]> git.saurik.com Git - apple/security.git/blob - authd/rule.c
Security-55471.14.tar.gz
[apple/security.git] / authd / rule.c
1 /* Copyright (c) 2012 Apple Inc. All rights reserved. */
2
3 #include "rule.h"
4 #include "authutilities.h"
5 #include "mechanism.h"
6 #include "crc.h"
7 #include "debugging.h"
8 #include "authitems.h"
9 #include "process.h"
10
11 #include <Security/AuthorizationDB.h>
12 #include <Security/AuthorizationTagsPriv.h>
13 #include "server.h"
14
15 static void _sql_get_id(rule_t,authdb_connection_t);
16 static RuleClass _get_cf_rule_class(CFTypeRef);
17 static bool _copy_cf_rule_mechanisms(rule_t,CFTypeRef,authdb_connection_t);
18 static bool _copy_cf_rule_delegations(rule_t, CFTypeRef,authdb_connection_t);
19
20 #define kMaximumAuthorizationTries 10000
21
22 #define RULE_ID "id"
23 #define RULE_NAME "name"
24 #define RULE_TYPE "type"
25 #define RULE_CLASS "class"
26 #define RULE_GROUP "group"
27 #define RULE_KOFN "kofn"
28 #define RULE_TIMEOUT "timeout"
29 #define RULE_FLAGS "flags"
30 #define RULE_TRIES "tries"
31 #define RULE_COMMENT "comment"
32 #define RULE_VERSION "version"
33 #define RULE_CREATED "created"
34 #define RULE_MODIFIED "modified"
35 #define RULE_IDENTIFIER "identifier"
36 #define RULE_REQUIREMENT "requirement"
37 #define RULE_HASH "hash"
38
39 struct _rule_s {
40 __AUTH_BASE_STRUCT_HEADER__;
41
42 auth_items_t data;
43 CFMutableArrayRef mechanisms;
44 CFMutableArrayRef delegations;
45
46 CFMutableDictionaryRef loc_prompts;
47 CFMutableDictionaryRef loc_buttons;
48
49 CFDataRef requirement_data;
50 SecRequirementRef requirement;
51 };
52
53 static void
54 _rule_finalize(CFTypeRef value)
55 {
56 rule_t rule = (rule_t)value;
57 CFReleaseSafe(rule->data);
58 CFReleaseSafe(rule->mechanisms);
59 CFReleaseSafe(rule->delegations);
60 CFReleaseSafe(rule->loc_prompts);
61 CFReleaseSafe(rule->loc_buttons);
62 CFReleaseSafe(rule->requirement_data);
63 CFReleaseSafe(rule->requirement);
64 }
65
66 static Boolean
67 _rule_equal(CFTypeRef value1, CFTypeRef value2)
68 {
69 rule_t rule1 = (rule_t)value1;
70 rule_t rule2 = (rule_t)value2;
71
72 return strcasecmp(rule_get_name(rule1), rule_get_name(rule2)) == 0;
73 }
74
75 static CFStringRef
76 _rule_copy_description(CFTypeRef value)
77 {
78 rule_t rule = (rule_t)value;
79 CFMutableStringRef str = CFStringCreateMutable(kCFAllocatorDefault, 0);
80 CFStringRef tmp = CFCopyDescription(rule->data);
81 CFStringAppend(str, tmp);
82 CFReleaseNull(tmp);
83 tmp = CFCopyDescription(rule->mechanisms);
84 CFStringAppend(str, tmp);
85 CFReleaseNull(tmp);
86 tmp = CFCopyDescription(rule->delegations);
87 CFStringAppend(str, tmp);
88 CFReleaseNull(tmp);
89 return str;
90 }
91
92 static CFHashCode
93 _rule_hash(CFTypeRef value)
94 {
95 rule_t rule = (rule_t)value;
96 const char * str = rule_get_name(rule);
97 return crc64(str, strlen(str));
98 }
99
100 AUTH_TYPE_INSTANCE(rule,
101 .init = NULL,
102 .copy = NULL,
103 .finalize = _rule_finalize,
104 .equal = _rule_equal,
105 .hash = _rule_hash,
106 .copyFormattingDesc = NULL,
107 .copyDebugDesc = _rule_copy_description
108 );
109
110 static CFTypeID rule_get_type_id() {
111 static CFTypeID type_id = _kCFRuntimeNotATypeID;
112 static dispatch_once_t onceToken;
113
114 dispatch_once(&onceToken, ^{
115 type_id = _CFRuntimeRegisterClass(&_auth_type_rule);
116 });
117
118 return type_id;
119 }
120
121 static rule_t
122 _rule_create()
123 {
124 rule_t rule = (rule_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, rule_get_type_id(), AUTH_CLASS_SIZE(rule), NULL);
125 require(rule != NULL, done);
126
127 rule->data = auth_items_create();
128 rule->delegations = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
129 rule->mechanisms = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
130
131 done:
132 return rule;
133 }
134
135 static rule_t
136 _rule_create_with_sql(auth_items_t sql)
137 {
138 rule_t rule = NULL;
139 require(sql != NULL, done);
140
141 rule = _rule_create();
142 require(rule != NULL, done);
143
144 auth_items_copy(rule->data, sql);
145
146 done:
147 return rule;
148 }
149
150 rule_t
151 rule_create_default()
152 {
153 rule_t rule = _rule_create();
154 require(rule != NULL, done);
155
156 auth_items_set_int64(rule->data, RULE_TYPE, RT_RIGHT);
157 auth_items_set_string(rule->data, RULE_NAME, "(default)");
158 auth_items_set_int64(rule->data, RULE_CLASS, RC_USER);
159 auth_items_set_string(rule->data, RULE_GROUP, "admin");
160 auth_items_set_int64(rule->data, RULE_TIMEOUT, 300);
161 auth_items_set_int64(rule->data, RULE_TRIES, kMaximumAuthorizationTries);
162 auth_items_set_int64(rule->data, RULE_FLAGS, RuleFlagShared | RuleFlagAuthenticateUser);
163
164 mechanism_t mech = mechanism_create_with_string("builtin:authenticate", NULL);
165 CFArrayAppendValue(rule->mechanisms, mech);
166 CFReleaseNull(mech);
167
168 mech = mechanism_create_with_string("builtin:reset-password,privileged", NULL);
169 CFArrayAppendValue(rule->mechanisms, mech);
170 CFReleaseNull(mech);
171
172 mech = mechanism_create_with_string("builtin:authenticate,privileged", NULL);
173 CFArrayAppendValue(rule->mechanisms, mech);
174 CFReleaseNull(mech);
175
176 mech = mechanism_create_with_string("PKINITMechanism:auth,privileged", NULL);
177 CFArrayAppendValue(rule->mechanisms, mech);
178 CFReleaseNull(mech);
179
180 done:
181 return rule;
182 }
183
184 rule_t
185 rule_create_with_string(const char * str, authdb_connection_t dbconn)
186 {
187 rule_t rule = NULL;
188 require(str != NULL, done);
189
190 rule = _rule_create();
191 require(rule != NULL, done);
192
193 auth_items_set_string(rule->data, RULE_NAME, str);
194
195 if (dbconn) {
196 rule_sql_fetch(rule, dbconn);
197 }
198
199 done:
200 return rule;
201 }
202
203 static void _set_data_string(rule_t rule, const char * key, CFStringRef str)
204 {
205 char * tmpStr = _copy_cf_string(str, NULL);
206
207 if (tmpStr) {
208 auth_items_set_string(rule->data, key, tmpStr);
209 free_safe(tmpStr);
210 }
211 }
212
213 rule_t
214 rule_create_with_plist(RuleType type, CFStringRef name, CFDictionaryRef plist, authdb_connection_t dbconn)
215 {
216 rule_t rule = NULL;
217 require(name != NULL, done);
218 require(plist != NULL, done);
219
220 rule = _rule_create();
221 require(rule != NULL, done);
222
223 _set_data_string(rule, RULE_NAME, name);
224 require_action(rule_get_name(rule) != NULL, done, CFReleaseSafe(rule));
225
226 _sql_get_id(rule, dbconn);
227
228 auth_items_set_int64(rule->data, RULE_TYPE, type);
229
230 auth_items_set_int64(rule->data, RULE_CLASS, _get_cf_rule_class(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleClass))));
231 _set_data_string(rule, RULE_COMMENT, CFDictionaryGetValue(plist, CFSTR(kAuthorizationComment)));
232
233
234 CFTypeRef loc_tmp = CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterDefaultPrompt));
235 if (loc_tmp) {
236 rule->loc_prompts = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, loc_tmp);
237 }
238 loc_tmp = CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterDefaultButton));
239 if (loc_tmp) {
240 rule->loc_buttons = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, loc_tmp);
241 }
242
243 auth_items_set_int64(rule->data, RULE_VERSION, _get_cf_int(CFDictionaryGetValue(plist, CFSTR("version")), 0));
244
245 RuleFlags flags = 0;
246
247 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterEntitled)), false)) {
248 flags |= RuleFlagEntitled;
249 }
250
251 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterRequireAppleSigned)), false)) {
252 flags |= RuleFlagRequireAppleSigned;
253 }
254
255 switch (rule_get_class(rule)) {
256 case RC_USER:
257 _set_data_string(rule, RULE_GROUP, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterGroup)));
258 auth_items_set_int64(rule->data, RULE_TIMEOUT, _get_cf_int(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialTimeout)), INT32_MAX));
259 auth_items_set_int64(rule->data, RULE_TRIES, _get_cf_int(CFDictionaryGetValue(plist, CFSTR("tries")), kMaximumAuthorizationTries));
260
261 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialShared)), false)) {
262 flags |= RuleFlagShared;
263 }
264 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterAllowRoot)), false)) {
265 flags |= RuleFlagAllowRoot;
266 }
267 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialSessionOwner)), false)) {
268 flags |= RuleFlagSessionOwner;
269 }
270 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterAuthenticateUser)), true)) {
271 flags |= RuleFlagAuthenticateUser;
272 }
273 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterExtractPassword)), false)) {
274 flags |= RuleFlagExtractPassword;
275 }
276 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterEntitledAndGroup)), false)) {
277 flags |= RuleFlagEntitledAndGroup;
278 }
279 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterVPNEntitledAndGroup)), false)) {
280 flags |= RuleFlagVPNEntitledAndGroup;
281 }
282
283 _copy_cf_rule_mechanisms(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterMechanisms)), dbconn);
284
285 break;
286 case RC_RULE:
287 auth_items_set_int64(rule->data, RULE_KOFN, _get_cf_int(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterKofN)), 0));
288
289 _copy_cf_rule_delegations(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRightRule)), dbconn);
290 break;
291 case RC_MECHANISM:
292 auth_items_set_int64(rule->data, RULE_TRIES, _get_cf_int(CFDictionaryGetValue(plist, CFSTR("tries")), kMaximumAuthorizationTries));
293 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialShared)), true)) {
294 flags |= RuleFlagShared;
295 }
296 if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterExtractPassword)), false)) {
297 flags |= RuleFlagExtractPassword;
298 }
299
300 _copy_cf_rule_mechanisms(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterMechanisms)), dbconn);
301
302 break;
303 case RC_DENY:
304 break;
305 case RC_ALLOW:
306 break;
307 default:
308 LOGD("rule: invalid rule class");
309 break;
310 }
311
312 auth_items_set_int64(rule->data, RULE_FLAGS, flags);
313
314 done:
315 return rule;
316 }
317
318 static void
319 _sql_get_id(rule_t rule, authdb_connection_t dbconn)
320 {
321 authdb_step(dbconn, "SELECT id,created,identifier,requirement FROM rules WHERE name = ? LIMIT 1",
322 ^(sqlite3_stmt *stmt) {
323 sqlite3_bind_text(stmt, 1, rule_get_name(rule), -1, NULL);
324 }, ^bool(auth_items_t data) {
325 auth_items_copy(rule->data, data);
326 return true;
327 });
328 }
329
330 static bool
331 _copy_cf_rule_delegations(rule_t rule, CFTypeRef value, authdb_connection_t dbconn)
332 {
333 bool result = false;
334 char * tmp_str = NULL;
335 require(value != NULL, done);
336
337 if (CFGetTypeID(value) == CFStringGetTypeID()) {
338 tmp_str = _copy_cf_string(value, NULL);
339 rule_t delegate = rule_create_with_string(tmp_str, dbconn);
340 free_safe(tmp_str);
341 if (delegate) {
342 CFArrayAppendValue(rule->delegations, delegate);
343 CFReleaseSafe(delegate);
344 }
345 } else { //array
346 CFIndex count = CFArrayGetCount(value);
347 for (CFIndex i = 0; i < count; i++) {
348 tmp_str = _copy_cf_string(CFArrayGetValueAtIndex(value,i), NULL);
349 rule_t delegate = rule_create_with_string(tmp_str, dbconn);
350 free_safe(tmp_str);
351 if (delegate) {
352 CFArrayAppendValue(rule->delegations, delegate);
353 CFReleaseSafe(delegate);
354 }
355 }
356 }
357
358 result = true;
359
360 done:
361 return result;
362 }
363
364 static bool
365 _copy_cf_rule_mechanisms(rule_t rule, CFTypeRef array, authdb_connection_t dbconn)
366 {
367 bool result = false;
368 require(array != NULL, done);
369 require(CFGetTypeID(array) == CFArrayGetTypeID(), done);
370
371 CFIndex count = CFArrayGetCount(array);
372 for (CFIndex i = 0; i < count; i++) {
373 mechanism_t mech = NULL;
374 char * string = _copy_cf_string(CFArrayGetValueAtIndex(array, i), NULL);
375
376 if (!string)
377 continue;
378
379 mech = mechanism_create_with_string(string, dbconn);
380 if (mech) {
381 CFArrayAppendValue(rule->mechanisms, mech);
382 CFReleaseSafe(mech);
383 }
384 free(string);
385 }
386
387 result = true;
388
389 done:
390 return result;
391 }
392
393 static RuleClass
394 _get_cf_rule_class(CFTypeRef str)
395 {
396 RuleClass rc = RC_RULE;
397 require(str != NULL, done);
398 require(CFGetTypeID(str) == CFStringGetTypeID(), done);
399
400 if (CFEqual(str, CFSTR(kAuthorizationRuleClassUser)))
401 return RC_USER;
402
403 if (CFEqual(str, CFSTR(kAuthorizationRightRule)))
404 return RC_RULE;
405
406 if (CFEqual(str, CFSTR(kAuthorizationRuleClassMechanisms)))
407 return RC_MECHANISM;
408
409 if (CFEqual(str, CFSTR(kAuthorizationRuleClassDeny)))
410 return RC_DENY;
411
412 if (CFEqual(str, CFSTR(kAuthorizationRuleClassAllow)))
413 return RC_ALLOW;
414
415 done:
416 return rc;
417 }
418
419 static bool
420 _sql_bind(rule_t rule, sqlite3_stmt * stmt)
421 {
422 int64_t n;
423 int32_t rc = 0;
424 require(stmt != NULL, err);
425
426 int32_t column = 1;
427 rc = sqlite3_bind_text(stmt, column++, rule_get_name(rule), -1, NULL);
428 require_noerr(rc, err);
429 rc = sqlite3_bind_int(stmt, column++, rule_get_type(rule));
430 require_noerr(rc, err);
431 rc = sqlite3_bind_int(stmt, column++, rule_get_class(rule));
432 require_noerr(rc, err);
433
434 switch (rule_get_class(rule)) {
435 case RC_USER:
436 rc = sqlite3_bind_text(stmt, column++, rule_get_group(rule), -1, NULL);
437 require_noerr(rc, err);
438 rc = sqlite3_bind_null(stmt, column++); // kofn
439 require_noerr(rc, err);
440 rc = sqlite3_bind_int64(stmt, column++, rule_get_timeout(rule));
441 require_noerr(rc, err);
442 rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
443 require_noerr(rc, err);
444 rc = sqlite3_bind_int64(stmt, column++, rule_get_tries(rule));
445 require_noerr(rc, err);
446 break;
447 case RC_RULE:
448 rc = sqlite3_bind_null(stmt, column++); // group
449 require_noerr(rc, err);
450 n = rule_get_kofn(rule);
451 if (n) {
452 rc = sqlite3_bind_int64(stmt, column++, n);
453 } else {
454 rc = sqlite3_bind_null(stmt, column++);
455 }
456 require_noerr(rc, err);
457 rc = sqlite3_bind_null(stmt, column++); // timeout
458 require_noerr(rc, err);
459 rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
460 require_noerr(rc, err);
461 rc = sqlite3_bind_null(stmt, column++); // tries
462 require_noerr(rc, err);
463 break;
464 case RC_MECHANISM:
465 rc = sqlite3_bind_null(stmt, column++); // group
466 require_noerr(rc, err);
467 rc = sqlite3_bind_null(stmt, column++); // kofn
468 require_noerr(rc, err);
469 rc = sqlite3_bind_null(stmt, column++); // timeout
470 require_noerr(rc, err);
471 rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
472 require_noerr(rc, err);
473 rc = sqlite3_bind_int64(stmt, column++, rule_get_tries(rule));
474 require_noerr(rc, err);
475 break;
476 case RC_DENY:
477 case RC_ALLOW:
478 rc = sqlite3_bind_null(stmt, column++); // group
479 require_noerr(rc, err);
480 rc = sqlite3_bind_null(stmt, column++); // kofn
481 require_noerr(rc, err);
482 rc = sqlite3_bind_null(stmt, column++); // timeout
483 require_noerr(rc, err);
484 rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
485 require_noerr(rc, err);
486 rc = sqlite3_bind_null(stmt, column++); // tries
487 require_noerr(rc, err);
488 break;
489 default:
490 LOGD("rule: sql bind, invalid rule class");
491 break;
492 }
493
494 rc = sqlite3_bind_int64(stmt, column++, rule_get_version(rule)); // version
495 require_noerr(rc, err);
496 rc = sqlite3_bind_double(stmt, column++, rule_get_created(rule)); // created
497 require_noerr(rc, err);
498 rc = sqlite3_bind_double(stmt, column++, rule_get_modified(rule)); // modified
499 require_noerr(rc, err);
500 rc = sqlite3_bind_null(stmt, column++); // hash
501 require_noerr(rc, err);
502 rc = sqlite3_bind_text(stmt, column++, rule_get_identifier(rule), -1, NULL);
503 require_noerr(rc, err);
504
505 CFDataRef data = rule_get_requirment_data(rule);
506 if (data) {
507 rc = sqlite3_bind_blob(stmt, column++, CFDataGetBytePtr(data), (int32_t)CFDataGetLength(data), NULL);
508 } else {
509 rc = sqlite3_bind_null(stmt, column++);
510 }
511 require_noerr(rc, err);
512
513 rc = sqlite3_bind_text(stmt, column++, rule_get_comment(rule), -1, NULL);
514 require_noerr(rc, err);
515
516 return true;
517
518 err:
519 LOGD("rule: sql bind, error %i", rc);
520 return false;
521 }
522
523 static void
524 _get_sql_mechanisms(rule_t rule, authdb_connection_t dbconn)
525 {
526 CFArrayRemoveAllValues(rule->mechanisms);
527
528 authdb_step(dbconn, "SELECT mechanisms.* " \
529 "FROM mechanisms " \
530 "JOIN mechanisms_map ON mechanisms.id = mechanisms_map.m_id " \
531 "WHERE mechanisms_map.r_id = ? ORDER BY mechanisms_map.ord ASC",
532 ^(sqlite3_stmt *stmt) {
533 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
534 }, ^bool(auth_items_t data) {
535 mechanism_t mechanism = mechanism_create_with_sql(data);
536 CFArrayAppendValue(rule->mechanisms, mechanism);
537 CFReleaseSafe(mechanism);
538 return true;
539 });
540 }
541
542 static void
543 _get_sql_delegates(rule_t rule, authdb_connection_t dbconn)
544 {
545 CFArrayRemoveAllValues(rule->delegations);
546
547 authdb_step(dbconn, "SELECT rules.* " \
548 "FROM rules " \
549 "JOIN delegates_map ON rules.id = delegates_map.d_id " \
550 "WHERE delegates_map.r_id = ? ORDER BY delegates_map.ord ASC",
551 ^(sqlite3_stmt *stmt) {
552 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
553 }, ^bool(auth_items_t data) {
554 rule_t delegate = _rule_create_with_sql(data);
555 if (delegate) {
556 _get_sql_mechanisms(delegate, dbconn);
557
558 if (rule_get_class(rule) == RC_RULE) {
559 _get_sql_delegates(delegate, dbconn);
560 }
561
562 CFArrayAppendValue(rule->delegations, delegate);
563 CFReleaseSafe(delegate);
564 }
565 return true;
566 });
567 }
568
569 bool
570 rule_sql_fetch(rule_t rule, authdb_connection_t dbconn)
571 {
572 __block bool result = false;
573
574 authdb_step(dbconn, "SELECT * FROM rules WHERE name = ? LIMIT 1",
575 ^(sqlite3_stmt *stmt) {
576 sqlite3_bind_text(stmt, 1, rule_get_name(rule), -1, NULL);
577 }, ^bool(auth_items_t data) {
578 result = true;
579 auth_items_copy(rule->data, data);
580 return true;
581 });
582
583 if (rule_get_id(rule) != 0) {
584 _get_sql_mechanisms(rule,dbconn);
585
586 if (rule_get_class(rule) == RC_RULE) {
587 _get_sql_delegates(rule, dbconn);
588 }
589 }
590
591 return result;
592 }
593
594 static bool
595 _sql_update(rule_t rule, authdb_connection_t dbconn)
596 {
597 bool result = false;
598
599 result = authdb_step(dbconn, "UPDATE rules " \
600 "SET name=?,type=?,class=?,'group'=?,kofn=?,timeout=?,flags=?,tries=?,version=?,created=?,modified=?,hash=?,identifier=?,requirement=?,comment=? " \
601 "WHERE id = ?",
602 ^(sqlite3_stmt *stmt) {
603 _sql_bind(rule, stmt);
604 sqlite3_bind_int64(stmt, sqlite3_bind_parameter_count(stmt), rule_get_id(rule));
605 }, NULL);
606 return result;
607 }
608
609 static bool
610 _sql_insert(rule_t rule, authdb_connection_t dbconn)
611 {
612 bool result = false;
613
614 result = authdb_step(dbconn, "INSERT INTO rules VALUES (NULL,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
615 ^(sqlite3_stmt *stmt) {
616 _sql_bind(rule, stmt);
617 }, NULL);
618 return result;
619 }
620
621 static bool
622 _sql_commit_mechanisms_map(rule_t rule, authdb_connection_t dbconn)
623 {
624 bool result = false;
625
626 result = authdb_step(dbconn, "DELETE FROM mechanisms_map WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
627 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
628 }, NULL);
629 require(result == true, done);
630
631 CFIndex count = CFArrayGetCount(rule->mechanisms);
632 for(CFIndex i = 0; i < count; i++) {
633 mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
634 result = authdb_step(dbconn, "INSERT INTO mechanisms_map VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
635 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
636 sqlite3_bind_int64(stmt, 2, mechanism_get_id(mech));
637 sqlite3_bind_int64(stmt, 3, i);
638 }, NULL);
639 require(result == true, done);
640 }
641
642 done:
643 return result;
644 }
645
646 static bool
647 _sql_commit_delegates_map(rule_t rule, authdb_connection_t dbconn)
648 {
649 bool result = false;
650
651 result = authdb_step(dbconn, "DELETE FROM delegates_map WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
652 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
653 }, NULL);
654 require(result == true, done);
655
656 CFIndex count = CFArrayGetCount(rule->delegations);
657 for(CFIndex i = 0; i < count; i++) {
658 rule_t delegate = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
659 result = authdb_step(dbconn, "INSERT INTO delegates_map VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
660 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
661 sqlite3_bind_int64(stmt, 2, rule_get_id(delegate));
662 sqlite3_bind_int64(stmt, 3, i);
663 }, NULL);
664 require(result == true, done);
665 }
666
667 done:
668 return result;
669 }
670
671 static void
672 _sql_commit_localization(rule_t rule, authdb_connection_t dbconn)
673 {
674
675 authdb_step(dbconn, "DELETE FROM prompts WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
676 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
677 }, NULL);
678
679 authdb_step(dbconn, "DELETE FROM buttons WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
680 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
681 }, NULL);
682
683 if (rule->loc_prompts) {
684 _cf_dictionary_iterate(rule->loc_prompts, ^bool(CFTypeRef key, CFTypeRef value) {
685 char * lang = _copy_cf_string(key, NULL);
686 char * str = _copy_cf_string(value, NULL);
687
688 authdb_step(dbconn, "INSERT INTO prompts VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
689 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
690 sqlite3_bind_text(stmt, 2, lang, -1, NULL);
691 sqlite3_bind_text(stmt, 3, str, -1, NULL);
692 }, NULL);
693
694 free_safe(lang);
695 free_safe(str);
696
697 return true;
698 });
699 }
700
701 if (rule->loc_buttons) {
702 _cf_dictionary_iterate(rule->loc_buttons, ^bool(CFTypeRef key, CFTypeRef value) {
703 char * lang = _copy_cf_string(key, NULL);
704 char * str = _copy_cf_string(value, NULL);
705
706 authdb_step(dbconn, "INSERT INTO buttons VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
707 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
708 sqlite3_bind_text(stmt, 2, lang, -1, NULL);
709 sqlite3_bind_text(stmt, 3, str, -1, NULL);
710 }, NULL);
711
712 free_safe(lang);
713 free_safe(str);
714 return true;
715 });
716 }
717
718 }
719
720 bool
721 rule_sql_commit(rule_t rule, authdb_connection_t dbconn, CFAbsoluteTime modified, process_t proc)
722 {
723 bool result = false;
724 // type and class required else rule is name only?
725 RuleClass rule_class = rule_get_class(rule);
726 require(rule_get_type(rule) != 0, done);
727 require(rule_class != 0, done);
728
729 CFIndex mechCount = 0;
730 if (rule_class == RC_USER || rule_class == RC_MECHANISM) {
731 // Validate mechanisms
732 mechCount = CFArrayGetCount(rule->mechanisms);
733 for (CFIndex i = 0; i < mechCount; i++) {
734 mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
735 if (mechanism_get_id(mech) == 0) {
736 if (!mechanism_sql_fetch(mech, dbconn)) {
737 mechanism_sql_commit(mech, dbconn);
738 mechanism_sql_fetch(mech, dbconn);
739 }
740 }
741 if (!mechanism_exists(mech)) {
742 LOGE("Warning mechanism not found on disk %s during import of %s", mechanism_get_string(mech), rule_get_name(rule));
743 }
744 require_action(mechanism_get_id(mech) != 0, done, LOGE("rule: commit, invalid mechanism %s:%s for %s", mechanism_get_plugin(mech), mechanism_get_param(mech), rule_get_name(rule)));
745 }
746 }
747
748 CFIndex delegateCount = 0;
749 if (rule_class == RC_RULE) {
750 // Validate delegates
751 delegateCount = CFArrayGetCount(rule->delegations);
752 for (CFIndex i = 0; i < delegateCount; i++) {
753 rule_t delegate = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
754 if (rule_get_id(delegate) == 0) {
755 rule_sql_fetch(delegate, dbconn);
756 }
757 require_action(rule_get_id(delegate) != 0, done, LOGE("rule: commit, missing delegate %s for %s", rule_get_name(delegate), rule_get_name(rule)));
758 }
759 }
760
761 auth_items_set_double(rule->data, RULE_MODIFIED, modified);
762
763 result = authdb_transaction(dbconn, AuthDBTransactionNormal, ^bool{
764 bool update = false;
765
766 if (rule_get_id(rule)) {
767 update = _sql_update(rule, dbconn);
768 } else {
769 if (proc) {
770 const char * ident = process_get_identifier(proc);
771 if (ident) {
772 auth_items_set_string(rule->data, RULE_IDENTIFIER, ident);
773 }
774 CFDataRef req = process_get_requirement_data(proc);
775 if (req) {
776 auth_items_set_data(rule->data, RULE_REQUIREMENT, CFDataGetBytePtr(req), (size_t)CFDataGetLength(req));
777 }
778 }
779 auth_items_set_double(rule->data, RULE_CREATED, modified);
780 update = _sql_insert(rule, dbconn);
781 _sql_get_id(rule, dbconn);
782 }
783
784 _sql_commit_localization(rule, dbconn);
785
786 if (update) {
787 update = _sql_commit_mechanisms_map(rule, dbconn);
788 }
789
790 if (update) {
791 update = _sql_commit_delegates_map(rule,dbconn);
792 }
793
794 return update;
795 });
796
797
798 done:
799 if (!result) {
800 LOGV("rule: commit, failed for %s (%llu)", rule_get_name(rule), rule_get_id(rule));
801 }
802 return result;
803 }
804
805 bool
806 rule_sql_remove(rule_t rule, authdb_connection_t dbconn)
807 {
808 bool result = false;
809 int64_t id = rule_get_id(rule);
810
811 if (id == 0) {
812 rule_sql_fetch(rule, dbconn);
813 id = rule_get_id(rule);
814 require(id != 0, done);
815 }
816
817 result = authdb_step(dbconn, "DELETE FROM rules WHERE id = ?",
818 ^(sqlite3_stmt *stmt) {
819 sqlite3_bind_int64(stmt, 1, id);
820 }, NULL);
821 done:
822 return result;
823 }
824
825 CFMutableDictionaryRef
826 rule_copy_to_cfobject(rule_t rule, authdb_connection_t dbconn) {
827 CFMutableDictionaryRef dict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
828
829 CFTypeRef tmp = NULL;
830 CFMutableArrayRef array = NULL;
831 CFIndex count = 0;
832 CFIndex i = 0;
833 int64_t n;
834 double d;
835
836 const char * comment = rule_get_comment(rule);
837 if (comment) {
838 tmp = CFStringCreateWithCString(kCFAllocatorDefault, comment, kCFStringEncodingUTF8);
839 CFDictionarySetValue(dict, CFSTR(kAuthorizationComment), tmp);
840 CFReleaseSafe(tmp);
841 }
842
843 n = rule_get_version(rule);
844 tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
845 CFDictionarySetValue(dict, CFSTR(RULE_VERSION), tmp);
846 CFReleaseSafe(tmp);
847
848 d = rule_get_created(rule);
849 tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberFloat64Type, &d);
850 CFDictionarySetValue(dict, CFSTR(RULE_CREATED), tmp);
851 CFReleaseSafe(tmp);
852
853 d = rule_get_modified(rule);
854 tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberFloat64Type, &d);
855 CFDictionarySetValue(dict, CFSTR(RULE_MODIFIED), tmp);
856 CFReleaseSafe(tmp);
857
858 const char * identifier = rule_get_identifier(rule);
859 if (identifier) {
860 tmp = CFStringCreateWithCString(kCFAllocatorDefault, identifier, kCFStringEncodingUTF8);
861 CFDictionarySetValue(dict, CFSTR(RULE_IDENTIFIER), tmp);
862 CFReleaseSafe(tmp);
863 }
864
865 SecRequirementRef req = rule_get_requirment(rule);
866 if (req) {
867 CFStringRef reqStr = NULL;
868 SecRequirementCopyString(req, kSecCSDefaultFlags, &reqStr);
869 if (reqStr) {
870 CFDictionarySetValue(dict, CFSTR(RULE_REQUIREMENT), reqStr);
871 CFReleaseSafe(reqStr);
872 }
873 }
874
875 if (rule_check_flags(rule, RuleFlagEntitled)) {
876 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterEntitled), kCFBooleanTrue);
877 }
878
879 if (rule_check_flags(rule, RuleFlagRequireAppleSigned)) {
880 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterRequireAppleSigned), kCFBooleanTrue);
881 }
882
883 if (rule_get_type(rule) == RT_RIGHT) {
884 CFMutableDictionaryRef prompts = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
885 authdb_step(dbconn, "SELECT * FROM prompts WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
886 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
887 }, ^bool(auth_items_t data) {
888 CFStringRef key = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "lang"), kCFStringEncodingUTF8);
889 CFStringRef value = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "value"), kCFStringEncodingUTF8);
890 CFDictionaryAddValue(prompts, key, value);
891 CFReleaseSafe(key);
892 CFReleaseSafe(value);
893 return true;
894 });
895
896 if (CFDictionaryGetCount(prompts)) {
897 CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterDefaultPrompt), prompts);
898 }
899 CFReleaseSafe(prompts);
900
901 CFMutableDictionaryRef buttons = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
902 authdb_step(dbconn, "SELECT * FROM buttons WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
903 sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
904 }, ^bool(auth_items_t data) {
905 CFStringRef key = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "lang"), kCFStringEncodingUTF8);
906 CFStringRef value = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "value"), kCFStringEncodingUTF8);
907 CFDictionaryAddValue(buttons, key, value);
908 CFReleaseSafe(key);
909 CFReleaseSafe(value);
910 return true;
911 });
912
913 if (CFDictionaryGetCount(buttons)) {
914 CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterDefaultButton), buttons);
915 }
916 CFReleaseSafe(buttons);
917 }
918
919 switch (rule_get_class(rule)) {
920 case RC_USER:
921 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassUser));
922
923 const char * group = rule_get_group(rule);
924 if (group) {
925 tmp = CFStringCreateWithCString(kCFAllocatorDefault, group, kCFStringEncodingUTF8);
926 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterGroup), tmp);
927 CFReleaseSafe(tmp);
928 }
929
930 n = rule_get_timeout(rule);
931 tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
932 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialTimeout), tmp);
933 CFReleaseSafe(tmp);
934
935 n = rule_get_tries(rule);
936 tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
937 CFDictionarySetValue(dict, CFSTR("tries"), tmp);
938 CFReleaseSafe(tmp);
939
940 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialShared), rule_get_shared(rule) ? kCFBooleanTrue : kCFBooleanFalse);
941 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterAllowRoot), rule_get_allow_root(rule) ? kCFBooleanTrue : kCFBooleanFalse);
942 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialSessionOwner), rule_get_session_owner(rule) ? kCFBooleanTrue : kCFBooleanFalse);
943 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterAuthenticateUser), rule_get_authenticate_user(rule) ? kCFBooleanTrue : kCFBooleanFalse);
944 if (rule_check_flags(rule, RuleFlagEntitledAndGroup)) {
945 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterEntitledAndGroup), kCFBooleanTrue);
946 }
947 if (rule_check_flags(rule, RuleFlagVPNEntitledAndGroup)) {
948 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterVPNEntitledAndGroup), kCFBooleanTrue);
949 }
950 if (rule_get_extract_password(rule)) {
951 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterExtractPassword), kCFBooleanTrue);
952 }
953
954 count = CFArrayGetCount(rule->mechanisms);
955 if (count) {
956 array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
957 for (i = 0; i < count; i++) {
958 mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
959 tmp = CFStringCreateWithCString(kCFAllocatorDefault, mechanism_get_string(mech), kCFStringEncodingUTF8);
960 CFArrayAppendValue(array, tmp);
961 CFReleaseSafe(tmp);
962 }
963 CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterMechanisms), array);
964 CFRelease(array);
965 }
966 break;
967 case RC_RULE:
968 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRightRule));
969 int64_t kofn = rule_get_kofn(rule);
970 if (kofn) {
971 tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &kofn);
972 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterKofN), tmp);
973 CFReleaseSafe(tmp);
974 }
975
976 count = CFArrayGetCount(rule->delegations);
977 if (count) {
978 array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
979 for (i = 0; i < count; i++) {
980 rule_t delegate = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
981 tmp = CFStringCreateWithCString(kCFAllocatorDefault, rule_get_name(delegate), kCFStringEncodingUTF8);
982 CFArrayAppendValue(array, tmp);
983 CFReleaseSafe(tmp);
984 }
985 CFDictionaryAddValue(dict, CFSTR(kAuthorizationRightRule), array);
986 CFRelease(array);
987 }
988 break;
989 case RC_MECHANISM:
990 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassMechanisms));
991
992 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialShared), rule_get_shared(rule) ? kCFBooleanTrue : kCFBooleanFalse);
993 if (rule_get_extract_password(rule)) {
994 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterExtractPassword), kCFBooleanTrue);
995 }
996
997 n = rule_get_tries(rule);
998 tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
999 CFDictionarySetValue(dict, CFSTR("tries"), tmp);
1000 CFReleaseSafe(tmp);
1001
1002 count = CFArrayGetCount(rule->mechanisms);
1003 if (count) {
1004 array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
1005 for (i = 0; i < count; i++) {
1006 mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
1007 tmp = CFStringCreateWithCString(kCFAllocatorDefault, mechanism_get_string(mech), kCFStringEncodingUTF8);
1008 CFArrayAppendValue(array, tmp);
1009 CFReleaseSafe(tmp);
1010 }
1011 CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterMechanisms), array);
1012 CFRelease(array);
1013 }
1014 break;
1015 case RC_DENY:
1016 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassDeny));
1017 break;
1018 case RC_ALLOW:
1019 CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassAllow));
1020 break;
1021 default:
1022 break;
1023 }
1024
1025 return dict;
1026 }
1027
1028
1029 CFArrayRef
1030 rule_get_mechanisms(rule_t rule)
1031 {
1032 return rule->mechanisms;
1033 }
1034
1035 size_t
1036 rule_get_mechanisms_count(rule_t rule)
1037 {
1038 return (size_t)CFArrayGetCount(rule->mechanisms);
1039 }
1040
1041 bool
1042 rule_mechanisms_iterator(rule_t rule, mechanism_iterator_t iter)
1043 {
1044 bool result = false;
1045
1046 CFIndex count = CFArrayGetCount(rule->mechanisms);
1047 for (CFIndex i = 0; i < count; i++) {
1048 mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
1049 result = iter(mech);
1050 if (!result) {
1051 break;
1052 }
1053 }
1054
1055 return result;
1056 }
1057
1058 size_t
1059 rule_get_delegates_count(rule_t rule)
1060 {
1061 return (size_t)CFArrayGetCount(rule->delegations);
1062 }
1063
1064 bool
1065 rule_delegates_iterator(rule_t rule, delegate_iterator_t iter)
1066 {
1067 bool result = false;
1068
1069 CFIndex count = CFArrayGetCount(rule->delegations);
1070 for (CFIndex i = 0; i < count; i++) {
1071 rule_t tmp = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
1072 result = iter(tmp);
1073 if (!result) {
1074 break;
1075 }
1076 }
1077
1078 return result;
1079 }
1080
1081 int64_t
1082 rule_get_id(rule_t rule)
1083 {
1084 return auth_items_get_int64(rule->data, RULE_ID);
1085 }
1086
1087 const char *
1088 rule_get_name(rule_t rule)
1089 {
1090 return auth_items_get_string(rule->data, RULE_NAME);
1091 }
1092
1093 RuleType
1094 rule_get_type(rule_t rule)
1095 {
1096 return (RuleType)auth_items_get_int64(rule->data, RULE_TYPE);
1097 }
1098
1099 RuleClass
1100 rule_get_class(rule_t rule)
1101 {
1102 return (RuleClass)auth_items_get_int64(rule->data, RULE_CLASS);
1103 }
1104
1105 const char *
1106 rule_get_group(rule_t rule)
1107 {
1108 return auth_items_get_string(rule->data, RULE_GROUP);
1109 }
1110
1111 int64_t
1112 rule_get_kofn(rule_t rule)
1113 {
1114 return auth_items_get_int64(rule->data, RULE_KOFN);
1115 }
1116
1117 int64_t
1118 rule_get_timeout(rule_t rule)
1119 {
1120 return auth_items_get_int64(rule->data, RULE_TIMEOUT);
1121 }
1122
1123 bool
1124 rule_check_flags(rule_t rule, RuleFlags flags)
1125 {
1126 return (auth_items_get_int64(rule->data, RULE_FLAGS) & flags) != 0;
1127 }
1128
1129 bool
1130 rule_get_shared(rule_t rule)
1131 {
1132 return rule_check_flags(rule, RuleFlagShared);
1133 }
1134
1135 bool
1136 rule_get_allow_root(rule_t rule)
1137 {
1138 return rule_check_flags(rule, RuleFlagAllowRoot);
1139 }
1140
1141 bool
1142 rule_get_session_owner(rule_t rule)
1143 {
1144 return rule_check_flags(rule, RuleFlagSessionOwner);
1145 }
1146
1147 bool
1148 rule_get_authenticate_user(rule_t rule)
1149 {
1150 return rule_check_flags(rule, RuleFlagAuthenticateUser);
1151 }
1152
1153 bool
1154 rule_get_extract_password(rule_t rule)
1155 {
1156 return rule_check_flags(rule, RuleFlagExtractPassword);
1157 }
1158
1159 int64_t
1160 rule_get_tries(rule_t rule)
1161 {
1162 return auth_items_get_int64(rule->data, RULE_TRIES);
1163 }
1164
1165 const char *
1166 rule_get_comment(rule_t rule)
1167 {
1168 return auth_items_get_string(rule->data, RULE_COMMENT);
1169 }
1170
1171 int64_t
1172 rule_get_version(rule_t rule)
1173 {
1174 return auth_items_get_int64(rule->data, RULE_VERSION);
1175 }
1176
1177 double rule_get_created(rule_t rule)
1178 {
1179 return auth_items_get_double(rule->data, RULE_CREATED);
1180 }
1181
1182 double rule_get_modified(rule_t rule)
1183 {
1184 return auth_items_get_double(rule->data, RULE_MODIFIED);
1185 }
1186
1187 const char * rule_get_identifier(rule_t rule)
1188 {
1189 return auth_items_get_string(rule->data, RULE_IDENTIFIER);
1190 }
1191
1192 CFDataRef rule_get_requirment_data(rule_t rule)
1193 {
1194 if (!rule->requirement_data && auth_items_exist(rule->data, RULE_REQUIREMENT)) {
1195 size_t len;
1196 const void * data = auth_items_get_data(rule->data, RULE_REQUIREMENT, &len);
1197 rule->requirement_data = CFDataCreate(kCFAllocatorDefault, data, (CFIndex)len);
1198 }
1199
1200 return rule->requirement_data;
1201 }
1202
1203 SecRequirementRef rule_get_requirment(rule_t rule)
1204 {
1205 if (!rule->requirement) {
1206 CFDataRef data = rule_get_requirment_data(rule);
1207 if (data) {
1208 SecRequirementCreateWithData(data, kSecCSDefaultFlags, &rule->requirement);
1209 }
1210 }
1211
1212 return rule->requirement;
1213 }