2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
20 // session - authentication session domains
25 #include "securityserver.h"
27 #include "authority.h"
28 #include <Security/AuthSession.h>
29 #include <Security/utilities.h>
30 #include <Security/handleobject.h>
31 #include <Security/cssmdb.h>
34 #include <ext/hash_map>
35 using __gnu_cxx::hash_map
;
46 // A Session object represents one or more Connections that are known to
47 // belong to the same authentication domain. Informally this means just
48 // about "the same user", for the right definition of "user." The upshot
49 // is that global credentials can be shared by Connections of one Session
50 // with a modicum of security, and so Sessions are the natural nexus of
51 // single-sign-on functionality.
53 class Session
: public HandleObject
{
55 typedef MachPlusPlus::Bootstrap Bootstrap
;
57 Session(Bootstrap bootstrap
, Port servicePort
, SessionAttributeBits attrs
= 0);
60 Bootstrap
bootstrapPort() const { return mBootstrap
; }
61 Port
servicePort() const { return mServicePort
; }
63 void addProcess(Process
*proc
);
64 bool removeProcess(Process
*proc
);
66 virtual void release();
68 void addAuthorization(AuthorizationToken
*auth
);
69 bool removeAuthorization(AuthorizationToken
*auth
);
72 static const SessionAttributeBits settableAttributes
=
73 sessionHasGraphicAccess
| sessionHasTTY
| sessionIsRemote
;
75 SessionAttributeBits
attributes() const { return mAttributes
; }
76 bool attribute(SessionAttributeBits bits
) const { return mAttributes
& bits
; }
78 static void setup(SessionCreationFlags flags
, SessionAttributeBits attrs
);
79 void setupAttributes(SessionAttributeBits attrs
);
82 void setAttributes(SessionAttributeBits attrs
) { mAttributes
|= attrs
; }
85 const CredentialSet
&authCredentials() const { return mSessionCreds
; }
87 OSStatus
authCreate(const RightSet
&rights
, const AuthorizationEnvironment
*environment
,
88 AuthorizationFlags flags
, AuthorizationBlob
&newHandle
);
89 void authFree(const AuthorizationBlob
&auth
, AuthorizationFlags flags
);
90 OSStatus
authGetRights(const AuthorizationBlob
&auth
,
91 const RightSet
&requestedRights
, const AuthorizationEnvironment
*environment
,
92 AuthorizationFlags flags
, MutableRightSet
&grantedRights
);
93 OSStatus
authGetInfo(const AuthorizationBlob
&auth
, const char *tag
, AuthorizationItemSet
*&contextInfo
);
95 OSStatus
authExternalize(const AuthorizationBlob
&auth
, AuthorizationExternalForm
&extForm
);
96 OSStatus
authInternalize(const AuthorizationExternalForm
&extForm
, AuthorizationBlob
&auth
);
99 struct AuthorizationExternalBlob
{
100 AuthorizationBlob blob
;
105 AuthorizationToken
&authorization(const AuthorizationBlob
&blob
);
106 void mergeCredentials(CredentialSet
&creds
);
108 bool clearResources();
111 static Session
&find(Port servPort
);
112 static Session
&find(SecuritySessionId id
);
113 static void eliminate(Port servPort
);
116 mutable Mutex mLock
; // object lock
118 Bootstrap mBootstrap
; // session bootstrap port
119 Port mServicePort
; // SecurityServer service port for this session
120 SessionAttributeBits mAttributes
; // attribute bits (see AuthSession.h)
121 unsigned int mProcessCount
; // number of active processes in session
122 unsigned int mAuthCount
; // number of AuthorizationTokens belonging to us
123 bool mDying
; // session is dying
125 mutable Mutex mCredsLock
; // lock for mSessionCreds
126 CredentialSet mSessionCreds
; // shared session authorization credentials
129 typedef map
<mach_port_t
, Session
*> SessionMap
;
130 static SessionMap sessionMap
;
131 static Mutex sessionMapLock
;
134 typedef SessionMap::iterator Iterator
;
135 static Iterator
begin() { return sessionMap
.begin(); }
136 static Iterator
end() { return sessionMap
.end(); }
141 // The RootSession is the session (i.e. bootstrap dictionary) of system daemons that are
142 // started early and don't belong to anything more restrictive. The RootSession is considered
144 // Currently, telnet sessions et al also default into this session, but this will change
147 class RootSession
: public Session
{
149 RootSession(Port servicePort
, SessionAttributeBits attrs
= 0);
154 // A DynamicSession is the default type of session object. We create one when a new
155 // Connection initializes whose bootstrap port we haven't seen before. These Sessions
156 // are torn down when their bootstrap object disappears (which happens when mach_init
157 // destroys it due to its requestor referent vanishing).
159 class DynamicSession
: private ReceivePort
, public Session
{
161 DynamicSession(const Bootstrap
&bootstrap
);
projects / apple / security.git / blob