securityd/src/AuthorizationRule.h

   1 /*
   2  *  Copyright (c) 2003-2007,2009-2010 Apple Inc. All Rights Reserved.
   3  *
   4  *  @APPLE_LICENSE_HEADER_START@
   5  *
   6  *  This file contains Original Code and/or Modifications of Original Code
   7  *  as defined in and that are subject to the Apple Public Source License
   8  *  Version 2.0 (the 'License'). You may not use this file except in
   9  *  compliance with the License. Please obtain a copy of the License at
  10  *  http://www.opensource.apple.com/apsl/ and read it before using this
  11  *  file.
  12  *
  13  *  The Original Code and all software distributed under the License are
  14  *  distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  *  EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  *  INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  *  FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  *  Please see the License for the specific language governing rights and
  19  *  limitations under the License.
  20  *
  21  *  @APPLE_LICENSE_HEADER_END@
  22  *
  23  *  AuthorizationRule.h
  24  *  Security
  25  *
  26  */
  27
  28 #ifndef _H_AUTHORIZATIONRULE
  29 #define _H_AUTHORIZATIONRULE  1
  30
  31 #include <CoreFoundation/CoreFoundation.h>
  32 #include <security_cdsa_utilities/AuthorizationData.h>
  33 #include "authority.h"
  34 #include "agentclient.h"
  35
  36 namespace Authorization
  37 {
  38
  39 class Rule;
  40
  41 class RuleImpl : public RefCount
  42 {
  43 public:
  44         RuleImpl();
  45         RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
  46
  47         OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
  48                 AuthorizationFlags flags, CFAbsoluteTime now,
  49                 const CredentialSet *inCredentials, CredentialSet &credentials,
  50                 AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
  51
  52         string name() const { return mRightName; }
  53         bool extractPassword() const { return mExtractPassword; }
  54
  55 private:
  56 // internal machinery
  57
  58         // evaluate credential for right
  59         OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule,
  60                                         const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
  61         // evaluate user credential (authentication) for right
  62         OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
  63
  64         OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
  65     AuthItemSet &environmentToClient, AuthorizationFlags flags,
  66         CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
  67         AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
  68
  69         void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;
  70
  71         // perform authorization based on running specified mechanisms (see evaluateMechanism)
  72         OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
  73
  74         OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
  75                 AuthItemSet &environmentToClient, AuthorizationFlags flags,
  76                 CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
  77                 AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
  78
  79         OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const;
  80
  81         // find username hint based on session owner
  82         OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const;
  83
  84         CredentialSet makeCredentials(const AuthorizationToken &auth) const;
  85
  86         map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
  87         map<string,string> localizedButtons() const { return mLocalizedButtons; }
  88
  89
  90 // parsed attributes
  91 private:
  92         enum Type
  93         {
  94                 kDeny,
  95                 kAllow,
  96                 kUser,
  97                 kRuleDelegation,
  98                 kKofN,
  99                 kEvaluateMechanisms,
 100         } mType;
 101
 102         string mRightName;
 103         string mGroupName;
 104         CFTimeInterval mMaxCredentialAge;
 105         bool mShared;
 106         bool mAllowRoot;
 107         vector<string> mEvalDef;
 108         bool mSessionOwner;
 109         vector<Rule> mRuleDef;
 110         uint32_t mKofN;
 111         mutable uint32_t mTries;
 112         bool mExtractPassword;
 113         bool mAuthenticateUser;
 114         map<string,string> mLocalizedPrompts;
 115         map<string,string> mLocalizedButtons;
 116
 117 private:
 118
 119         class Attribute
 120         {
 121         public:
 122                 static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
 123                 static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
 124                 static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
 125                 static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
 126                 static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey);
 127         };
 128
 129
 130 // keys
 131         static CFStringRef kUserGroupID;
 132         static CFStringRef kTimeoutID;
 133         static CFStringRef kSharedID;
 134         static CFStringRef kAllowRootID;
 135         static CFStringRef kMechanismsID;
 136         static CFStringRef kSessionOwnerID;
 137         static CFStringRef kKofNID;
 138         static CFStringRef kPromptID;
 139         static CFStringRef kButtonID;
 140     static CFStringRef kTriesID;
 141         static CFStringRef kExtractPasswordID;
 142
 143         static CFStringRef kRuleClassID;
 144         static CFStringRef kRuleAllowID;
 145         static CFStringRef kRuleDenyID;
 146         static CFStringRef kRuleUserID;
 147         static CFStringRef kRuleDelegateID;
 148         static CFStringRef kRuleMechanismsID;
 149         static CFStringRef kRuleAuthenticateUserID;
 150 };
 151
 152 class Rule : public RefPointer<RuleImpl>
 153 {
 154 public:
 155         Rule();
 156         Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
 157 };
 158
 159 }; /* namespace Authorization */
 160
 161 #endif /* ! _H_AUTHORIZATIONRULE */