]> git.saurik.com Git - apple/security.git/blob - SecurityServer/authority.h
Security-54.1.tar.gz
[apple/security.git] / SecurityServer / authority.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // authority - authorization manager
21 //
22 #ifndef _H_AUTHORITY
23 #define _H_AUTHORITY
24
25 #include "securityserver.h"
26 #include "AuthorizationEngine.h"
27
28 using Authorization::Credential;
29 using Authorization::CredentialSet;
30 using Authorization::RightSet;
31 using Authorization::MutableRightSet;
32 using Authorization::AuthItemSet;
33
34 class Process;
35 class Session;
36
37
38 class AuthorizationToken {
39 public:
40 AuthorizationToken(Session &ssn, const CredentialSet &base);
41 ~AuthorizationToken();
42
43 Session &session;
44
45 const AuthorizationBlob &handle() const { return mHandle; }
46 const CredentialSet &baseCreds() const { return mBaseCreds; }
47 CredentialSet effectiveCreds() const;
48
49 typedef CredentialSet::iterator iterator;
50 iterator begin() { return mBaseCreds.begin(); }
51 iterator end() { return mBaseCreds.end(); }
52
53 // add more credential dependencies
54 void mergeCredentials(const CredentialSet &more);
55
56 // maintain process-owning links
57 void addProcess(Process &proc);
58 bool endProcess(Process &proc);
59
60 // access control for external representations
61 bool mayExternalize(Process &proc) const;
62 bool mayInternalize(Process &proc, bool countIt = true);
63
64 uid_t creatorUid() const { return mCreatorUid; }
65 CodeSigning::OSXCode *creatorCode() const { return mCreatorCode; }
66
67 AuthorizationItemSet &infoSet();
68 void setInfoSet(AuthorizationItemSet &newInfoSet);
69 void setCredentialInfo(const Credential &inCred);
70
71 public:
72 static AuthorizationToken &find(const AuthorizationBlob &blob);
73
74 class Deleter {
75 public:
76 Deleter(const AuthorizationBlob &blob);
77
78 void remove();
79 operator AuthorizationToken &() const { return *mAuth; }
80
81 private:
82 AuthorizationToken *mAuth;
83 StLock<Mutex> lock;
84 };
85
86 private:
87 Mutex mLock; // object lock
88 AuthorizationBlob mHandle; // official randomized blob marker
89 CredentialSet mBaseCreds; // credentials we're based on
90
91 unsigned int mTransferCount; // number of internalizations remaining
92
93 typedef set<Process *> ProcessSet;
94 ProcessSet mUsingProcesses; // set of process objects using this token
95
96 uid_t mCreatorUid; // Uid of proccess that created this authorization
97 RefPointer<OSXCode> mCreatorCode; // code id of creator
98
99 AuthorizationItemSet *mInfoSet; // Side band info gathered from evaluations in this session
100
101 private:
102 typedef map<AuthorizationBlob, AuthorizationToken *> AuthMap;
103 static AuthMap authMap; // set of extant authorizations
104 static Mutex authMapLock; // lock for mAuthorizations (only)
105 };
106
107
108 //
109 // The authority itself. You will usually only have one of these.
110 //
111 class Authority : public Authorization::Engine {
112 public:
113 Authority(const char *configFile);
114 ~Authority();
115 };
116
117
118 #endif //_H_AUTHORITY