Security-28.tar.gz

[apple/security.git] / SecurityServer / acl_keychain.cpp

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


//
// acl_keychain - a subject type for the protected-path
//                                keychain prompt interaction model.
//
// Arguments in list form:
//      list[1] = CssmData: Descriptive String (presented to user in protected dialogs)
//
// Some notes on Acl Update Triggers:
// When the user checks the "don't ask me again" checkbox in the access confirmation
// dialog, we respond by returning the informational error code
// CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT, and setting a count-down trigger
// in the connection. The caller is entitled to bypass our dialog (it succeeds
// automatically) within the next few (Connection::aclUpdateTriggerLimit == 2)
// requests, in order to update the object's ACL as requested. It must then retry
// the original access operation (which will presumably pass because of that edit).
// These are the rules: for the trigger to apply, the access must be to the same
// object, from the same connection, and within the next two accesses.
// (Currently, these are for a "get acl" and the "change acl" calls.)
// Damage Control Department: The worst this mechanism could do, if subverted, is
// to bypass our confirmation dialog (making it appear to succeed to the ACL validation).
// But that is exactly what the "don't ask me again" checkbox is meant to do, so any
// subversion would be based on a (perhaps intentional) miscommunication between user 
// and client process as to what the user consents not to be asked about (any more).
// The user can always examine the resulting ACL (in Keychain Access or elsewhere), and
// edit it to suit her needs.
//
#ifdef __MWERKS__
#define _CPP_ACL_KEYCHAIN
#endif

#include "acl_keychain.h"
#include "agentquery.h"
#include "acls.h"
#include "connection.h"
#include "xdatabase.h"
#include "server.h"
#include <Security/debugging.h>
#include <algorithm>


//
// Validate a credential set against this subject.
//
bool KeychainPromptAclSubject::validate(const AclValidationContext &context,
    const TypedList &sample) const
{
    SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>();
    if (env) {
                // check for special ACL-update override
                if (context.authorization() == CSSM_ACL_AUTHORIZATION_CHANGE_ACL
                                && Server::connection().aclWasSetForUpdateTrigger(env->acl)) {
                        debug("kcacl", "honoring acl update trigger for %p(%s)", 
                &env->acl, description.c_str());
                        return true;
                }

        // ask the user
                QueryKeychainUse query;
                const Database *db = env->database();
                query((db ? db->dbName() : NULL), description.c_str(), context.authorization());
                if (query.continueGrantingToCaller) {
                        // mark for special ACL-update override (really soon) later
                        Server::connection().setAclUpdateTrigger(env->acl);
                        debug("kcacl", "setting acl update trigger for %p(%s)", 
                &env->acl, description.c_str());
                        // fail with prejudice (caller will retry)
                        CssmError::throwMe(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
                }
                return query.allowAccess;
    }
        return false;        // default to deny without prejudice
}


//
// Make a copy of this subject in CSSM_LIST form
//
CssmList KeychainPromptAclSubject::toList(CssmAllocator &alloc) const
{
        return TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT,
        new(alloc) ListElement(alloc, description));
}


//
// Create a PasswordAclSubject
//
KeychainPromptAclSubject *KeychainPromptAclSubject::Maker::make(const TypedList &list) const
{
    ListElement *params[1];
        crack(list, 1, params, CSSM_LIST_ELEMENT_DATUM);
        return new KeychainPromptAclSubject(*params[0]);
}

KeychainPromptAclSubject *KeychainPromptAclSubject::Maker::make(Reader &pub, Reader &) const
{
    const char *description; pub(description);
        return new KeychainPromptAclSubject(description);
}

KeychainPromptAclSubject::KeychainPromptAclSubject(string descr)
: SimpleAclSubject(CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT, CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT),
  description(descr)
{
}


//
// Export the subject to a memory blob
//
void KeychainPromptAclSubject::exportBlob(Writer::Counter &pub, Writer::Counter &priv)
{
    pub.insert(description.size() + 1);
}

void KeychainPromptAclSubject::exportBlob(Writer &pub, Writer &priv)
{
    pub(description.c_str());
}


#ifdef DEBUGDUMP

void KeychainPromptAclSubject::debugDump() const
{
        Debug::dump("KeychainPrompt:%s", description.c_str());
}

#endif //DEBUGDUMP