1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // acls - SecurityServer ACL implementation
21 //
22 #include "acls.h"
23 #include "connection.h"
24 #include "server.h"
25 #include "SecurityAgentClient.h"
26 #include <Security/acl_any.h>
27 #include <Security/acl_password.h>
28 #include <Security/acl_threshold.h>
29
30
31 //
32 // SecurityServerAcl is virtual
33 //
// Out-of-line destructor definition with an empty body: this class releases
// nothing itself here.
SecurityServerAcl::~SecurityServerAcl()
{
}
36
37
38 //
39 // Each SecurityServerAcl type must provide some indication of a database
40 // it is associated with. The default, naturally, is "none".
41 //
// Base-class answer to "which database does this ACL belong to?": none.
// Callers must be prepared for a NULL result.
const Database *SecurityServerAcl::relatedDatabase() const
{
    return NULL;
}
44
45
46 //
47 // Provide environmental information to get/change-ACL calls.
48 // Also make them virtual so our children can override them.
49 //
// Retrieve ACL entries by forwarding to ObjectAcl::cssmGetAcl.
//   tag   - passed through unchanged to ObjectAcl
//   count - out: filled in by ObjectAcl
//   acls  - out: filled in by ObjectAcl
// instantiateAcl() runs first; presumably it makes the ACL available in
// memory before it is read (its body is not in this file).
void SecurityServerAcl::cssmGetAcl(const char *tag, uint32 &count, AclEntryInfo * &acls)
{
    instantiateAcl();
    ObjectAcl::cssmGetAcl(tag, count, acls);
}
55
// Retrieve the ACL owner by forwarding to ObjectAcl::cssmGetOwner.
//   owner - out: filled in by ObjectAcl
// instantiateAcl() runs first, as in the other accessors of this class.
void SecurityServerAcl::cssmGetOwner(AclOwnerPrototype &owner)
{
    instantiateAcl();
    ObjectAcl::cssmGetOwner(owner);
}
61
// Apply an ACL edit on behalf of the caller.
//   edit - the requested modification, passed through to ObjectAcl
//   cred - caller-supplied credentials, passed through to ObjectAcl
// The edit is evaluated by ObjectAcl::cssmChangeAcl with a
// SecurityServerEnvironment built from this object. noticeAclChange() is
// reached only when that call returns normally; if it throws, no change
// notice is issued.
void SecurityServerAcl::cssmChangeAcl(const AclEdit &edit, const AccessCredentials *cred)
{
    instantiateAcl();

    SecurityServerEnvironment environment(*this);
    ObjectAcl::cssmChangeAcl(edit, cred, &environment);

    noticeAclChange();
}
69
// Replace the ACL owner on behalf of the caller.
//   newOwner - the owner prototype to install, passed through to ObjectAcl
//   cred     - caller-supplied credentials, passed through to ObjectAcl
// Mirrors cssmChangeAcl: the request is evaluated by
// ObjectAcl::cssmChangeOwner with a SecurityServerEnvironment built from this
// object, and noticeAclChange() runs only if that call does not throw.
void SecurityServerAcl::cssmChangeOwner(const AclOwnerPrototype &newOwner,
    const AccessCredentials *cred)
{
    instantiateAcl();

    SecurityServerEnvironment environment(*this);
    ObjectAcl::cssmChangeOwner(newOwner, cred, &environment);

    noticeAclChange();
}
78
79
80 //
81 // Modified validate() methods to connect all the conduits...
82 //
// Check whether the given credentials authorize the requested operation.
//   auth - the authorization being requested
//   cred - caller-supplied credentials; handed to ObjectAcl unchanged
// The decision itself is made by ObjectAcl::validate; this wrapper only
// supplies a SecurityServerEnvironment built from this object. No result is
// returned, so a refusal has to surface as an exception from
// ObjectAcl::validate (not visible in this file).
void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred) const
{
    instantiateAcl();

    SecurityServerEnvironment environment(*this);
    ObjectAcl::validate(auth, cred, &environment);
}
89
// Convenience overload: pull the access credentials out of a CSSM context and
// validate against them.
//   auth    - the authorization being requested
//   context - searched for a CSSM_ATTRIBUTE_ACCESS_CREDENTIALS attribute
// NOTE(review): no check is made here that the attribute is present; whatever
// get<>() yields for a missing attribute (presumably NULL - confirm) is passed
// straight to the credential-based validate().
void SecurityServerAcl::validate(AclAuthorization auth, const Context &context) const
{
    const AccessCredentials *contextCred =
        context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS);
    validate(auth, contextCred);
}
95
96
97 //
98 // This function decodes the "special passphrase samples" that provide passphrases
99 // to the SecurityServer through ACL sample blocks. Essentially, it trolls a credentials
100 // structure's samples for the special markers, resolves anything that contains
101 // passphrases outright (and returns true), or returns false if the normal interactive
102 // procedures are to be followed.
103 // (This doesn't strongly belong to the SecurityServerAcl class, but doesn't really have
104 // a better home elsewhere.)
105 //
// Look through the top-level samples of a credentials structure for one tagged
// with neededSampleType and, if it carries a passphrase, hand that back.
//   cred             - caller-supplied credentials; may be NULL
//   neededSampleType - the outer sample type to look for
//   passphrase       - out: receives the passphrase when true is returned
// Returns true when a passphrase was extracted. Returns false when cred is
// NULL, when no sample has the needed type, or when the matching sample asks
// for a keychain prompt (i.e. the interactive path should be used).
// Throws CSSM_ERRCODE_INVALID_SAMPLE_VALUE for any sample that is not a proper
// typed list, for a password sample that is not exactly two elements long, and
// for an inner sample type other than prompt or password.
// Note that every sample visited before a match is also checked with
// isProper(), so one malformed sample ahead of the match rejects the whole
// credential set.
bool SecurityServerAcl::getBatchPassphrase(const AccessCredentials *cred,
    CSSM_SAMPLE_TYPE neededSampleType, CssmOwnedData &passphrase)
{
    // no credentials at all: nothing to decode, use the normal procedure
    if (!cred)
        return false;

    const SampleGroup &group = cred->samples();
    for (uint32 index = 0; index < group.length(); index++) {
        TypedList sample = group[index];    // local copy; snip() below acts on it
        if (!sample.isProper())
            CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);

        // only the wrapper type we were asked for is of interest
        if (sample.type() != neededSampleType)
            continue;

        // drop the wrapper element; what remains must again be a typed list
        sample.snip();
        if (!sample.isProper())
            CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);

        switch (sample.type()) {
        case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
            // explicit request for the interactive path
            return false;
        case CSSM_SAMPLE_TYPE_PASSWORD:
            // expected shape: type word followed by exactly one value
            if (sample.length() != 2)
                CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
            // NOTE(review): only the element count is checked here, not the
            // kind of element at index 1. Confirm that the conversion used by
            // this assignment rejects a non-data element in release builds.
            passphrase = sample[1];
            return true;
        default:
            CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
        }
    }

    // nothing of the needed type was present
    return false;
}
136
137
138 //
139 // Implement our environment object
140 //
// User id used when evaluating ACL subjects: the uid held by the process
// object of the connection that Server::connection() returns. How that value
// was established for the client is not visible in this file.
uid_t SecurityServerEnvironment::getuid() const
{
    const uid_t clientUid = Server::connection().process.uid();
    return clientUid;
}
145
// Group id used when evaluating ACL subjects: the gid held by the process
// object of the connection that Server::connection() returns.
gid_t SecurityServerEnvironment::getgid() const
{
    const gid_t clientGid = Server::connection().process.gid();
    return clientGid;
}
150
// Process id used when evaluating ACL subjects: the pid held by the process
// object of the connection that Server::connection() returns.
pid_t SecurityServerEnvironment::getpid() const
{
    const pid_t clientPid = Server::connection().process.pid();
    return clientPid;
}
155
// Ask the client process object of the current connection whether it matches
// the given code signature.
//   signature - the signature to compare against, passed through unchanged
// Returns whatever the process object's verifyCodeSignature() reports; the
// verification itself is implemented there, not in this file.
bool SecurityServerEnvironment::verifyCodeSignature(const CodeSigning::Signature *signature)
{
    const bool verified = Server::connection().process.verifyCodeSignature(signature);
    return verified;
}