OSX/libsecurity_authorization/lib/AuthorizationPlugin.h

   1 /*
   2  * Copyright (c) 2001-2002,2004,2011-2012,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 /*
  26  *  AuthorizationPlugin.h
  27  *  AuthorizationPlugin -- APIs for implementing authorization plugins.
  28  */
  29
  30 #ifndef _SECURITY_AUTHORIZATIONPLUGIN_H_
  31 #define _SECURITY_AUTHORIZATIONPLUGIN_H_
  32
  33 #include <Security/Authorization.h>
  34
  35 #if defined(__cplusplus)
  36 extern "C" {
  37 #endif
  38
  39 CF_ASSUME_NONNULL_BEGIN
  40
  41 /*!
  42         @header AuthorizationPlugin
  43
  44         The AuthorizationPlugin API allows the creation of plugins that can participate
  45         in authorization decisions.  Using the AuthorizationDB API the system can be configured
  46         to use these plugins.  Plugins are loaded into a separate process, the pluginhost, to
  47         isolate the process of authorization from the client.  There are two types of pluginhosts.
  48         One runs as an anonymous user and can be used to communicate with the user, for example
  49         to ask for a password.  Another one runs with root privileges to perform privileged
  50         operations that may be required.
  51
  52     A typical use is to implement additional policies that cannot be expressed in the
  53     authorization configuration.
  54
  55     Plugins implement a handshake function called AuthorizationPluginCreate with which
  56     their interface (AuthorizationPluginInterface) and the engine's interface
  57     (AuthorizationCallbacks) are exchanged.  Plugins are asked to create
  58     Mechanisms, which are the basic element as authorizations are performed.
  59
  60     Mechanisms are invoked when it is time for them to make a decision.  A decision is
  61     made by setting a single result (AuthorizationResult).  Mechanisms in the
  62     authorization can communicate auxiliary information by setting and/or getting hints
  63     and setting and/or getting context data.  Hints are advisory and don't need to be
  64     looked at, nor are they preserved as part of the authorization result. Context data
  65     becomes part of the result of the authorization.
  66
  67     Context data is tagged with a flag that describes whether the information is returned
  68     to the authorization client upon request (AuthorizationCopyInfo() in Authorization.h)
  69     or whether it's private to the mechanisms making a decision.
  70
  71 */
  72
  73
  74 /*!
  75         @typedef AuthorizationValue
  76     Auxiliary data is passed between the engine and the mechanism as AuthorizationValues
  77 */
  78 typedef struct AuthorizationValue
  79 {
  80     size_t length;
  81     void *data;
  82 } AuthorizationValue;
  83
  84 /*!
  85     @typedef AuthorizationValueVector
  86     A vector of AuthorizationValues.  Used to communicate arguments passed from the
  87     configuration file <code>authorization(5)</code>.
  88 */
  89 typedef struct AuthorizationValueVector
  90 {
  91         UInt32 count;
  92         AuthorizationValue *values;
  93 } AuthorizationValueVector;
  94
  95 /*!
  96     @typedef
  97     Data produced as context during the authorization evaluation is tagged.
  98     If data is set to be extractable (kAuthorizationContextFlagExtractable), it will be possible for the client of authorization to obtain the value of this attribute using AuthorizationCopyInfo().
  99     If data is marked as volatile (kAuthorizationContextFlagVolatile), this value will not be remembered in the AuthorizationRef.
 100     Sticky data (kAuthorizationContextFlagSticky) persists through a failed or interrupted evaluation. It can be used to propagate an error condition from a downstream plugin to an upstream one. It is not remembered in the AuthorizationRef.
 101 */
 102 typedef CF_OPTIONS(UInt32, AuthorizationContextFlags)
 103 {
 104     kAuthorizationContextFlagExtractable = (1 << 0),
 105     kAuthorizationContextFlagVolatile = (1 << 1),
 106     kAuthorizationContextFlagSticky = (1 << 2)
 107 };
 108
 109
 110 /*!
 111         @typedef AuthorizationMechanismId
 112     The mechanism id specified in the configuration is passed to the plugin to create the appropriate mechanism.
 113 */
 114 typedef const AuthorizationString AuthorizationMechanismId;
 115
 116 /*!
 117     @typedef AuthorizationPluginId
 118         Not used by plugin writers.  Loaded plugins are identified by their name.
 119  */
 120 typedef const AuthorizationString AuthorizationPluginId;
 121
 122 /*!
 123         @typedef AuthorizationPluginRef
 124         Handle passed back by the plugin writer when creating a plugin.  Any pluginhost will only instantiate one instance.  The handle is used when creating mechanisms.
 125 */
 126 typedef void *AuthorizationPluginRef;
 127
 128 /*!
 129         @typedef AuthorizationMechanismRef
 130         Handle passed back by the plugin writer when creating an an instance of a mechanism in a plugin.  One instance will be created for any authorization.
 131 */
 132 typedef void *AuthorizationMechanismRef;
 133
 134 /*!
 135         @typedef AuthorizationEngineRef
 136         Handle passed from the engine to an instance of a mechanism in a plugin (corresponds to a particular AuthorizationMechanismRef).
 137 */
 138 typedef struct __OpaqueAuthorizationEngine *AuthorizationEngineRef;
 139
 140 /*!
 141         @typedef AuthorizationSessionId
 142         A unique value for an AuthorizationSession being evaluated, provided by the authorization engine.
 143     A session is represented by a top level call to an Authorization API.
 144 */
 145 typedef void *AuthorizationSessionId;
 146
 147 /*!
 148     @enum AuthorizationResult
 149         Possible values for SetResult() in AuthorizationCallbacks.
 150
 151     @constant kAuthorizationResultAllow the operation succeeded and authorization should be granted as far as this mechanism is concerned.
 152     @constant kAuthorizationResultDeny the operation succeeded but authorization should be denied as far as this mechanism is concerned.
 153     @constant kAuthorizationResultUndefined the operation failed for some reason and should not be retried for this session.
 154     @constant kAuthorizationResultUserCanceled the user has requested that the evaluation be terminated.
 155 */
 156 typedef CF_ENUM(UInt32, AuthorizationResult) {
 157     kAuthorizationResultAllow,
 158     kAuthorizationResultDeny,
 159     kAuthorizationResultUndefined,
 160     kAuthorizationResultUserCanceled,
 161 };
 162
 163 /*!
 164     @enum
 165     Version of the interface (AuthorizationPluginInterface) implemented by the plugin.
 166     The value is matched to the definition in this file.
 167 */
 168 enum {
 169     kAuthorizationPluginInterfaceVersion = 0
 170 };
 171
 172 /*!
 173     @enum
 174     Version of the callback structure (AuthorizationCallbacks) passed to the plugin.
 175     The value is matched to the definition in this file.  The engine may provide a newer
 176     interface.
 177 */
 178 enum {
 179     kAuthorizationCallbacksVersion = 1
 180 };
 181
 182
 183 /*!
 184     @struct
 185     Callback API provided by the AuthorizationEngine.
 186
 187     @field version      Engine callback version.
 188     @field SetResult    Set a result after a call to AuthorizationSessionInvoke.
 189     @field RequestInterrupt Request authorization engine to interrupt all mechamisms invoked after this mechamism has called SessionSetResult and then call AuthorizationSessionInvoke again.
 190     @field DidDeactivate    Respond to the Deactivate request.
 191     @field GetContextValue  Read value from context.  AuthorizationValue does not own data.
 192     @field SetContextValue  Write value to context.  AuthorizationValue and data are copied.
 193     @field GetHintValue     Read value from hints. AuthorizationValue does not own data.
 194     @field SetHintValue     Write value to hints.  AuthorizationValue and data are copied.
 195     @field GetArguments     Read arguments passed.  AuthorizationValueVector does not own data.
 196     @field GetSessionId     Read SessionId.
 197 */
 198 typedef struct AuthorizationCallbacks {
 199
 200     /* Engine callback version. */
 201     UInt32 version;
 202
 203     /* Set a result after a call to AuthorizationSessionInvoke. */
 204     OSStatus (*SetResult)(AuthorizationEngineRef inEngine, AuthorizationResult inResult);
 205
 206     /* Request authorization engine to interrupt all mechamisms invoked after
 207         this mechamism has called SessionSetResult and then call
 208         AuthorizationSessionInvoke again. */
 209     OSStatus (*RequestInterrupt)(AuthorizationEngineRef inEngine);
 210
 211     /* Respond to the Deactivate request. */
 212     OSStatus (*DidDeactivate)(AuthorizationEngineRef inEngine);
 213
 214     /* Read value from context.  AuthorizationValue does not own data. */
 215     OSStatus (*GetContextValue)(AuthorizationEngineRef inEngine,
 216         AuthorizationString inKey,
 217         AuthorizationContextFlags * __nullable outContextFlags,
 218         const AuthorizationValue * __nullable * __nullable outValue);
 219
 220     /* Write value to context.  AuthorizationValue and data are copied. */
 221     OSStatus (*SetContextValue)(AuthorizationEngineRef inEngine,
 222         AuthorizationString inKey,
 223         AuthorizationContextFlags inContextFlags,
 224         const AuthorizationValue *inValue);
 225
 226     /* Read value from hints. AuthorizationValue does not own data. */
 227     OSStatus (*GetHintValue)(AuthorizationEngineRef inEngine,
 228         AuthorizationString inKey,
 229         const AuthorizationValue * __nullable * __nullable outValue);
 230
 231     /* Write value to hints.  AuthorizationValue and data are copied. */
 232     OSStatus (*SetHintValue)(AuthorizationEngineRef inEngine,
 233         AuthorizationString inKey,
 234         const AuthorizationValue *inValue);
 235
 236     /* Read arguments passed.  AuthorizationValueVector does not own data. */
 237     OSStatus (*GetArguments)(AuthorizationEngineRef inEngine,
 238         const AuthorizationValueVector * __nullable * __nonnull outArguments);
 239
 240     /* Read SessionId. */
 241     OSStatus (*GetSessionId)(AuthorizationEngineRef inEngine,
 242         AuthorizationSessionId __nullable * __nullable outSessionId);
 243
 244     /* Read value from hints. AuthorizationValue does not own data. */
 245     OSStatus (*GetImmutableHintValue)(AuthorizationEngineRef inEngine,
 246         AuthorizationString inKey,
 247         const AuthorizationValue * __nullable * __nullable outValue);
 248
 249 } AuthorizationCallbacks;
 250
 251
 252 /*!
 253     @struct
 254     Interface that must be implemented by each plugin.
 255
 256     @field version  Must be set to kAuthorizationPluginInterfaceVersion
 257     @field PluginDestroy    Plugin should clean up and release any resources it is holding.
 258     @field MechanismCreate  The plugin should create a mechanism named mechanismId.  The mechanism needs to use the AuthorizationEngineRef for the callbacks and pass back a   AuthorizationMechanismRef for itself.  MechanismDestroy will be called when it is no longer needed.
 259     @field MechanismInvoke  Invoke an instance of a mechanism.  It should call SetResult during or after returning from this function.
 260     @field MechanismDeactivate  Mechanism should respond with a DidDeactivate as soon as possible
 261     @field MechanismDestroy Mechanism should clean up and release any resources it is holding
 262 */
 263 typedef struct AuthorizationPluginInterface
 264 {
 265     /* Must be set to kAuthorizationPluginInterfaceVersion. */
 266     UInt32 version;
 267
 268     /* Notify a plugin that it is about to be unloaded so it get a chance to clean up and release any resources it is holding.  */
 269     OSStatus (*PluginDestroy)(AuthorizationPluginRef inPlugin);
 270
 271     /* The plugin should create a mechanism named mechanismId.  The mechanism needs to use the
 272         AuthorizationEngineRef for the callbacks and pass back an AuthorizationMechanismRef for
 273         itself.  MechanismDestroy will be called when it is no longer needed. */
 274     OSStatus (*MechanismCreate)(AuthorizationPluginRef inPlugin,
 275         AuthorizationEngineRef inEngine,
 276         AuthorizationMechanismId mechanismId,
 277         AuthorizationMechanismRef __nullable * __nonnull outMechanism);
 278
 279     /* Invoke an instance of a mechanism.  It should call SetResult during or after returning from this function.  */
 280     OSStatus (*MechanismInvoke)(AuthorizationMechanismRef inMechanism);
 281
 282     /* Mechanism should respond with a DidDeactivate as soon as possible. */
 283     OSStatus (*MechanismDeactivate)(AuthorizationMechanismRef inMechanism);
 284
 285     /* Mechanism should clean up and release any resources it is holding. */
 286     OSStatus (*MechanismDestroy)(AuthorizationMechanismRef inMechanism);
 287
 288 } AuthorizationPluginInterface;
 289
 290
 291 /*!
 292     @function AuthorizationPluginCreate
 293
 294     Initialize a plugin after it gets loaded.  This is the main entry point to a plugin.  This function will only be called once.
 295     After all Mechanism instances have been destroyed outPluginInterface->PluginDestroy will be called.
 296
 297     @param callbacks (input) A pointer to an AuthorizationCallbacks which contains the callbacks implemented by the AuthorizationEngine.
 298     @param outPlugin (output) On successful completion should contain a valid AuthorizationPluginRef.  This will be passed in to any subsequent calls the engine makes to  outPluginInterface->MechanismCreate and outPluginInterface->PluginDestroy.
 299     @param outPluginInterface (output) On successful completion should contain a pointer to a AuthorizationPluginInterface that will stay valid until outPluginInterface->PluginDestroy is called. */
 300 OSStatus AuthorizationPluginCreate(const AuthorizationCallbacks *callbacks,
 301     AuthorizationPluginRef __nullable * __nonnull outPlugin,
 302     const AuthorizationPluginInterface * __nullable * __nonnull outPluginInterface);
 303
 304 CF_ASSUME_NONNULL_END
 305
 306 #if defined(__cplusplus)
 307 }
 308 #endif
 309
 310 #endif /* _SECURITY_AUTHORIZATIONPLUGIN_H_ */