]> git.saurik.com Git - apple/security.git/blob - Security/authd/credential.c
Security-57031.40.6.tar.gz
[apple/security.git] / Security / authd / credential.c
1 /* Copyright (c) 2012-2013 Apple Inc. All Rights Reserved. */
2
3 #include "credential.h"
4 #include "authutilities.h"
5 #include "debugging.h"
6 #include "crc.h"
7
8 #include <pwd.h>
9 #include <membership.h>
10 #include <membershipPriv.h>
11
12 struct _credential_s {
13 __AUTH_BASE_STRUCT_HEADER__;
14
15 bool right; // is least-privileged credential
16
17 uid_t uid;
18 char * name;
19 char * realName;
20
21 CFAbsoluteTime creationTime;
22 bool valid;
23 bool shared;
24
25 CFMutableSetRef cachedGroups;
26 };
27
28 static void
29 _credential_finalize(CFTypeRef value)
30 {
31 credential_t cred = (credential_t)value;
32
33 free_safe(cred->name);
34 free_safe(cred->realName);
35 CFReleaseSafe(cred->cachedGroups);
36 }
37
38 static CFStringRef
39 _credential_copy_description(CFTypeRef value)
40 {
41 credential_t cred = (credential_t)value;
42 CFStringRef str = NULL;
43 CFTimeZoneRef sys_tz = CFTimeZoneCopySystem();
44 CFGregorianDate date = CFAbsoluteTimeGetGregorianDate(cred->creationTime, sys_tz);
45 CFReleaseSafe(sys_tz);
46 if (cred->right) {
47 str = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("credential: right=%s, shared=%i, creation=%01i:%01i:%01i, valid=%i"), cred->name, cred->shared, date.hour,date.minute,(int32_t)date.second, cred->valid);
48 } else {
49 str = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("credential: uid=%i, name=%s, shared=%i, creation=%01i:%01i:%01i valid=%i"), cred->uid, cred->name, cred->shared, date.hour,date.minute,(int32_t)date.second, cred->valid);
50 }
51 return str;
52 }
53
54 static CFHashCode
55 _credential_hash(CFTypeRef value)
56 {
57 credential_t cred = (credential_t)value;
58 uint64_t crc = crc64_init();
59 if (cred->right) {
60 crc = crc64_update(crc, cred->name, strlen(cred->name));
61 } else {
62 crc = crc64_update(crc, &cred->uid, sizeof(cred->uid));
63 }
64 crc = crc64_update(crc, &cred->shared, sizeof(cred->shared));
65 crc = crc64_final(crc);
66
67 return crc;
68 }
69
70 static Boolean
71 _credential_equal(CFTypeRef value1, CFTypeRef value2)
72 {
73 credential_t cred1 = (credential_t)value1;
74 credential_t cred2 = (credential_t)value2;
75
76 return _credential_hash(cred1) == _credential_hash(cred2);
77 }
78
79 AUTH_TYPE_INSTANCE(credential,
80 .init = NULL,
81 .copy = NULL,
82 .finalize = _credential_finalize,
83 .equal = _credential_equal,
84 .hash = _credential_hash,
85 .copyFormattingDesc = NULL,
86 .copyDebugDesc = _credential_copy_description
87 );
88
89 static CFTypeID credential_get_type_id() {
90 static CFTypeID type_id = _kCFRuntimeNotATypeID;
91 static dispatch_once_t onceToken;
92
93 dispatch_once(&onceToken, ^{
94 type_id = _CFRuntimeRegisterClass(&_auth_type_credential);
95 });
96
97 return type_id;
98 }
99
100 static credential_t
101 _credential_create()
102 {
103 credential_t cred = NULL;
104
105 cred = (credential_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, credential_get_type_id(), AUTH_CLASS_SIZE(credential), NULL);
106 require(cred != NULL, done);
107
108 cred->creationTime = CFAbsoluteTimeGetCurrent();
109 cred->cachedGroups = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);;
110
111 done:
112 return cred;
113 }
114
115 credential_t
116 credential_create(uid_t uid)
117 {
118 credential_t cred = NULL;
119
120 cred = _credential_create();
121 require(cred != NULL, done);
122
123 struct passwd *pw = getpwuid(uid);
124 if (pw != NULL) {
125 // avoid hinting a locked account
126 if ( (pw->pw_passwd == NULL) || strcmp(pw->pw_passwd, "*") ) {
127 cred->uid = pw->pw_uid;
128 cred->name = _copy_string(pw->pw_name);
129 cred->realName = _copy_string(pw->pw_gecos);
130 cred->valid = true;
131 } else {
132 cred->uid = (uid_t)-2;
133 cred->valid = false;
134 }
135 endpwent();
136 }
137
138 done:
139 return cred;
140 }
141
142 credential_t
143 credential_create_with_credential(credential_t srcCred, bool shared)
144 {
145 credential_t cred = NULL;
146
147 cred = _credential_create();
148 require(cred != NULL, done);
149
150 cred->uid = srcCred->uid;
151 cred->name = _copy_string(srcCred->name);
152 cred->realName = _copy_string(srcCred->realName);
153 cred->valid = srcCred->valid;
154 cred->right = srcCred->right;
155 cred->shared = shared;
156
157 done:
158 return cred;
159 }
160
161 credential_t
162 credential_create_with_right(const char * right)
163 {
164 credential_t cred = NULL;
165
166 cred = _credential_create();
167 require(cred != NULL, done);
168
169 cred->right = true;
170 cred->name = _copy_string(right);
171 cred->uid = (uid_t)-2;
172 cred->valid = true;
173
174 done:
175 return cred;
176 }
177
178 uid_t
179 credential_get_uid(credential_t cred)
180 {
181 return cred->uid;
182 }
183
184 const char *
185 credential_get_name(credential_t cred)
186 {
187 return cred->name;
188 }
189
190 const char *
191 credential_get_realname(credential_t cred)
192 {
193 return cred->realName;
194 }
195
196 CFAbsoluteTime
197 credential_get_creation_time(credential_t cred)
198 {
199 return cred->creationTime;
200 }
201
202 bool
203 credential_get_valid(credential_t cred)
204 {
205 return cred->valid;
206 }
207
208 bool
209 credential_get_shared(credential_t cred)
210 {
211 return cred->shared;
212 }
213
214 bool
215 credential_is_right(credential_t cred)
216 {
217 return cred->right;
218 }
219
220 bool
221 credential_check_membership(credential_t cred,const char* group)
222 {
223 bool result = false;
224 CFStringRef cachedGroup = NULL;
225 require(group != NULL, done);
226 require(cred->uid != 0 || cred->uid != (uid_t)-2, done);
227 require(cred->right != true, done);
228
229 cachedGroup = CFStringCreateWithCString(kCFAllocatorDefault, group, kCFStringEncodingUTF8);
230 require(cachedGroup != NULL, done);
231
232 if (CFSetGetValue(cred->cachedGroups, cachedGroup) != NULL) {
233 result = true;
234 goto done;
235 }
236
237 int rc, ismember;
238 uuid_t group_uuid, user_uuid;
239 rc = mbr_group_name_to_uuid(group, group_uuid);
240 require_noerr(rc, done);
241
242 rc = mbr_uid_to_uuid(cred->uid, user_uuid);
243 require_noerr(rc, done);
244
245 rc = mbr_check_membership(user_uuid, group_uuid, &ismember);
246 require_noerr(rc, done);
247
248 result = ismember;
249
250 if (ismember) {
251 CFSetSetValue(cred->cachedGroups, cachedGroup);
252 }
253
254 done:
255 CFReleaseSafe(cachedGroup);
256 return result;
257 }
258
259 void
260 credential_invalidate(credential_t cred)
261 {
262 cred->valid = false;
263 }