1 /*
2 * AuthorizationRule.h
3 * Security
4 *
5 * Created by Conrad Sauerwald on Wed Mar 19 2003.
6 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
7 *
8 */
9
10 #ifndef _H_AUTHORIZATIONRULE
11 #define _H_AUTHORIZATIONRULE 1
12
13 #include <CoreFoundation/CoreFoundation.h>
14 #include "AuthorizationData.h"
15
16 #include "agentquery.h"
17
18
19 namespace Authorization
20 {
21
22 class Rule;
23
/// One parsed authorization rule, shared by reference count.
///
/// A RuleImpl is built from the CFDictionary describing a right (cfRight)
/// together with the dictionary of named rules it can refer to (cfRules);
/// the "parsed attributes" section below holds what was extracted from
/// them. The single public entry point, evaluate(), decides whether the
/// requested right is granted for the calling AuthorizationToken and
/// reports the outcome as an OSStatus.
///
/// NOTE(review): string, vector and map are used unqualified, so this
/// header depends on a using-directive supplied by one of the included
/// headers — confirm before including it from new code.
class RuleImpl : public RefCount
{
public:
    /// Default-constructed rule; what it evaluates to is up to the
    /// implementation in the .cpp.
    RuleImpl();
    /// Parses the rule for right `inRightName` from `cfRight`; `cfRules`
    /// is the table of named rules (presumably consulted for delegation,
    /// see kRuleDelegation — confirm).
    RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);

    /// Evaluates this rule for `inRight`.
    /// @param inRight  The right being requested.
    /// @param inRule   The Rule handle under evaluation (the private helpers
    ///                 distinguish a top-level rule, see setAgentHints).
    /// @param environmentToClient  Environment items; passed non-const, so
    ///                 evaluation may add items that are returned to the client.
    /// @param flags    The caller's AuthorizationFlags.
    /// @param now      Reference time; presumably compared against
    ///                 mMaxCredentialAge when judging credentials — confirm.
    /// @param inCredentials  Credentials already held; may be NULL.
    /// @param credentials    Receives credentials produced by this evaluation.
    /// @param auth     The authorization session the request belongs to.
    /// @return An OSStatus; the specific success/failure codes are chosen in
    ///         the implementation.
    OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
        AuthorizationFlags flags, CFAbsoluteTime now,
        const CredentialSet *inCredentials, CredentialSet &credentials,
        AuthorizationToken &auth) const;

    /// Name of the right this rule was parsed for (returned by value).
    string name() const { return mRightName; }

private:
    // internal machinery

    /// Checks whether a single existing credential satisfies this rule for
    /// `inRight` at time `now`; `ignoreShared` presumably disables the
    /// mShared/kSharedID treatment for this check — confirm.
    OSStatus evaluateCredentialForRight(const AuthItemRef &inRight, const Rule &inRule,
        const AuthItemSet &environment,
        CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const;

    /// Runs the mechanisms listed for this rule (mEvalDef) and collects any
    /// credentials they produce into `outCredentials`.
    OSStatus evaluateMechanism(const AuthItemRef &inRight, const AuthItemSet &environment, AuthorizationToken &auth, CredentialSet &outCredentials) const;

    /// Evaluates the sub-rules in mRuleDef; same parameters as evaluate().
    OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
        AuthItemSet &environmentToClient, AuthorizationFlags flags,
        CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
        AuthorizationToken &auth) const;

    /// Adds hints for the Security Agent to `environmentToClient`, using
    /// the top-level rule rather than the rule currently being evaluated.
    void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;

    // perform authorization based on running specified mechanisms (see evaluateMechanism)
    OSStatus evaluateAuthorization(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;

    /// Legacy authorization path kept alongside evaluateAuthorization().
    /// NOTE(review): two code paths decide the same policy question — confirm
    /// which conditions select this one and that both apply identical checks.
    OSStatus evaluateAuthorizationOld(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;
    /// Obtains a credential through the agent query `query`; `usernameHint`
    /// pre-fills the user name and `reason` tells the agent why it is asking.
    /// The resulting credential is written to `outCredential`.
    OSStatus obtainCredential(QueryAuthorizeByGroup &query, const AuthItemRef &inRight, AuthItemSet &environmentToClient, const char *usernameHint, Credential &outCredential, SecurityAgent::Reason reason) const;

    /// Evaluation for kUser rules (same parameters as evaluate()).
    OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
        AuthItemSet &environmentToClient, AuthorizationFlags flags,
        CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
        AuthorizationToken &auth) const;

    /// Evaluation for kEvaluateMechanisms rules: only the mechanisms run,
    /// with their credentials returned in `outCredentials`.
    OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const;

    // find username hint based on session owner
    // The result is only a hint for the agent prompt (see obtainCredential);
    // it does not by itself satisfy the rule.
    OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, string& usernamehint) const;


    /// Name of the agent to use for `auth`.
    string agentNameForAuth(const AuthorizationToken &auth) const;
    /// Builds credentials from the items in `context`.
    CredentialSet makeCredentials(const AuthItemSet &context) const;

    /// Localized prompt strings keyed by locale (returned by value).
    map<string,string> localizedPrompts() const { return mLocalizedPrompts; }


    // parsed attributes
private:
    /// Rule class, presumably selected by the kRuleClassID value
    /// (kRuleAllowID, kRuleDenyID, ... below) — confirm in the .cpp.
    enum Type
    {
        kDeny,                // never grants the right
        kAllow,               // grants the right without further checks
        kUser,                // requires a user credential (see evaluateUser)
        kRuleDelegation,      // defers to other named rules (mRuleDef)
        kKofN,                // requires mKofN of the rules in mRuleDef
        kEvaluateMechanisms,  // runs mEvalDef only (see evaluateMechanismOnly)
    } mType;

    string mRightName;                  // right this rule was parsed for
    string mGroupName;                  // presumably from kUserGroupID — confirm
    CFTimeInterval mMaxCredentialAge;   // presumably from kTimeoutID — confirm
    bool mShared;                       // presumably from kSharedID — confirm
    bool mAllowRoot;                    // presumably from kAllowRootID; what it
                                        // exempts root from is decided in the .cpp
    vector<string> mEvalDef;            // mechanism names (kMechanismsID)
    bool mSessionOwner;                 // presumably from kSessionOwnerID — confirm
    vector<Rule> mRuleDef;              // sub-rules for delegation / k-of-n
    uint32_t mKofN;                     // threshold for kKofN (kKofNID)
    // Mutated from the const evaluation paths. NOTE(review): this counter
    // lives on the refcounted rule, not on the AuthorizationToken, so it is
    // shared by every evaluation of this rule — confirm that is intended and
    // that evaluations are not concurrent.
    mutable uint32_t mTries;
    map<string,string> mLocalizedPrompts;   // from kPromptID

private:

    /// Typed accessors for the rule's CFDictionary configuration.
    /// `required` presumably decides whether a missing key is an error
    /// rather than yielding the default — confirm.
    class Attribute
    {
    public:
        static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
        static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
        // NOTE(review): defaultValue is a non-const char *; const char * would
        // accept string literals without a deprecated conversion.
        static string getString(CFDictionaryRef config, CFStringRef key, bool required, char *defaultValue);
        static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
        // NOTE(review): value is a non-const reference although it is an input;
        // const string & is the usual signature.
        static void setString(CFMutableDictionaryRef config, CFStringRef key, string &value);
        static void setDouble(CFMutableDictionaryRef config, CFStringRef key, double value);
        static void setBool(CFMutableDictionaryRef config, CFStringRef key, bool value);
        /// Fills `localizedPrompts` from the config; the bool return
        /// presumably reports whether any prompts were found — confirm.
        static bool getLocalizedPrompts(CFDictionaryRef config, map<string,string> &localizedPrompts);
    };


    // keys
    // Dictionary keys used when parsing a right; defined in the .cpp.
    // NOTE(review): declared as non-const statics, so they are writable.
    static CFStringRef kUserGroupID;
    static CFStringRef kTimeoutID;
    static CFStringRef kSharedID;
    static CFStringRef kAllowRootID;
    static CFStringRef kMechanismsID;
    static CFStringRef kSessionOwnerID;
    static CFStringRef kKofNID;
    static CFStringRef kPromptID;

    // Values/keys describing the rule class (see enum Type).
    static CFStringRef kRuleClassID;
    static CFStringRef kRuleAllowID;
    static CFStringRef kRuleDenyID;
    static CFStringRef kRuleUserID;
    static CFStringRef kRuleDelegateID;
    static CFStringRef kRuleMechanismsID;

};
136
/// Reference-counting handle to a RuleImpl.
///
/// Rule is the type stored in RuleImpl::mRuleDef and passed to the
/// evaluation methods as `const Rule &`; copies share one RuleImpl
/// through RefPointer.
class Rule : public RefPointer<RuleImpl>
{
public:
    /// Handle with no rule attached (presumably a null RefPointer — confirm).
    Rule();
    /// Presumably creates and takes ownership of a RuleImpl built with the
    /// same arguments; see RuleImpl's matching constructor.
    Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
};
143
144 }; /* namespace Authorization */
145
146 #endif /* ! _H_AUTHORIZATIONRULE */