securityd/src/session.h

   1 /*
   2  * Copyright (c) 2000-2010,2012-2013 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 //
  26 // session - authentication session domains
  27 //
  28 #ifndef _H_SESSION
  29 #define _H_SESSION
  30
  31 #include "structure.h"
  32 #include "acls.h"
  33 #include "authhost.h"
  34 #include <Security/AuthSession.h>
  35 #include <security_utilities/casts.h>
  36 #include <security_utilities/ccaudit.h>
  37 #include <security_cdsa_utilities/handletemplates_defs.h>
  38 #include <security_cdsa_utilities/u32handleobject.h>
  39 #include <security_cdsa_utilities/cssmdb.h>
  40 #include <bsm/audit.h>
  41 #include <bsm/audit_session.h>
  42 #include <sys/event.h>
  43 #include "securityd_service/securityd_service/securityd_service_client.h"
  44
  45 class Key;
  46 class Connection;
  47 class Server;
  48 class AuthHostInstance;
  49
  50 enum {
  51     session_keybag_locked           = 0,
  52     session_keybag_unlocked         = 1 << 0,
  53     session_keybag_check_master_key = 1 << 1,
  54     session_keybag_loaded           = 1 << 2,
  55 };
  56
  57 //
  58 // A Session object represents one or more Connections that are known to
  59 // belong to the same authentication domain. Informally this means just
  60 // about "the same user", for the right definition of "user." The upshot
  61 // is that global credentials can be shared by Connections of one Session
  62 // with a modicum of security, and so Sessions are the natural nexus of
  63 // single-sign-on functionality.
  64 //
  65 class Session : public PerSession {
  66 public:
  67         typedef au_asid_t SessionId;                    // internal session identifier (audit session id)
  68
  69     Session(const CommonCriteria::AuditInfo &audit, Server &server);
  70         virtual ~Session();
  71
  72         Server &server() const;
  73
  74         SessionId sessionId() const { return mAudit.sessionId(); }
  75         CommonCriteria::AuditInfo &auditInfo() { return mAudit; }
  76
  77         IFDUMP(virtual void dumpNode());
  78
  79 public:
  80     static const SessionAttributeBits settableAttributes =
  81         sessionHasGraphicAccess | sessionHasTTY | sessionIsRemote | AU_SESSION_FLAG_HAS_AUTHENTICATED;
  82
  83     SessionAttributeBits attributes() const                     { updateAudit(); return int_cast<au_asflgs_t,SessionAttributeBits>(mAudit.ai_flags); }
  84     bool attribute(SessionAttributeBits bits) const     { return attributes() & bits; }
  85         void setAttributes(SessionAttributeBits bits);
  86
  87     virtual void setupAttributes(SessionCreationFlags flags, SessionAttributeBits attrs);
  88
  89         virtual uid_t originatorUid();
  90
  91         static const char kUsername[];
  92     static const char kRealname[];
  93
  94 protected:
  95         void updateAudit() const;
  96
  97 public:
  98     void invalidateSessionAuthHosts();      // invalidate auth hosts in this session
  99     static void invalidateAuthHosts();      // invalidate auth hosts in all sessions
 100
 101         static void processSystemSleep();
 102         void processLockAll();
 103
 104         RefPointer<AuthHostInstance> authhost(const bool restart = false);
 105
 106 protected:
 107         mutable CommonCriteria::AuditInfo mAudit;
 108
 109         mutable Mutex mAuthHostLock;
 110         AuthHostInstance *mSecurityAgent;
 111
 112         void kill();
 113
 114 public:
 115     void verifyKeyStorePassphrase(int32_t retries, bool useForACLFallback = false, const char *itemname = NULL);
 116     void changeKeyStorePassphrase();
 117     void resetKeyStorePassphrase(const CssmData &passphrase);
 118     service_context_t get_current_service_context();
 119     void keybagClearState(int state);
 120     void keybagSetState(int state);
 121     bool keybagGetState(int state);
 122 private:
 123     int mKeybagState;
 124
 125 public:
 126         static Session &find(SessionId id, bool create);        // find and optionally create
 127     template <class SessionType> static SessionType &find(SecuritySessionId id);
 128         static void destroy(SessionId id);
 129
 130 protected:
 131         typedef std::map<SessionId, RefPointer<Session> > SessionMap;
 132         static SessionMap mSessions;
 133         static Mutex mSessionLock;
 134 };
 135
 136
 137 template <class SessionType>
 138 SessionType &Session::find(SecuritySessionId id)
 139 {
 140         if (SessionType *ssn = dynamic_cast<SessionType *>(&find(id, false)))
 141                 return *ssn;
 142         else
 143                 MacOSError::throwMe(errSessionInvalidId);
 144 }
 145
 146
 147 //
 148 // The RootSession is the session of all code that originates from system startup processing
 149 // and does not belong to any particular login origin. (Or, if you prefer, whose login origin
 150 // is the system itself.)
 151 //
 152 class RootSession : public Session {
 153 public:
 154     RootSession(uint64_t attributes, Server &server);
 155 };
 156
 157
 158 #endif //_H_SESSION