]>
git.saurik.com Git - apple/security.git/blob - securityd/src/credential.cpp
2 * Copyright (c) 2000-2004,2006-2007,2009,2012 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
24 #include "credential.h"
28 #include <Security/checkpw.h>
29 extern "C" int checkpw_internal( const struct passwd
*pw
, const char* password
);
32 namespace Authorization
{
34 // default credential: invalid for everything, needed as a default session credential
35 CredentialImpl::CredentialImpl() : mShared(false), mRight(false), mUid(0), mName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
39 // only for testing whether this credential is usable
40 CredentialImpl::CredentialImpl(const uid_t uid
, const string
&username
, const string
&realname
, bool shared
) : mShared(shared
), mRight(false), mUid(uid
), mName(username
), mRealName(realname
), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
44 CredentialImpl::CredentialImpl(const string
&username
, const string
&password
, bool shared
) : mShared(shared
), mRight(false), mName(username
), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
46 Server::active().longTermActivity();
47 const char *user
= username
.c_str();
48 struct passwd
*pw
= getpwnam(user
);
52 syslog(LOG_ERR
, "getpwnam() failed for user %s, creating invalid credential", user
);
58 mRealName
= pw
->pw_gecos
;
60 const char *passwd
= password
.c_str();
61 int checkpw_status
= checkpw_internal(pw
, passwd
);
63 if (checkpw_status
!= CHECKPW_SUCCESS
) {
64 syslog(LOG_ERR
, "checkpw() returned %d; failed to authenticate user %s (uid %u).", checkpw_status
, pw
->pw_name
, pw
->pw_uid
);
68 syslog(LOG_INFO
, "checkpw() succeeded, creating%s credential for user %s", mShared
? " shared" : "", user
);
77 // @@@ arguably we don't care about the UID any more and should not
78 // require it in this ctor
79 CredentialImpl::CredentialImpl(const string
&right
, bool shared
) : mShared(shared
), mRight(true), mUid(-2), mName(right
), mRealName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
83 CredentialImpl::~CredentialImpl()
88 CredentialImpl::operator < (const CredentialImpl
&other
) const
90 // all shared creds are placed into mSessionCreds
91 // all non shared creds are placed into AuthorizationToken
93 // There are 2 types of credentials UID and Right
94 // UID = Authenticated Identity
95 // Right = Rights which were previously authenticated by a uid credential
97 // Right Credentials are only used during kAuthorizationFlagLeastPrivileged
98 // operations and should not have a valid uid set
100 // this allows shared and none shared co-exist in the same container
101 // used when processing multiple rights shared vs non-shared during evaluation
102 if (!mShared
&& other
.mShared
)
104 if (!other
.mShared
&& mShared
)
107 // this allows uids and rights co-exist in the same container
108 // used when holding onto Rights inside of the AuthorizationToken
109 if (mRight
&& !other
.mRight
)
111 if (!mRight
&& other
.mRight
)
114 // this is the actual comparision
116 return mName
< other
.mName
;
118 return mUid
< other
.mUid
;
122 // Returns true if this CredentialImpl should be shared.
124 CredentialImpl::isShared() const
131 CredentialImpl::merge(const CredentialImpl
&other
)
133 // try to ensure that the credentials are the same type
134 assert(mRight
== other
.mRight
);
136 assert(mName
== other
.mName
);
138 assert(mUid
== other
.mUid
);
140 if (other
.mValid
&& (!mValid
|| mCreationTime
< other
.mCreationTime
))
142 mCreationTime
= other
.mCreationTime
;
147 // The time at which this credential was obtained.
149 CredentialImpl::creationTime() const
151 return mCreationTime
;
154 // Return true iff this credential is valid.
156 CredentialImpl::isValid() const
162 CredentialImpl::invalidate()
170 Credential::Credential() :
171 RefPointer
<CredentialImpl
>(new CredentialImpl())
175 Credential::Credential(CredentialImpl
*impl
) :
176 RefPointer
<CredentialImpl
>(impl
)
180 Credential::Credential(const uid_t uid
, const string
&username
, const string
&realname
, bool shared
) :
181 RefPointer
<CredentialImpl
>(new CredentialImpl(uid
, username
, realname
, shared
))
185 Credential::Credential(const string
&username
, const string
&password
, bool shared
) : RefPointer
<CredentialImpl
>(new CredentialImpl(username
, password
, shared
))
189 Credential::Credential(const string
&right
, bool shared
) : RefPointer
<CredentialImpl
>(new CredentialImpl(right
, shared
))
193 Credential::~Credential()
198 Credential::operator < (const Credential
&other
) const
206 return (**this) < (*other
);
209 } // end namespace Authorization