1 /*
2 * AuthorizationRule.h
3 * Security
4 *
5 * Created by Conrad Sauerwald on Wed Mar 19 2003.
6 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
7 *
8 */
9
10 #ifndef _H_AUTHORIZATIONRULE
11 #define _H_AUTHORIZATIONRULE 1
12
13 #include <CoreFoundation/CoreFoundation.h>
14 #include "AuthorizationData.h"
15
16 #include "agentquery.h"
17
18
19 namespace Authorization
20 {
21
22 class Rule;
23
// Reference-counted implementation of one authorization rule.
//
// A RuleImpl is built from a right name plus the two CoreFoundation
// dictionaries describing that right and the rule table (second constructor);
// the k*ID keys declared at the bottom of the class are the dictionary keys
// the parser looks up. evaluate() is the only public entry point besides
// name(): it decides whether a request for the right is granted and reports
// the decision as an OSStatus. All evaluate* helpers are declared here but
// defined in the implementation file, so their exact behaviour is not visible
// from this header; comments on them are based on names and signatures and
// are marked as such.
class RuleImpl : public RefCount
{
public:
    RuleImpl();
    // Parse `cfRight` (the right's own definition) and `cfRules` (the rule
    // table, presumably used to resolve rule delegation) into the parsed
    // attributes below. `inRightName` is kept as mRightName.
    RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);

    // Evaluate this rule for `inRight`.
    //   inRight             the right being requested
    //   inRule              the top-level rule (passed through to the helpers)
    //   environmentToClient mutable environment handed back to the client
    //                       (see setAgentHints)
    //   flags               the AuthorizationFlags of the request
    //   now                 timestamp supplied by the caller, presumably so
    //                       that credential-age checks against
    //                       mMaxCredentialAge use one consistent time
    //   inCredentials       credentials the caller already holds; a pointer,
    //                       so it may be null
    //   credentials         non-const out-set the evaluation writes into
    //   auth                the AuthorizationToken of the requesting session
    // Returns an OSStatus; the concrete success/failure codes are set in the
    // implementation file.
    OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
        AuthorizationFlags flags, CFAbsoluteTime now,
        const CredentialSet *inCredentials, CredentialSet &credentials,
        AuthorizationToken &auth) const;

    // The right this rule was constructed for (a copy of mRightName).
    string name() const { return mRightName; }

private:
    // internal machinery

    // evaluate credential for right
    // Checks whether a single already-held `credential` satisfies `inRight`
    // at time `now`. `ignoreShared` presumably controls whether a credential
    // marked shared may be accepted — confirm against the definition.
    OSStatus evaluateCredentialForRight(const AuthItemRef &inRight, const Rule &inRule,
        const AuthItemSet &environment,
        CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const;

    // run mechanisms specified for this rule
    // The mechanism list is presumably mEvalDef; credentials produced by the
    // mechanisms go to `outCredentials`.
    OSStatus evaluateMechanism(const AuthItemRef &inRight, const AuthItemSet &environment, AuthorizationToken &auth, CredentialSet &outCredentials) const;

    // Same parameter set as evaluate(); presumably the path taken for rules
    // that delegate to other rules (mRuleDef, kRuleDelegation / kKofN) —
    // verify in the implementation.
    OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
        AuthItemSet &environmentToClient, AuthorizationFlags flags,
        CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
        AuthorizationToken &auth) const;

    // Adds hints for the SecurityAgent to `environmentToClient` (the only
    // non-const parameter here). What hints are added is not visible in this
    // header.
    void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;

    // perform authorization based on running specified mechanisms (see evaluateMechanism)
    OSStatus evaluateAuthorization(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;

    // Older variant of evaluateAuthorization with the same signature. Which
    // rule types still route through it cannot be told from the header —
    // TODO(review): confirm it is still reachable, and that both paths apply
    // the same credential checks.
    OSStatus evaluateAuthorizationOld(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;
    // Obtain a credential through the SecurityAgent using `query`
    // (QueryAuthorizeByGroup, from agentquery.h). `usernameHint` pre-fills the
    // user name shown to the user (may be null: it is a C string pointer);
    // `reason` tells the agent why it is asking; the result is written to
    // `outCredential`.
    OSStatus obtainCredential(QueryAuthorizeByGroup &query, const AuthItemRef &inRight, AuthItemSet &environmentToClient, const char *usernameHint, Credential &outCredential, SecurityAgent::Reason reason) const;

    // Same parameter set as evaluate(); presumably the kUser path (group
    // membership via mGroupName plus a credential prompt) — confirm.
    OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
        AuthItemSet &environmentToClient, AuthorizationFlags flags,
        CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
        AuthorizationToken &auth) const;

    // Presumably the kEvaluateMechanisms path: run the mechanisms and collect
    // credentials into `outCredentials` without the user/group checks.
    OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const;

    // find username hint based on session owner
    // Result is returned through `usernamehint`; everything else is const.
    OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, string& usernamehint) const;


    // Name of the agent to use for `auth`; derivation not visible here.
    string agentNameForAuth(const AuthorizationToken &auth) const;
    // Build a CredentialSet from an authorization context.
    CredentialSet makeCredentials(const AuthItemSet &context) const;

    // Copy of the localized prompt table (mLocalizedPrompts), keyed by
    // locale identifier — key meaning inferred from the name.
    map<string,string> localizedPrompts() const { return mLocalizedPrompts; }

    // parsed attributes
private:
    // The rule class, selected by the kRuleClassID value (kRuleAllowID,
    // kRuleDenyID, kRuleUserID, kRuleDelegateID, kRuleMechanismsID below).
    // kKofN has no matching kRule*ID key here; how it is selected is not
    // visible in this header.
    enum Type
    {
        kDeny,               // always refuse
        kAllow,              // always grant
        kUser,               // authenticate a user (see mGroupName)
        kRuleDelegation,     // defer to the rules in mRuleDef
        kKofN,               // presumably: mKofN of the rules in mRuleDef must pass
        kEvaluateMechanisms, // run the mechanisms in mEvalDef
    } mType;

    string mRightName;                // right this rule was built for
    string mGroupName;                // group a user must belong to (kUserGroupID, presumably)
    CFTimeInterval mMaxCredentialAge; // how long a credential stays acceptable (kTimeoutID, presumably)
    bool mShared;                     // whether an obtained credential may be shared with
                                      // other rights (kSharedID) — semantics inferred from name
    bool mAllowRoot;                  // kAllowRootID; presumably lets uid 0 satisfy the rule
                                      // without a prompt — security-relevant, confirm in the .cpp
    vector<string> mEvalDef;          // mechanism names (kMechanismsID)
    bool mSessionOwner;               // kSessionOwnerID; used by evaluateSessionOwner
    vector<Rule> mRuleDef;            // delegate rules for kRuleDelegation / kKofN
    uint32_t mKofN;                   // kKofNID
    // `mutable` so the const evaluate* methods can update it; presumably the
    // attempt counter. NOTE(review): mutable state on a rule object means
    // concurrent evaluations of the same rule would need serialization
    // elsewhere — nothing in this header provides it.
    mutable uint32_t mTries;
    map<string,string> mLocalizedPrompts; // kPromptID

private:

    // Typed accessors for the CFDictionaryRef rule/right definitions.
    // `required` presumably makes a missing key an error rather than falling
    // back to `defaultValue` — confirm against the definitions.
    class Attribute
    {
    public:
        static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
        static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
        // NOTE(review): `defaultValue` is a non-const char*, so string
        // literals bind only through the deprecated conversion; `const char *`
        // is the intended type, but changing it means changing the definition
        // in the .cpp as well.
        static string getString(CFDictionaryRef config, CFStringRef key, bool required, char *defaultValue);
        static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
        // `value` is a non-const reference although nothing here suggests it
        // is modified; callers cannot pass temporaries.
        static void setString(CFMutableDictionaryRef config, CFStringRef key, string &value);
        static void setDouble(CFMutableDictionaryRef config, CFStringRef key, double value);
        static void setBool(CFMutableDictionaryRef config, CFStringRef key, bool value);
        // Fills `localizedPrompts`; the bool presumably reports whether a
        // prompt table was present.
        static bool getLocalizedPrompts(CFDictionaryRef config, map<string,string> &localizedPrompts);
    };


    // keys
    // Dictionary keys for the right definition. These are static data
    // members, so their definitions (and the actual key strings) live in the
    // implementation file, not here.
    static CFStringRef kUserGroupID;
    static CFStringRef kTimeoutID;
    static CFStringRef kSharedID;
    static CFStringRef kAllowRootID;
    static CFStringRef kMechanismsID;
    static CFStringRef kSessionOwnerID;
    static CFStringRef kKofNID;
    static CFStringRef kPromptID;

    // Keys for the rule class (value of kRuleClassID selects `mType`).
    static CFStringRef kRuleClassID;
    static CFStringRef kRuleAllowID;
    static CFStringRef kRuleDenyID;
    static CFStringRef kRuleUserID;
    static CFStringRef kRuleDelegateID;
    static CFStringRef kRuleMechanismsID;

};
135
// Reference-counted handle to a RuleImpl (RefPointer<RuleImpl>). This is the
// type passed around by value everywhere in this header (evaluate(),
// mRuleDef); the two constructors mirror RuleImpl's and presumably allocate
// the matching RuleImpl — the definitions are in the implementation file.
class Rule : public RefPointer<RuleImpl>
{
public:
    Rule();
    Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
};
142
143 }; /* namespace Authorization */
144
145 #endif /* ! _H_AUTHORIZATIONRULE */