a pointer to a AuthorizationPluginInterface that will stay valid until outPluginInterface->PluginDestroy is called. */
	306	OSStatus AuthorizationPluginCreate(const AuthorizationCallbacks *callbacks,
	307	AuthorizationPluginRef *outPlugin,
	308	const AuthorizationPluginInterface **outPluginInterface);
	309
	310	#if defined(__cplusplus)
	311	}
	312	#endif
	313
	314	#endif /* _SECURITY_AUTHORIZATIONPLUGIN_H_ */