1 /*
2 * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // Access.h - Access control wrappers
26 //
27 #ifndef _SECURITY_ACCESS_H_
28 #define _SECURITY_ACCESS_H_
29
30 #include <security_keychain/ACL.h>
31 #include <security_utilities/trackingallocator.h>
32 #include <security_cdsa_utilities/cssmaclpod.h>
33 #include <security_cdsa_utilities/cssmacl.h>
34 #include <security_cdsa_client/aclclient.h>
35 #include <security_keychain/TrustedApplication.h>
36 #include <map>
37
38 namespace Security {
39 namespace KeychainCore {
40
41 using CssmClient::AclBearer;
42
43
//
// Access - a collection of ACL entries held together as one access-control
// description. Entries live in mAcls, keyed by CSSM_ACL_HANDLE.
// NOTE(review): the SECCFFUNCTIONS line suggests this is the object behind
// SecAccessRef; the macro is defined elsewhere - confirm there.
//
class Access : public SecCFObject {
	NOCOPY(Access)
public:
	SECCFFUNCTIONS(Access, SecAccessRef, errSecInvalidItemRef, gTypes().Access)

	//
	// Maker - helper object accepted by setAccess(AclBearer &, Maker &).
	// It carries a key (mKey), an ACL entry input (mInput) and a credential
	// set (mCreds), and owns a TrackingAllocator.
	// NOTE(review): how the key and creationEntryTag are used is defined in
	// the implementation file, which is not visible here.
	//
	class Maker {
		NOCOPY(Maker)
		static const size_t keySize = 16;	// number of (random) bytes
		friend class Access;
	public:
		// kStandardMakerType is the constructor default; kAnyMakerType is the alternative.
		enum MakerType {kStandardMakerType, kAnyMakerType};

		Maker(Allocator &alloc = Allocator::standard(), MakerType makerType = kStandardMakerType);

		// Fill in the initial owner in ctx; creds is optional (defaults to NULL).
		void initialOwner(ResourceControlContext &ctx, const AccessCredentials *creds = NULL);
		// Credentials associated with this Maker (presumably mCreds - verify in the .cpp).
		const AccessCredentials *cred();

		TrackingAllocator allocator;

		static const char creationEntryTag[];

		// Which MakerType this Maker was constructed with.
		MakerType makerType() { return mMakerType; }

	private:
		CssmAutoData mKey;
		AclEntryInput mInput;
		AutoCredentials mCreds;
		MakerType mMakerType;
	};

public:
	// Default forms: a description, optionally with a list of trusted
	// applications, optionally with explicit limited/free right sets.
	Access(const string &description);
	Access(const string &description, const ACL::ApplicationList &trusted);
	Access(const string &description, const ACL::ApplicationList &trusted,
		const AclAuthorizationSet &limitedRights, const AclAuthorizationSet &freeRights);

	// A completely open Access (anyone can do anything).
	// This form places no restriction on who may use the protected object, so
	// it is only appropriate where the object is deliberately left unprotected.
	Access();

	// Build from the ACL state of an existing AclBearer.
	Access(AclBearer &source);

	// Build from CSSM layer information (presumably retrieved by the caller):
	// an owner prototype plus aclCount entries starting at acls.
	Access(const CSSM_ACL_OWNER_PROTOTYPE &owner,
		uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls);
	virtual ~Access();

public:
	// Return the contained ACLs as a CFArray, either all of them or only those
	// related to the given authorization tag.
	// NOTE(review): the "copy" prefix suggests the caller owns the result - confirm.
	CFArrayRef copySecACLs() const;
	CFArrayRef copySecACLs(CSSM_ACL_AUTHORIZATION_TAG action) const;

	void add(ACL *newAcl);
	void addOwner(ACL *newOwnerAcl);

	// Apply this Access to target. The bool form takes an "update" flag
	// (default false); the Maker form takes a Maker instead.
	void setAccess(AclBearer &target, bool update = false);
	void setAccess(AclBearer &target, Maker &maker);

	// Like setAccess(target, update) but with caller-supplied credentials.
	void editAccess(AclBearer &target, bool update, const AccessCredentials *cred);

	// Replace the contents of cont with every ACL whose authorizes(right) is true.
	// cont is cleared first, so an empty result means "no matching entry".
	// Security note: a match here may come from an ACL with an empty
	// authorization list (and thus "authorize everything") or from
	// CSSM_ACL_AUTHORIZATION_ANY. Callers that need an explicit grant of
	// `right` should use findSpecificAclsForRight instead.
	// NOTE(review): mMutex is not taken in this body; confirm callers
	// serialize access to mAcls.
	template <class Container>
	void findAclsForRight(AclAuthorization right, Container &cont)
	{
		cont.clear();
		for (Map::const_iterator pos = mAcls.begin(); pos != mAcls.end(); ++pos) {
			const SecPointer<ACL> &candidate = pos->second;
			if (candidate->authorizes(right)) {
				cont.push_back(candidate);
			}
		}
	}

	// findAclsForRight may return ACLs that have an empty authorization list (and thus "authorize everything")
	// or CSSM_ACL_AUTHORIZATION_ANY, but sometimes you need positive confirmation of a right.
	// This variant replaces the contents of cont with only those ACLs whose
	// authorizesSpecifically(right) is true.
	// NOTE(review): mMutex is not taken in this body; confirm callers
	// serialize access to mAcls.
	template <class Container>
	void findSpecificAclsForRight(AclAuthorization right, Container &cont)
	{
		cont.clear();
		for (Map::const_iterator pos = mAcls.begin(); pos != mAcls.end(); ++pos) {
			const SecPointer<ACL> &candidate = pos->second;
			if (candidate->authorizesSpecifically(right)) {
				cont.push_back(candidate);
			}
		}
	}

	// Remove all acl entries that refer to this right.
	void removeAclsForRight(AclAuthorization right);

	std::string promptDescription() const;	// from any one of the ACLs contained

	void addApplicationToRight(AclAuthorization right, TrustedApplication *app);

	// Produce the owner prototype and ACL entry array through the reference
	// out-parameters. NOTE(review): allocation and ownership of the returned
	// memory are decided in the implementation - confirm before freeing.
	void copyOwnerAndAcl(CSSM_ACL_OWNER_PROTOTYPE * &owner,
		uint32 &aclCount, CSSM_ACL_ENTRY_INFO * &acls);

protected:
	// Shared setup for the "default form" constructors; both right sets
	// default to an empty AclAuthorizationSet.
	void makeStandard(const string &description, const ACL::ApplicationList &trusted,
		const AclAuthorizationSet &limitedRights = AclAuthorizationSet(),
		const AclAuthorizationSet &freeRights = AclAuthorizationSet());
	// Populate this object from CSSM owner/ACL-entry data.
	void compile(const CSSM_ACL_OWNER_PROTOTYPE &owner,
		uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls);


private:
	// Same value as ACL::ownerHandle.
	static const CSSM_ACL_HANDLE ownerHandle = ACL::ownerHandle;
	typedef map<CSSM_ACL_HANDLE, SecPointer<ACL> > Map;

	Map mAcls;			// set of ACL entries
	Mutex mMutex;		// NOTE(review): presumably guards mAcls - locking is done in the .cpp
};
149
150
151 } // end namespace KeychainCore
152 } // end namespace Security
153
154 #endif // !_SECURITY_ACCESS_H_