]> git.saurik.com Git - apple/security.git/blob - SecurityServer/Authorization/AuthorizationEngine.h
Security-54.1.9.tar.gz
[apple/security.git] / SecurityServer / Authorization / AuthorizationEngine.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 * AuthorizationEngine.h
21 * Authorization
22 *
23 * Copyright: (c) 2000 by Apple Computer, Inc., all rights reserved
24 *
25 */
26
27 #ifndef _H_AUTHORIZATIONENGINE
28 #define _H_AUTHORIZATIONENGINE 1
29
30 #include <Security/Authorization.h>
31 #include <Security/AuthorizationPlugin.h>
32 #include "AuthorizationData.h"
33
34 #include <Security/refcount.h>
35 #include <Security/threading.h>
36 #include <Security/osxsigning.h>
37 #include "agentquery.h"
38
39 #include <CoreFoundation/CFDate.h>
40 #include <CoreFoundation/CFDictionary.h>
41 #include <sys/stat.h>
42 #include <sys/types.h>
43
44 #include <map>
45 #include <set>
46 #include <string>
47
48 class AuthorizationToken;
49
50 namespace Authorization
51 {
52
53 class Error : public CssmCommonError {
54 protected:
55 Error(int err);
56 public:
57 const int error;
58 virtual CSSM_RETURN cssmError() const throw();
59 virtual OSStatus osStatus() const throw();
60 virtual const char *what () const throw();
61 // @@@ Default value should be internal error.
62 static void throwMe(int err = -1) __attribute((noreturn));
63 };
64
65
66 /* Credentials are less than comparable so they can be put in sets or maps. */
67 class CredentialImpl : public RefCount
68 {
69 public:
70 CredentialImpl(const string &username, const uid_t uid, gid_t gid, bool shared);
71 CredentialImpl(const string &username, const string &password, bool shared);
72 ~CredentialImpl();
73
74 bool operator < (const CredentialImpl &other) const;
75
76 // Returns true if this credential should be shared.
77 bool isShared() const;
78
79 // Merge with other
80 void merge(const CredentialImpl &other);
81
82 // The time at which this credential was obtained.
83 CFAbsoluteTime creationTime() const;
84
85 // Return true iff this credential is valid.
86 bool isValid() const;
87
88 // Make this credential invalid.
89 void invalidate();
90
91 // We could make Rule a friend but instead we just expose this for now
92 inline const string& username() const { return mUsername; }
93 inline const uid_t uid() const { return mUid; }
94 inline const gid_t gid() const { return mGid; }
95
96
97 private:
98 // The username of the user that provided his password.
99 // This and mShared are what make this credential unique.
100 // @@@ We do not deal with the domain as of yet.
101 string mUsername;
102
103 // True iff this credential is shared.
104 bool mShared;
105
106 // Fields below are not used by less than operator
107
108 // cached pw-data as returned by getpwnam(mUsername)
109 uid_t mUid;
110 gid_t mGid;
111
112 CFAbsoluteTime mCreationTime;
113 bool mValid;
114 };
115
116
117 /* Credentials are less than comparable so they can be put in sets or maps. */
118 class Credential : public RefPointer<CredentialImpl>
119 {
120 public:
121 Credential();
122 Credential(CredentialImpl *impl);
123 Credential(const string &username, const uid_t uid, gid_t gid, bool shared);
124 Credential(const string &username, const string &password, bool shared);
125 ~Credential();
126
127 bool operator < (const Credential &other) const;
128 };
129
130
131 typedef set<Credential> CredentialSet;
132
133
134 class Rule
135 {
136 public:
137 Rule();
138 Rule(CFTypeRef cfRule);
139 Rule(const Rule &other);
140 Rule &operator = (const Rule &other);
141 ~Rule();
142
143 OSStatus evaluate(const Right &inRight, const AuthorizationEnvironment *environment,
144 AuthorizationFlags flags, CFAbsoluteTime now,
145 const CredentialSet *inCredentials, CredentialSet &credentials,
146 AuthorizationToken &auth);
147
148 private:
149 OSStatus evaluate(const Right &inRight, const AuthorizationEnvironment *environment,
150 CFAbsoluteTime now, const Credential &credential, bool ignoreShared);
151 OSStatus obtainCredential(QueryAuthorizeByGroup &client, const Right &inRight,
152 const AuthorizationEnvironment *environment, const char *usernameHint,
153 Credential &outCredential, SecurityAgent::Reason reason);
154 OSStatus evaluateMechanism(const AuthorizationEnvironment *environment, AuthorizationToken &auth, CredentialSet &outCredentials);
155
156
157 enum Type
158 {
159 kDeny,
160 kAllow,
161 kUserInGroup,
162 kEvalMech
163 } mType;
164
165 string mGroupName;
166 CFTimeInterval mMaxCredentialAge;
167 bool mShared;
168 bool mAllowRoot;
169 string mEvalDef;
170
171 static CFStringRef kUserInGroupID;
172 static CFStringRef kTimeoutID;
173 static CFStringRef kSharedID;
174 static CFStringRef kAllowRootID;
175 static CFStringRef kDenyID;
176 static CFStringRef kAllowID;
177 static CFStringRef kEvalMechID;
178
179 };
180
181
182 /* The engine which performs the actual authentication and authorization computations.
183
184 The implementation of a typical call to AuthorizationCreate would look like:
185
186 Get the current shared CredentialSet for this session.
187 Call authorizedRights() with inRights and the shared CredentialSet.
188 Compute the difference set between the rights requested and the rights returned from authorizedRights().
189 Call credentialIds() with the rights computed above (for which we have no credentials yet).
190 Call aquireCredentials() for the credentialIds returned from credentialIds()
191 For each credential returned place it in the session (replacing when needed) if shared() returns true.
192 The authorization returned to the user should now refer to the credentials in the session and the non shared ones returned by aquireCredentials().
193
194 When a call to AuthorizationCopyRights() is made, just call authorizedRights() using the union of the session credentials and the credentials tied to the authorization specified.
195
196 When a call to AuthorizationCopyInfo() is made, ask the Credential specified by tag for it info and return it.
197
198 When a call to AuthorizationFree() is made, delete all the non-shared credentials ascociated with the authorization specified. If the kAuthorizationFreeFlagDestroy is set. Also delete the shared credentials ascociated with the authorization specified.
199 */
200 class Engine
201 {
202 public:
203 Engine(const char *configFile);
204 ~Engine();
205
206 OSStatus authorize(const RightSet &inRights, const AuthorizationEnvironment *environment,
207 AuthorizationFlags flags, const CredentialSet *inCredentials, CredentialSet *outCredentials,
208 MutableRightSet *outRights, AuthorizationToken &auth);
209 private:
210 void updateRules(CFAbsoluteTime now);
211 void readRules();
212 void parseRules(CFDictionaryRef rules);
213 static void parseRuleCallback(const void *key, const void *value, void *context);
214 void parseRule(CFStringRef right, CFTypeRef rule);
215
216 Rule getRule(const Right &inRight) const;
217
218 char *mRulesFileName;
219 CFAbsoluteTime mLastChecked;
220 struct timespec mRulesFileMtimespec;
221
222 typedef map<string, Rule> RuleMap;
223
224 RuleMap mRules;
225 mutable Mutex mLock;
226 };
227
228 }; // namespace Authorization
229
230 #endif /* ! _H_AUTHORIZATIONENGINE */