]> git.saurik.com Git - apple/security.git/blob - SecurityServer/authority.h
Security-163.tar.gz
[apple/security.git] / SecurityServer / authority.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // authority - authorization manager
21 //
22 #ifndef _H_AUTHORITY
23 #define _H_AUTHORITY
24
25 #include "securityserver.h"
26 #include "AuthorizationEngine.h"
27
28 using Authorization::Credential;
29 using Authorization::CredentialSet;
30 using Authorization::AuthItemSet;
31
32 class Process;
33 class Session;
34
35
36 class AuthorizationToken {
37 public:
38 AuthorizationToken(Session &ssn, const CredentialSet &base, const security_token_t &securityToken);
39 ~AuthorizationToken();
40
41 Session &session;
42
43 const AuthorizationBlob &handle() const { return mHandle; }
44 const CredentialSet &baseCreds() const { return mBaseCreds; }
45 CredentialSet effectiveCreds() const;
46
47 typedef CredentialSet::iterator iterator;
48 iterator begin() { return mBaseCreds.begin(); }
49 iterator end() { return mBaseCreds.end(); }
50
51 // add more credential dependencies
52 void mergeCredentials(const CredentialSet &more);
53
54 // maintain process-owning links
55 void addProcess(Process &proc);
56 bool endProcess(Process &proc);
57
58 // access control for external representations
59 bool mayExternalize(Process &proc) const;
60 bool mayInternalize(Process &proc, bool countIt = true);
61
62 uid_t creatorUid() const { return mCreatorUid; }
63 CodeSigning::OSXCode *creatorCode() const { return mCreatorCode; }
64 pid_t creatorPid() const { return mCreatorPid; }
65
66 AuthItemSet infoSet(AuthorizationString tag = NULL);
67 void setInfoSet(AuthItemSet &newInfoSet);
68 void setCredentialInfo(const Credential &inCred);
69
70 public:
71 static AuthorizationToken &find(const AuthorizationBlob &blob);
72
73 class Deleter {
74 public:
75 Deleter(const AuthorizationBlob &blob);
76
77 void remove();
78 operator AuthorizationToken &() const { return *mAuth; }
79
80 private:
81 AuthorizationToken *mAuth;
82 StLock<Mutex> lock;
83 };
84
85 private:
86 Mutex mLock; // object lock
87 AuthorizationBlob mHandle; // official randomized blob marker
88 CredentialSet mBaseCreds; // credentials we're based on
89
90 unsigned int mTransferCount; // number of internalizations remaining
91
92 typedef set<Process *> ProcessSet;
93 ProcessSet mUsingProcesses; // set of process objects using this token
94
95 uid_t mCreatorUid; // Uid of proccess that created this authorization
96 RefPointer<OSXCode> mCreatorCode; // code id of creator
97 pid_t mCreatorPid; // Pid of processs that created this authorization
98
99 AuthItemSet mInfoSet; // Side band info gathered from evaluations in this session
100
101 private:
102 typedef map<AuthorizationBlob, AuthorizationToken *> AuthMap;
103 static AuthMap authMap; // set of extant authorizations
104 static Mutex authMapLock; // lock for mAuthorizations (only)
105 };
106
107
108 //
109 // The authority itself. You will usually only have one of these.
110 //
111 class Authority : public Authorization::Engine {
112 public:
113 Authority(const char *configFile);
114 ~Authority();
115 };
116
117
118 #endif //_H_AUTHORITY