1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // passphrases - canonical code to obtain passphrases
21 //
22 #ifndef _H_AGENTQUERY
23 #define _H_AGENTQUERY
24
25 #include "securityserver.h"
26 #include "xdatabase.h"
27 #include <Security/utilities.h>
28 #include "SecurityAgentClient.h"
29 #include "AuthorizationData.h"
30
31 using Authorization::AuthItemSet;
32
//
// The common machinery of retryable SecurityAgent queries
//
// SecurityAgentQuery inherits *protected* from SecurityAgent::Client, so the
// agent client interface is usable by this class and the query classes derived
// from it, but is not part of the public interface of a query object.
//
class Session;

class SecurityAgentQuery : protected SecurityAgent::Client {
public:
    typedef SecurityAgent::Reason Reason;

    // Default value of the agentName argument of the three-argument constructor.
    static const char defaultName[];

    // NOTE(review): mClientSession is a reference member, so this default
    // constructor must bind it to some Session in the implementation file.
    // Which session that is cannot be told from this header -- confirm.
    SecurityAgentQuery();
    // Presumably a query issued for the client with clientUID inside
    // clientSession -- confirm against the implementation. agentName falls
    // back to defaultName when omitted.
    SecurityAgentQuery(uid_t clientUID, Session &clientSession, const char *agentName = defaultName);
    virtual ~SecurityAgentQuery();

    // Overridable hooks. Presumably they open and close the conversation with
    // the agent; the bodies are not visible here -- confirm.
    virtual void activate();
    virtual void terminate();

private:
    // Stored by reference, not by value: the Session has to outlive this query.
    Session &mClientSession;
};
54
55
//
// Specialized for "rogue app" alert queries
//
// Combines SecurityAgent::Client::KeychainChoice (public base) with the
// SecurityAgentQuery machinery. NOTE(review): the user's answer is presumably
// left in the KeychainChoice base, since queryUser() returns void -- confirm.
//
class QueryKeychainUse : public SecurityAgent::Client::KeychainChoice, public SecurityAgentQuery {
public:
    // Records needPass in the const member needPassphrase. No SecurityAgentQuery
    // initializer is given, so that base is default-constructed.
    // NOTE(review): single-argument constructor without `explicit`, so a bool
    // converts implicitly to a QueryKeychainUse.
    QueryKeychainUse(bool needPass) : needPassphrase(needPass) { }
    // Put the question to the user.
    // NOTE(review): `database` and `description` are raw C strings, presumably
    // shown in the alert. If they can originate from the requesting client,
    // they are untrusted text inside a security-decision dialog -- verify how
    // the implementation bounds and displays them.
    void queryUser (const Database *db, const char* database, const char *description, AclAuthorization action);
    // Virtual through SecurityAgentQuery's virtual destructor.
    ~QueryKeychainUse();

    // Fixed at construction; public but const, so it cannot be changed later.
    const bool needPassphrase;
};
67
68
//
// Specialized for code signature adjustment queries
//
// No constructor is declared, so both bases are default-constructed.
//
class QueryCodeCheck : public SecurityAgent::Client::KeychainChoice, public SecurityAgentQuery {
public:
    // Run the query for the given ACL path. Returns nothing; presumably the
    // outcome is read from the KeychainChoice base afterwards -- confirm.
    // NOTE(review): aclPath is a raw C string with no length argument; it is
    // taken to be NUL-terminated -- verify at the call sites.
    void operator () (const char *aclPath);
};
76
77
//
// A query for an existing passphrase
//
class QueryUnlock : public SecurityAgentQuery {
    // Private (class default access). Presumably the cap on passphrase
    // attempts; the value comes from kMaximumAuthorizationTries.
    static const int maxTries = kMaximumAuthorizationTries;
public:
    // Binds the query to db. No SecurityAgentQuery initializer is given, so
    // the base is default-constructed.
    // NOTE(review): single-argument constructor without `explicit`, so a
    // Database lvalue converts implicitly to a QueryUnlock.
    QueryUnlock(Database &db) : database(db) { }

    // Public reference member: the Database must outlive this query.
    Database &database;

    // Run the query; the returned Reason reports the outcome. Which Reason
    // value means success is defined by SecurityAgent, not visible here.
    Reason operator () ();

protected:
    // Building blocks for operator(); bodies are in the implementation file.
    // The passphrase parameters are non-const references to CSSM data
    // containers, so the callee may fill or modify them.
    // NOTE(review): whether those containers use a sensitive (wiping)
    // allocator is decided where they are created -- confirm at the callers.
    Reason query();
    void queryInteractive(CssmOwnedData &passphrase);
    void retryInteractive(CssmOwnedData &passphrase, Reason reason);
    Reason accept(CssmManagedData &passphrase);
};
96
97
//
// A query for a new passphrase
//
class QueryNewPassphrase : public SecurityAgentQuery {
    // Private (class default access). Presumably the cap on attempts.
    // NOTE(review): hard-coded to 7 here, whereas QueryUnlock takes its limit
    // from kMaximumAuthorizationTries -- confirm the difference is intended.
    static const int maxTries = 7;
public:
    // Binds the query to db and remembers the Reason to start with.
    // mPassphrase is given the allocator returned by
    // CssmAllocator::standard(CssmAllocator::sensitive), i.e. the passphrase
    // copy held by this object lives in the allocator designated for sensitive
    // data. mPassphraseValid starts out false.
    // The initializer order matches the member declaration order.
    QueryNewPassphrase(Database &db, Reason reason) :
        database(db), initialReason(reason),
        mPassphrase(CssmAllocator::standard(CssmAllocator::sensitive)),
        mPassphraseValid(false) { }

    // Public reference member: the Database must outlive this query.
    Database &database;

    // Run the query. `passphrase` is a non-const reference, presumably the
    // output that receives the new passphrase -- confirm. The returned Reason
    // reports the outcome.
    // NOTE(review): the caller owns `passphrase`; whether it is backed by a
    // sensitive allocator depends on how the caller constructed it.
    Reason operator () (CssmOwnedData &passphrase);

protected:
    // Building blocks for operator(); bodies are in the implementation file.
    // accept() takes oldPassphrase as a pointer; presumably it may be null
    // when there is no old passphrase -- confirm.
    Reason query();
    void queryInteractive(CssmOwnedData &passphrase, CssmOwnedData &oldPassphrase);
    void retryInteractive(CssmOwnedData &passphrase, CssmOwnedData &oldPassphrase, Reason reason);
    Reason accept(CssmManagedData &passphrase, CssmData *oldPassphrase);

private:
    Reason initialReason;       // Reason passed to the constructor
    CssmAutoData mPassphrase;   // passphrase storage, sensitive allocator
    bool mPassphraseValid;      // false until set by the implementation
};
124
125
//
// The "give user/passphrase in group" authorization dialog.
// This class is not self-contained, since the AuthorizationEngine wants
// to micro-manage the retry process.
//
class AuthorizationToken;

class QueryAuthorizeByGroup : public SecurityAgentQuery {
public:
    QueryAuthorizeByGroup(uid_t clientUID, const AuthorizationToken &auth);

    // Ask for a user name and passphrase for `group`. `reason` defaults to
    // SecurityAgent::userNotInGroup.
    // NOTE(review): `username` and `passphrase` are declared as arrays, but
    // array parameters decay to plain `char *`. The bounds
    // SecurityAgent::maxUsernameLength and SecurityAgent::maxPassphraseLength
    // are therefore documentation only and the compiler does not check them.
    // Callers must pass buffers of at least those sizes.
    // NOTE(review): presumably both buffers are filled by the call. The
    // passphrase buffer then holds a cleartext secret in caller-owned memory,
    // so the caller should clear it once it is no longer needed -- confirm.
    bool operator () (const char *group, const char *candidateUser, char username[SecurityAgent::maxUsernameLength], char passphrase[SecurityAgent::maxPassphraseLength], Reason reason = SecurityAgent::userNotInGroup);
    // Because the retry loop is driven from outside, the caller presumably
    // ends the dialog explicitly through one of these -- confirm.
    void cancel(Reason reason);
    void done();

    uid_t uid();

    // Public const reference member: the AuthorizationToken must outlive this
    // query. Presumably bound to the constructor's `auth` -- confirm.
    const AuthorizationToken &authorization;

private:
    // Presumably tracks whether the dialog is currently up -- confirm.
    bool mActive;
};
148
149
using Authorization::AuthValueVector;

//
// A query that invokes an authorization mechanism, identified by plugin id
// and mechanism id, through the agent.
//
class QueryInvokeMechanism : public SecurityAgentQuery {
public:
    // Unlike the SecurityAgentQuery constructor, agentName has no default
    // here; the caller always chooses the agent.
    // NOTE(review): agentName selects which agent gets involved, so it should
    // come from trusted configuration rather than from the requesting client
    // -- verify at the call sites.
    QueryInvokeMechanism(uid_t clientUID, const AuthorizationToken &auth, const char *agentName);
    // Invoke mechanism inMechanismId of plugin inPluginId with inArguments.
    // inHints and inContext are non-const references despite the "in" prefix,
    // so the call may modify them. outResult is a pointer, presumably written
    // on return and expected to be non-null -- confirm.
    // `string` is unqualified: this relies on a using-declaration or
    // using-directive supplied by one of the included headers.
    bool operator () (const string &inPluginId, const string &inMechanismId, const AuthValueVector &inArguments, AuthItemSet &inHints, AuthItemSet &inContext, AuthorizationResult *outResult);
    // Separate from the inherited virtual terminate(); how the two relate is
    // not visible in this header.
    void terminateAgent();
};
158
159 #endif //_H_AGENTQUERY