]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_authorization/lib/AuthorizationDB.h
Security-57336.1.9.tar.gz
[apple/security.git] / OSX / libsecurity_authorization / lib / AuthorizationDB.h
1 /*
2 * Copyright (c) 2003,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * AuthorizationDB.h -- APIs for managing the authorization policy database
26 * and daemons.
27 */
28
29 #ifndef _SECURITY_AUTHORIZATIONDB_H_
30 #define _SECURITY_AUTHORIZATIONDB_H_
31
32 #include <Security/Authorization.h>
33 #include <CoreFoundation/CoreFoundation.h>
34
35 #if defined(__cplusplus)
36 extern "C" {
37 #endif
38
39 CF_ASSUME_NONNULL_BEGIN
40
41 /*!
42 @header AuthorizationDB
43 Version 1.0
44
45 This API allows for any programs to get, modify, delete and add new right definitions to the policy database. Meta-rights specify whether and what authorization is required to make these modifications.
46
47 AuthorizationRightSet(authRef, "com.ifoo.ifax.send", CFSTR(kRuleIsAdmin), CFSTR("You must authenticate to send a fax."), NULL, NULL)
48
49 add a rule for letting admins send faxes using a canned rule, delegating to a pre-specified rule that authorizes everyone who is an admin.
50
51 AuthorizationRightSet(authRef, "com.ifoo.ifax.send", [[CFSTR(kRightRule), CFSTR(kRuleIsAdmin)], [CFSTR(kRightComment), CFSTR("authorizes sending of 1 fax message")]], CFSTR("Authorize sending of a fax"), NULL, NULL)
52
53 add identical rule, but specify additional attributes this time.
54
55 Keep in mind while specifying a comment to be specific about what you need to authorize for (1 fax), in terms of a general message for user. The means of proof required for kRuleIsAdmin (enter username/password for example) should not be included here, since it could be configured differently. Also note that the "authRef" variable used in each of the above examples must be a vaild AuthorizationRef obtained from AuthorizationCreate().
56
57 */
58
59 /*! @define kRightRule
60 rule delegation key. Instead of specifying exact behavior some canned rules
61 are shipped that may be switched by configurable security.
62 */
63 #define kAuthorizationRightRule "rule"
64
65 /*! @defined kRuleIsAdmin
66 canned rule values for use with rule delegation definitions: require user to be an admin.
67 */
68 #define kAuthorizationRuleIsAdmin "is-admin"
69
70 /*! @defined kRuleAuthenticateAsSessionUser
71 canned rule value for use with rule delegation definitions: require user to authenticate as the session owner (logged-in user).
72 */
73 #define kAuthorizationRuleAuthenticateAsSessionUser "authenticate-session-owner"
74
75 /*! @defined kRuleAuthenticateAsAdmin
76 Canned rule value for use with rule delegation definitions: require user to authenticate as admin.
77 */
78 #define kAuthorizationRuleAuthenticateAsAdmin "authenticate-admin"
79
80 /*! @defined kAuthorizationRuleClassAllow
81 Class that allows anything.
82 */
83 #define kAuthorizationRuleClassAllow "allow"
84
85 /*! @defined kAuthorizationRuleClassDeny
86 Class that denies anything.
87 */
88 #define kAuthorizationRuleClassDeny "deny"
89
90 /*! @defined kAuthorizationComment
91 comments for the administrator on what is being customized here;
92 as opposed to (localized) descriptions presented to the user.
93 */
94 #define kAuthorizationComment "comment"
95
96
97
98 /*!
99 @function AuthorizationRightGet
100
101 Retrieves a right definition as a dictionary. There are no restrictions to keep anyone from retrieving these definitions.
102
103 @param rightName (input) the rightname (ASCII). Wildcard rightname definitions are okay.
104 @param rightDefinition (output/optional) the dictionary with all keys defining the right. See documented keys. Passing in NULL will just check if there is a definition. The caller is responsible for releasing the returned dictionary.
105
106 @result errAuthorizationSuccess 0 No error.
107
108 errAuthorizationDenied -60005 No definition found.
109
110 */
111 OSStatus AuthorizationRightGet(const char *rightName,
112 CFDictionaryRef * __nullable CF_RETURNS_RETAINED rightDefinition);
113
114 /*!
115 @function AuthorizationRightSet
116
117 Create or update a right entry. Only normal rights can be registered (wildcard rights are denied); wildcard rights are considered to be put in by an administrator putting together a site configuration.
118
119 @param authRef (input) authRef to authorize modifications.
120 @param rightName (input) the rightname (ASCII). Wildcard rightnames are not okay.
121 @param rightDefinition (input) a CFString of the name of a rule to use (delegate) or CFDictionary containing keys defining one.
122 @param descriptionKey (input/optional) a CFString to use as a key for looking up localized descriptions. If no localization is found this will be the description itself.
123 @param bundle (input/optional) a bundle to get localizations from if not the main bundle.
124 @param localeTableName (input/optional) stringtable name to get localizations from.
125
126 @result errAuthorizationSuccess 0 added right definition successfully.
127
128 errAuthorizationDenied -60005 Unable to create or update right definition.
129
130 errAuthorizationCanceled -60006 Authorization was canceled by user.
131
132 errAuthorizationInteractionNotAllowed -60007 Interaction was required but not possible.
133
134 */
135 OSStatus AuthorizationRightSet(AuthorizationRef authRef,
136 const char *rightName,
137 CFTypeRef rightDefinition,
138 CFStringRef __nullable descriptionKey,
139 CFBundleRef __nullable bundle,
140 CFStringRef __nullable localeTableName);
141
142
143
144 /*!
145 @function AuthorizationRightRemove
146
147 Request to remove a right from the policy database.
148
149 @param authRef (input) authRef, to be used to authorize this action.
150 @param rightName (input) the rightname (ASCII). Wildcard rightnames are not okay.
151
152 */
153 OSStatus AuthorizationRightRemove(AuthorizationRef authRef,
154 const char *rightName);
155
156 CF_ASSUME_NONNULL_END
157
158 #if defined(__cplusplus)
159 }
160 #endif
161
162 #endif /* !_SECURITY_AUTHORIZATIONDB_H_ */
163