2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
20 // authority - authorization manager
25 #include "securityserver.h"
26 #include "AuthorizationEngine.h"
// Bring the Authorization engine types used by the declarations below into scope.
28 using Authorization::Credential;
29 using Authorization::CredentialSet;
30 using Authorization::AuthItemSet;
36 class AuthorizationToken
{
// Create a token bound to session `ssn` and based on the credential set `base`.
// `auditToken` is the caller-supplied audit token; presumably it is what ends up in
// mCreatorAuditToken -- confirm in the implementation file.
38 AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken);
// Destructor; its definition is not part of this listing.
39 ~AuthorizationToken();
// Read-only access to the blob that marks this token (mHandle) and to the credential
// set it is based on (mBaseCreds). Both return references to the members themselves,
// and neither inline body takes mLock.
43 const AuthorizationBlob &handle() const { return mHandle; }
44 const CredentialSet &baseCreds() const { return mBaseCreds; }
// Returns a CredentialSet by value. How it is derived from the base credentials is
// decided in the implementation, which this header does not show.
45 CredentialSet effectiveCreds() const;
// Iteration over the base credentials. begin()/end() hand out non-const iterators
// into mBaseCreds, and the inline bodies do no locking.
// NOTE(review): presumably callers must keep mergeCredentials() from running while
// they iterate -- confirm how mLock is used in the implementation.
47 typedef CredentialSet::iterator iterator;
48 iterator begin() { return mBaseCreds.begin(); }
49 iterator end() { return mBaseCreds.end(); }
51 // add more credential dependencies
// `more` is taken by const reference and is not modified through this interface.
// NOTE(review): presumably its entries are merged into mBaseCreds -- confirm.
52 void mergeCredentials(const CredentialSet &more);
54 // maintain process-owning links
// NOTE(review): presumably these add `proc` to / remove it from mUsingProcesses.
// What endProcess's bool result means is not visible in this header; check the
// implementation before relying on it.
55 void addProcess(Process &proc);
56 bool endProcess(Process &proc);
58 // access control for external representations
// Both predicates are asked on behalf of a specific requesting process `proc`.
// mayExternalize is const; mayInternalize is not, and takes `countIt` (default true).
// NOTE(review): presumably countIt decides whether a successful check uses up one of
// the internalizations tracked by mTransferCount -- confirm before passing false.
59 bool mayExternalize(Process &proc) const;
60 bool mayInternalize(Process &proc, bool countIt = true);
// Uid recorded for the process that created this authorization.
62 uid_t creatorUid() const { return mCreatorUid; }
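// Gid recorded for the process that created this authorization.
// Returns gid_t, the declared type of mCreatorGid, so the value is never converted
// through uid_t on a platform where the two types differ.
63 gid_t creatorGid() const { return mCreatorGid; }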
// Code identity of the creator, returned as a raw pointer taken from the RefPointer
// member mCreatorCode.
// NOTE(review): the signature gives the caller no reference of its own; presumably
// the pointer must not be used after the token is gone -- confirm RefPointer semantics.
64 CodeSigning::OSXCode *creatorCode() const { return mCreatorCode; }
// Pid recorded for the creator.
// NOTE(review): a pid can be reused by a later process, so code making a trust
// decision about the creator should prefer creatorAuditToken() where it can.
65 pid_t creatorPid() const { return mCreatorPid; }
// Audit token recorded for the creator, returned by value.
67 audit_token_t creatorAuditToken() const { return mCreatorAuditToken; }
// Accessors for the side-band info kept in mInfoSet.
// infoSet returns an AuthItemSet by value; `tag` defaults to NULL.
// NOTE(review): presumably a NULL tag selects every item and a non-NULL tag filters
// by name -- confirm in the implementation.
69 AuthItemSet infoSet(AuthorizationString tag = NULL);
// Takes the new set by non-const reference; whether the argument is modified cannot
// be told from this header.
70 void setInfoSet(AuthItemSet &newInfoSet);
// NOTE(review): presumably records details of `inCred` in the info set -- confirm.
71 void setCredentialInfo(const Credential &inCred);
// Look up the token for `blob`. The result is a reference, so the signature has no
// way to report "not found" through the return value.
// NOTE(review): presumably this searches authMap under authMapLock and throws for an
// unknown blob -- confirm; if blobs can originate from client processes, the
// unknown-blob path is the one to review.
75 static AuthorizationToken &find(const AuthorizationBlob &blob);
// Members of the Deleter helper; its class header is not part of this listing.
// Constructed from the blob of the token it refers to.
79 Deleter(const AuthorizationBlob &blob);
// Implicit conversion to the referenced token. Dereferences mAuth with no null check.
82 operator AuthorizationToken &() const { return *mAuth; }
// Token this Deleter refers to, held as a raw pointer.
// NOTE(review): ownership is not visible from this header -- TODO confirm.
85 AuthorizationToken *mAuth;
// Per-token state. Which of these members mLock guards is not visible in this header.
90 Mutex mLock; // object lock
91 AuthorizationBlob mHandle; // official randomized blob marker
92 CredentialSet mBaseCreds; // credentials we're based on
94 unsigned int mTransferCount; // number of internalizations remaining
// Processes are tracked by raw pointer; see addProcess()/endProcess().
96 typedef set<Process *> ProcessSet;
97 ProcessSet mUsingProcesses; // set of process objects using this token
// Identity of the creator, as recorded for this authorization.
99 uid_t mCreatorUid; // Uid of process that created this authorization
100 gid_t mCreatorGid; // Gid of process that created this authorization
101 RefPointer<OSXCode> mCreatorCode; // code id of creator
102 pid_t mCreatorPid; // Pid of process that created this authorization
104 audit_token_t mCreatorAuditToken; // Audit token of the process that created this authorization
106 AuthItemSet mInfoSet; // Side band info gathered from evaluations in this session
// Registry shared by all tokens (static): maps an AuthorizationBlob to the token it
// names. Values are raw pointers.
109 typedef map<AuthorizationBlob, AuthorizationToken *> AuthMap;
110 static AuthMap authMap; // set of extant authorizations
111 static Mutex authMapLock; // lock for authMap (only)
116 // The authority itself. You will usually only have one of these.
118 class Authority
: public Authorization::Engine
{
// Construct the authority from `configFile`.
// NOTE(review): presumably the path of the authorization configuration handed on to
// Authorization::Engine -- confirm. The constructor is not marked explicit, so a
// const char * converts to an Authority implicitly.
120 Authority(const char *configFile);
125 #endif //_H_AUTHORITY