1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // authority - authorization manager
21 //
22 #ifndef _H_AUTHORITY
23 #define _H_AUTHORITY
24
25 #include "securityserver.h"
26 #include "AuthorizationEngine.h"
27
28
// NOTE(review): these are header-scope using-declarations. Every translation
// unit that includes authority.h receives CredentialSet, RightSet and
// MutableRightSet as unqualified names; callers may already depend on that,
// so they are left in place rather than moved into a namespace or the .cpp.
29 using Authorization::CredentialSet;
30 using Authorization::RightSet;
31 using Authorization::MutableRightSet;
32
33
// Forward declarations only: this header refers to Process and Session by
// reference/pointer and never needs their layout.
34 class Process;
35 class Session;
36
37
//
// AuthorizationToken is the server-side object behind one authorization
// handle. It is bound to the Session that created it, carries the credential
// set it was built from (mBaseCreds), and tracks the Process objects that are
// currently using it. Every live token is registered in a static table
// (authMap) keyed by its AuthorizationBlob, so a blob presented by a client
// can be resolved back to its token with find().
//
38 class AuthorizationToken {
39 public:
40 AuthorizationToken(Session &ssn, const CredentialSet &base);
41 ~AuthorizationToken();
42
43 Session &session; // the session this token belongs to (bound at construction)
44
45 const AuthorizationBlob &handle() const { return mHandle; } // the opaque blob clients hold for this token
46 const CredentialSet &baseCreds() const { return mBaseCreds; } // credentials this token was created with
47 CredentialSet effectiveCreds() const; // returned by value: presumably derived from mBaseCreds (and possibly the session); defined in the .cpp
48
49 typedef CredentialSet::iterator iterator;
50 iterator begin() { return mBaseCreds.begin(); } // iteration covers the base credentials only, not effectiveCreds()
51 iterator end() { return mBaseCreds.end(); }
52
53 // add more credential dependencies
54 void mergeCredentials(const CredentialSet &more);
55
56 // maintain process-owning links
57 void addProcess(Process &proc);
58 bool endProcess(Process &proc); // the meaning of the bool (presumably "no processes left") is defined in the .cpp -- confirm before relying on it
59
60 // access control for external representations
// mayExternalize: may proc obtain an external (blob) form of this token?
// mayInternalize: may proc adopt an externalized token? When countIt is true
// this presumably consumes one of the mTransferCount internalizations
// remaining (see the private member below) -- confirm in the .cpp.
61 bool mayExternalize(Process &proc) const;
62 bool mayInternalize(Process &proc, bool countIt = true);
63
64 uid_t creatorUid() const; // uid of the process that created this token (mCreatorUid)
65 public:
// Resolve a client-presented blob to its live token through authMap.
// Because this returns a reference it cannot report "not found" by return
// value; what happens for an unknown blob is defined in the .cpp.
66 static AuthorizationToken &find(const AuthorizationBlob &blob);
67
// Deleter looks a token up by blob and holds a lock (the StLock member) for
// as long as the Deleter object lives, so that remove() or use of the token
// via the conversion operator cannot race with other lookups.
// NOTE(review): which Mutex the StLock guards (authMapLock or the token's
// own mLock) is decided in the constructor in the .cpp, not visible here.
68 class Deleter {
69 public:
70 Deleter(const AuthorizationBlob &blob);
71
72 void remove(); // remove the token found by the constructor
73 operator AuthorizationToken &() const { return *mAuth; } // dereferences mAuth unconditionally; assumes the constructor established it non-null
74
75 private:
76 AuthorizationToken *mAuth; // token located by the constructor (non-owning here; ownership is not expressed in this header)
77 StLock<Mutex> lock; // RAII lock holder, released when the Deleter is destroyed
78 };
79
80 private:
81 Mutex mLock; // object lock
82 AuthorizationBlob mHandle; // official randomized blob marker
83 CredentialSet mBaseCreds; // credentials we're based on
84
85 unsigned int mTransferCount; // number of internalizations remaining
86
87 typedef set<Process *> ProcessSet;
88 ProcessSet mUsingProcesses; // set of process objects using this token
89
90 uid_t mCreatorUid; // uid of the process that created this authorization
91
92 private:
93 typedef map<AuthorizationBlob, AuthorizationToken *> AuthMap; // raw pointers: the header does not say who owns the tokens
94 static AuthMap authMap; // set of extant authorizations
95 static Mutex authMapLock; // lock for authMap (only) -- mLock guards a single token's state
96 };
97
98
99 //
100 // The authority itself. You will usually only have one of these.
101 //
102 class Authority : public Authorization::Engine {
103 public:
104 Authority(const char *configFile); // configFile: presumably the path of the policy configuration the engine loads -- confirm in the .cpp
105 virtual ~Authority();
106
// Evaluate a request for inRights on behalf of the token auth.
// inCredentials may add to the credentials auth already carries; on success
// outCredentials and outRights receive the credentials and rights that were
// actually granted (whether the out-parameters may be null is not visible
// here). Returns an OSStatus; the precise codes are defined in the .cpp.
// Calls are serialized by mLock, declared below as the force-single-thread
// lock for this method.
107 OSStatus authorize(const RightSet &inRights, const AuthorizationEnvironment *environment,
108 AuthorizationFlags flags, const CredentialSet *inCredentials, CredentialSet *outCredentials,
109 MutableRightSet *outRights, const AuthorizationToken &auth);
110
111 private:
112 Mutex mLock; // force-single-thread lock for authorize()
113 };
114
115
116 #endif //_H_AUTHORITY