]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_keychain/lib/ACL.h
Security-58286.270.3.0.1.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / ACL.h
1 /*
2 * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // ACL.h - ACL control wrappers
26 //
27 #ifndef _SECURITY_ACL_H_
28 #define _SECURITY_ACL_H_
29
30 #include <Security/SecACL.h>
31 #include <security_cdsa_utilities/cssmaclpod.h>
32 #include <security_cdsa_client/aclclient.h>
33 #include <security_cdsa_utilities/cssmdata.h>
34 #include <security_utilities/seccfobject.h>
35 #include "SecCFTypes.h"
36
37 #include <vector>
38
39 namespace Security {
40 namespace KeychainCore {
41
42 using CssmClient::AclBearer;
43
44 class Access;
45 class TrustedApplication;
46
47
48 //
49 // An ACL Entry for an Access object
50 //
51 class ACL : public SecCFObject {
52 NOCOPY(ACL)
53 public:
54 SECCFFUNCTIONS(ACL, SecACLRef, errSecInvalidItemRef, gTypes().ACL)
55
56 // Query AclBearer for ACL entry matching tag. Will throw if there is not exactly 1 entry.
57 ACL(const AclBearer &aclBearer, const char *selectionTag,
58 Allocator &alloc = Allocator::standard());
59 // create from CSSM layer ACL entry
60 ACL(const AclEntryInfo &info,
61 Allocator &alloc = Allocator::standard());
62 // create from CSSM layer owner prototype
63 ACL(const AclOwnerPrototype &owner,
64 Allocator &alloc = Allocator::standard());
65 // create an "any" ACL
66 ACL(Allocator &alloc = Allocator::standard());
67 // create from "standard form" arguments (with empty application list)
68 ACL(string description, const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR &promptSelector,
69 Allocator &alloc = Allocator::standard());
70 // create an "integrity" ACL
71 ACL(const CssmData &digest, Allocator &alloc = Allocator::standard());
72
73 virtual ~ACL();
74
75 Allocator &allocator;
76
77 enum State {
78 unchanged, // unchanged from source
79 inserted, // new
80 modified, // was changed (replace)
81 deleted // was deleted (now invalid)
82 };
83 State state() const { return mState; }
84
85 enum Form {
86 invalidForm, // invalid
87 customForm, // not a recognized format (but valid)
88 allowAllForm, // indiscriminate
89 appListForm, // list of apps + prompt confirm
90 integrityForm // hashed integrity of item attributes
91 };
92 Form form() const { return mForm; }
93 void form(Form f) { mForm = f; }
94
95 void setIntegrity(const CssmData& integrity);
96 const CssmData& integrity();
97
98 public:
99 AclAuthorizationSet &authorizations() { return mAuthorizations; }
100 bool authorizes(AclAuthorization right);
101 bool authorizesSpecifically(AclAuthorization right);
102 void setAuthorization(CSSM_ACL_AUTHORIZATION_TAG auth)
103 { mAuthorizations.clear(); mAuthorizations.insert(auth); }
104
105 typedef vector< SecPointer<TrustedApplication> > ApplicationList;
106 ApplicationList &applications()
107 { assert(form() == appListForm); return mAppList; }
108 void addApplication(TrustedApplication *app);
109
110 CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR &promptSelector() { return mPromptSelector; }
111 string &promptDescription() { return mPromptDescription; }
112
113 CSSM_ACL_HANDLE entryHandle() const { return mCssmHandle; }
114
115 static const CSSM_ACL_HANDLE ownerHandle = 0xff0e2743; // pseudo-handle for owner ACL
116 bool isOwner() const { return mCssmHandle == ownerHandle; }
117 void makeOwner() { mCssmHandle = ownerHandle; }
118
119 void modify(); // mark modified (update on commit)
120 void remove(); // mark removed (delete on commit)
121
122 // produce chunk copies of CSSM forms; caller takes ownership
123 void copyAclEntry(AclEntryPrototype &proto, Allocator &alloc = Allocator::standard());
124 void copyAclOwner(AclOwnerPrototype &proto, Allocator &alloc = Allocator::standard());
125
126 public:
127 void setAccess(AclBearer &target, bool update = false,
128 const AccessCredentials *cred = NULL);
129
130 public:
131 struct ParseError { };
132
133 public:
134 static const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR defaultSelector;
135
136 private:
137 void parse(const TypedList &subject);
138 void parsePrompt(const TypedList &subject);
139 void makeSubject();
140 void clearSubjects(Form newForm);
141
142 private:
143 State mState; // change state
144 Form mForm; // format type
145
146 // AclEntryPrototype fields (minus subject, which is virtually constructed)
147 CSSM_ACL_HANDLE mCssmHandle; // CSSM entry handle (for updates)
148 string mEntryTag; // CSSM entry tag (64 bytes or so, they say)
149 bool mDelegate; // CSSM delegate flag
150 AclAuthorizationSet mAuthorizations; // rights for this ACL entry
151
152 // composite AclEntryPrototype (constructed when needed)
153 TypedList *mSubjectForm;
154
155 // following values valid only if form() == appListForm
156 ApplicationList mAppList; // list of trusted applications
157 CssmAutoData mIntegrity; // digest for integrityForm ACL entries
158 CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR mPromptSelector; // selector field of PROMPT subject
159 string mPromptDescription; // description field of PROMPT subject
160 Mutex mMutex;
161 };
162
163
164 } // end namespace KeychainCore
165 } // end namespace Security
166
167 #endif // !_SECURITY_ACL_H_