2 * Copyright (c) 2003-2007,2009-2010 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
28 #ifndef _H_AUTHORIZATIONRULE
29 #define _H_AUTHORIZATIONRULE 1
31 #include <CoreFoundation/CoreFoundation.h>
32 #include <security_cdsa_utilities/AuthorizationData.h>
33 #include "authority.h"
namespace Authorization {

// Forward declaration: RuleImpl's evaluator signatures and mRuleDef name
// Rule, which is only defined (as a RefPointer<RuleImpl>) further down.
class Rule;

//
// RuleImpl -- the reference-counted body of a single authorization rule.
//
// Constructed from the right's own dictionary (cfRight) together with the
// shared rule table (cfRules); the parsed configuration is then consulted by
// the evaluate() family to decide whether a request for the named right is
// granted for a given AuthorizationToken.
//
// NOTE(review): the listing this was reconstructed from had its braces and
// access specifiers stripped. The public/private split below follows what
// outside callers appear to need (constructor, evaluate, name,
// extractPassword) -- confirm against the original header before relying
// on it.
//
class RuleImpl : public RefCount
{
public:
    // Parse the rule for right inRightName out of cfRight, resolving any
    // rule references through cfRules.
    RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);

    // Entry point: decide whether inRight is granted to auth.
    //   inRight              the right being requested
    //   inRule               the Rule handle wrapping this object
    //   environmentToClient  context/hints handed back to the client (in/out)
    //   flags                AuthorizationFlags supplied by the caller
    //   now                  evaluation time, compared against credential age
    //   inCredentials        credentials the caller already holds (may be NULL)
    //   credentials          credentials produced by this evaluation (out)
    //   auth                 the token/session being authorized
    //   reason               agent-facing failure reason (out)
    //   savePassword         whether the authenticating password may be kept
    // Returns an OSStatus; presumably errAuthorizationSuccess on grant, with
    // the failure codes chosen in the implementation file.
    OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule,
                      AuthItemSet &environmentToClient,
                      AuthorizationFlags flags, CFAbsoluteTime now,
                      const CredentialSet *inCredentials, CredentialSet &credentials,
                      AuthorizationToken &auth, SecurityAgent::Reason &reason,
                      bool savePassword) const;

    // Name of the right this rule was built for.
    string name() const { return mRightName; }

    // True when the rule asks for the user's password to be extracted into
    // the authorization result (rule key kExtractPasswordID, presumably).
    // NOTE(review): this is a sensitive rule property -- it governs whether
    // a credential secret leaves the evaluator. Confirm how callers gate it.
    bool extractPassword() const { return mExtractPassword; }

private:
    // --- evaluation machinery --------------------------------------------

    // Test one already-held credential against the right. ignoreShared
    // presumably excludes credentials marked as shareable across rights
    // (see kSharedID); confirm in the implementation.
    OSStatus evaluateCredentialForRight(const AuthorizationToken &auth,
                                        const AuthItemRef &inRight, const Rule &inRule,
                                        const AuthItemSet &environment, CFAbsoluteTime now,
                                        const Credential &credential, bool ignoreShared,
                                        SecurityAgent::Reason &reason) const;

    // Same contract as evaluateCredentialForRight, but for a credential that
    // came from authenticating the user.
    OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth,
                                            const AuthItemRef &inRight, const Rule &inRule,
                                            const AuthItemSet &environment, CFAbsoluteTime now,
                                            const Credential &credential, bool ignoreShared,
                                            SecurityAgent::Reason &reason) const;

    // Evaluate a composite rule; presumably walks the sub-rules in mRuleDef.
    OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
                           AuthItemSet &environmentToClient, AuthorizationFlags flags,
                           CFAbsoluteTime now, const CredentialSet *inCredentials,
                           CredentialSet &credentials, AuthorizationToken &auth,
                           SecurityAgent::Reason &reason, bool savePassword) const;

    // Populate environmentToClient with hints for the agent UI.
    void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule,
                       AuthItemSet &environmentToClient, AuthorizationToken &auth) const;

    // Authorize by running the rule's configured mechanisms
    // (see evaluateMechanism in the implementation file).
    OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,
                                    AuthItemSet &environmentToClient, AuthorizationFlags flags,
                                    CFAbsoluteTime now, const CredentialSet *inCredentials,
                                    CredentialSet &credentials, AuthorizationToken &auth,
                                    SecurityAgent::Reason &reason, bool savePassword) const;

    // Authorize a user-class rule (same parameter contract as evaluate()).
    OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
                          AuthItemSet &environmentToClient, AuthorizationFlags flags,
                          CFAbsoluteTime now, const CredentialSet *inCredentials,
                          CredentialSet &credentials, AuthorizationToken &auth,
                          SecurityAgent::Reason &reason, bool savePassword) const;

    // Run only the rule's mechanisms; any credentials they yield land in
    // outCredentials.
    OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule,
                                   AuthItemSet &environmentToClient,
                                   AuthorizationToken &auth, CredentialSet &outCredentials,
                                   bool savePassword) const;

    // Derive a username hint from the owner of the session (fills credential).
    OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule,
                                  const AuthItemSet &environment, const CFAbsoluteTime now,
                                  const AuthorizationToken &auth, Credential &credential,
                                  SecurityAgent::Reason &reason) const;

    // Build the credential set currently attached to auth.
    CredentialSet makeCredentials(const AuthorizationToken &auth) const;

    // Localized prompt/button text parsed from the rule (copies returned).
    map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
    map<string,string> localizedButtons() const { return mLocalizedButtons; }

    // --- parsed rule state -----------------------------------------------
    // NOTE(review): only the data members visible in the reviewed listing are
    // declared here; the original header carries further fields between
    // them, so member layout should not be inferred from this reconstruction.

    string mRightName;                    // right this rule applies to
    CFTimeInterval mMaxCredentialAge;     // credential-age limit (presumably from kTimeoutID)
    vector<string> mEvalDef;              // mechanism list (presumably from kMechanismsID)
    vector<Rule> mRuleDef;                // sub-rules of a composite rule
    // Retry counter. Declared mutable because the const evaluators above bump
    // it. NOTE(review): nothing here synchronizes it -- if one RuleImpl can be
    // evaluated concurrently, this is shared unguarded state; confirm that the
    // caller serializes evaluations.
    mutable uint32_t mTries;
    bool mExtractPassword;                // see extractPassword()
    bool mAuthenticateUser;               // presumably from kRuleAuthenticateUserID
    map<string,string> mLocalizedPrompts;
    map<string,string> mLocalizedButtons;

    // --- rule dictionary readers -----------------------------------------
    // Each reads `key` from `config`; `required` and `defaultValue` control
    // what happens when the key is absent (behavior defined in the .cpp --
    // from the declarations alone it is not visible whether a missing
    // required key throws or falls back).
    static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
    static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
    static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
    static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
    static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts,
                                 CFStringRef dictKey, const char *descriptionKey);

    // --- rule dictionary keys --------------------------------------------
    // Property names looked up in the right/rule dictionaries (presumably via
    // the readers above). Security-relevant ones to keep in mind when
    // auditing a rule: kAllowRootID, kSharedID, kTimeoutID, kTriesID,
    // kExtractPasswordID.
    static CFStringRef kUserGroupID;
    static CFStringRef kTimeoutID;
    static CFStringRef kSharedID;
    static CFStringRef kAllowRootID;
    static CFStringRef kMechanismsID;
    static CFStringRef kSessionOwnerID;
    static CFStringRef kKofNID;
    static CFStringRef kPromptID;
    static CFStringRef kButtonID;
    static CFStringRef kTriesID;
    static CFStringRef kExtractPasswordID;

    // Rule-class vocabulary.
    static CFStringRef kRuleClassID;
    static CFStringRef kRuleAllowID;
    static CFStringRef kRuleDenyID;
    static CFStringRef kRuleUserID;
    static CFStringRef kRuleDelegateID;
    static CFStringRef kRuleMechanismsID;
    static CFStringRef kRuleAuthenticateUserID;
};

//
// Rule -- reference-counting handle to a RuleImpl. Constructing one parses
// the rule; copies share the same RuleImpl.
//
class Rule : public RefPointer<RuleImpl>
{
public:
    Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
};

} /* namespace Authorization */
160 #endif /* ! _H_AUTHORIZATIONRULE */