SecurityServer/acls.cpp

   1 /*
   2  * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * The contents of this file constitute Original Code as defined in and are
   5  * subject to the Apple Public Source License Version 1.2 (the 'License').
   6  * You may not use this file except in compliance with the License. Please obtain
   7  * a copy of the License at http://www.apple.com/publicsource and read it before
   8  * using this file.
   9  *
  10  * This Original Code and all software distributed under the License are
  11  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
  12  * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
  13  * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
  14  * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
  15  * specific language governing rights and limitations under the License.
  16  */
  17
  18
  19 //
  20 // acls - SecurityServer ACL implementation
  21 //
  22 #include "acls.h"
  23 #include "connection.h"
  24 #include "server.h"
  25 #include "SecurityAgentClient.h"
  26 #include <Security/acl_any.h>
  27 #include <Security/acl_password.h>
  28 #include <Security/acl_threshold.h>
  29
  30
  31 //
  32 // SecurityServerAcl is virtual
  33 //
  34 SecurityServerAcl::~SecurityServerAcl()
  35 { }
  36
  37
  38 //
  39 // Each SecurityServerAcl type must provide some indication of a database
  40 // it is associated with. The default, naturally, is "none".
  41 //
  42 const Database *SecurityServerAcl::relatedDatabase() const
  43 { return NULL; }
  44
  45
  46 //
  47 // Provide environmental information to get/change-ACL calls.
  48 // Also make them virtual so our children can override them.
  49 //
  50 void SecurityServerAcl::cssmGetAcl(const char *tag, uint32 &count, AclEntryInfo * &acls)
  51 {
  52         instantiateAcl();
  53         return ObjectAcl::cssmGetAcl(tag, count, acls);
  54 }
  55
  56 void SecurityServerAcl::cssmGetOwner(AclOwnerPrototype &owner)
  57 {
  58         instantiateAcl();
  59         return ObjectAcl::cssmGetOwner(owner);
  60 }
  61
  62 void SecurityServerAcl::cssmChangeAcl(const AclEdit &edit, const AccessCredentials *cred)
  63 {
  64         instantiateAcl();
  65         SecurityServerEnvironment env(*this);
  66         ObjectAcl::cssmChangeAcl(edit, cred, &env);
  67         noticeAclChange();
  68 }
  69
  70 void SecurityServerAcl::cssmChangeOwner(const AclOwnerPrototype &newOwner,
  71         const AccessCredentials *cred)
  72 {
  73         instantiateAcl();
  74         SecurityServerEnvironment env(*this);
  75         ObjectAcl::cssmChangeOwner(newOwner, cred, &env);
  76         noticeAclChange();
  77 }
  78
  79
  80 //
  81 // Modified validate() methods to connect all the conduits...
  82 //
  83 void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred) const
  84 {
  85     SecurityServerEnvironment env(*this);
  86     ObjectAcl::validate(auth, cred, &env);
  87 }
  88
  89 void SecurityServerAcl::validate(AclAuthorization auth, const Context &context) const
  90 {
  91         validate(auth,
  92                 context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS));
  93 }
  94
  95
  96 //
  97 // This function decodes the "special passphrase samples" that provide passphrases
  98 // to the SecurityServer through ACL sample blocks. Essentially, it trolls a credentials
  99 // structure's samples for the special markers, resolves anything that contains
 100 // passphrases outright (and returns true), or returns false if the normal interactive
 101 // procedures are to be followed.
 102 // (This doesn't strongly belong to the SecurityServerAcl class, but doesn't really have
 103 // a better home elsewhere.)
 104 //
 105 bool SecurityServerAcl::getBatchPassphrase(const AccessCredentials *cred,
 106         CSSM_SAMPLE_TYPE neededSampleType, CssmOwnedData &passphrase)
 107 {
 108     if (cred) {
 109                 // check all top-level samples
 110         const SampleGroup &samples = cred->samples();
 111         for (uint32 n = 0; n < samples.length(); n++) {
 112             TypedList sample = samples[n];
 113             if (!sample.isProper())
 114                 CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
 115             if (sample.type() == neededSampleType) {
 116                 sample.snip();
 117                 if (!sample.isProper())
 118                     CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
 119                 switch (sample.type()) {
 120                 case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
 121                     return false;
 122                 case CSSM_SAMPLE_TYPE_PASSWORD:
 123                                         if (sample.length() != 2)
 124                                                 CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
 125                                         passphrase = sample[1];
 126                     return true;
 127                 default:
 128                     CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
 129                 }
 130             }
 131         }
 132     }
 133         return false;
 134 }
 135
 136
 137 //
 138 // Implement our environment object
 139 //
 140 uid_t SecurityServerEnvironment::getuid() const
 141 {
 142     return Server::connection().process.uid();
 143 }
 144
 145 gid_t SecurityServerEnvironment::getgid() const
 146 {
 147     return Server::connection().process.gid();
 148 }
 149
 150 pid_t SecurityServerEnvironment::getpid() const
 151 {
 152     return Server::connection().process.pid();
 153 }
 154
 155 bool SecurityServerEnvironment::verifyCodeSignature(const CodeSigning::Signature *signature)
 156 {
 157         return Server::connection().process.verifyCodeSignature(signature);
 158 }