OSX/libsecurity_keychain/lib/Access.h

   1 /*
   2  * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // Access.h - Access control wrappers
  26 //
  27 #ifndef _SECURITY_ACCESS_H_
  28 #define _SECURITY_ACCESS_H_
  29
  30 #include <security_keychain/ACL.h>
  31 #include <security_utilities/trackingallocator.h>
  32 #include <security_cdsa_utilities/cssmaclpod.h>
  33 #include <security_cdsa_utilities/cssmacl.h>
  34 #include <security_cdsa_client/aclclient.h>
  35 #include <security_keychain/TrustedApplication.h>
  36 #include <map>
  37
  38 namespace Security {
  39 namespace KeychainCore {
  40
  41 using CssmClient::AclBearer;
  42
  43
  44 class Access : public SecCFObject {
  45         NOCOPY(Access)
  46 public:
  47         SECCFFUNCTIONS(Access, SecAccessRef, errSecInvalidItemRef, gTypes().Access)
  48
  49         class Maker {
  50                 NOCOPY(Maker)
  51                 static const size_t keySize = 16;       // number of (random) bytes
  52                 friend class Access;
  53         public:
  54                 enum MakerType {kStandardMakerType, kAnyMakerType};
  55
  56                 Maker(Allocator &alloc = Allocator::standard(), MakerType makerType = kStandardMakerType);
  57
  58                 void initialOwner(ResourceControlContext &ctx, const AccessCredentials *creds = NULL);
  59                 const AccessCredentials *cred();
  60
  61                 TrackingAllocator allocator;
  62
  63                 static const char creationEntryTag[];
  64
  65                 MakerType makerType() {return mMakerType;}
  66
  67         private:
  68                 CssmAutoData mKey;
  69                 AclEntryInput mInput;
  70                 AutoCredentials mCreds;
  71                 MakerType mMakerType;
  72         };
  73
  74 public:
  75         // make default forms
  76     Access(const string &description);
  77     Access(const string &description, const ACL::ApplicationList &trusted);
  78     Access(const string &description, const ACL::ApplicationList &trusted,
  79                 const AclAuthorizationSet &limitedRights, const AclAuthorizationSet &freeRights);
  80
  81         // make a completely open Access (anyone can do anything)
  82         Access();
  83
  84         // retrieve from an existing AclBearer
  85         Access(AclBearer &source);
  86
  87         // make from CSSM layer information (presumably retrieved by caller)
  88         Access(const CSSM_ACL_OWNER_PROTOTYPE &owner,
  89                 uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls);
  90     virtual ~Access();
  91
  92 public:
  93         CFArrayRef copySecACLs() const;
  94         CFArrayRef copySecACLs(CSSM_ACL_AUTHORIZATION_TAG action) const;
  95
  96         void add(ACL *newAcl);
  97         void addOwner(ACL *newOwnerAcl);
  98
  99         void setAccess(AclBearer &target, bool update = false);
 100         void setAccess(AclBearer &target, Maker &maker);
 101
 102         template <class Container>
 103         void findAclsForRight(AclAuthorization right, Container &cont)
 104         {
 105                 cont.clear();
 106                 for (Map::const_iterator it = mAcls.begin(); it != mAcls.end(); it++)
 107                         if (it->second->authorizes(right))
 108                                 cont.push_back(it->second);
 109         }
 110
 111         std::string promptDescription() const;  // from any one of the ACLs contained
 112
 113         void addApplicationToRight(AclAuthorization right, TrustedApplication *app);
 114
 115         void copyOwnerAndAcl(CSSM_ACL_OWNER_PROTOTYPE * &owner,
 116                 uint32 &aclCount, CSSM_ACL_ENTRY_INFO * &acls);
 117
 118 protected:
 119     void makeStandard(const string &description, const ACL::ApplicationList &trusted,
 120                 const AclAuthorizationSet &limitedRights = AclAuthorizationSet(),
 121                 const AclAuthorizationSet &freeRights = AclAuthorizationSet());
 122     void compile(const CSSM_ACL_OWNER_PROTOTYPE &owner,
 123         uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls);
 124
 125         void editAccess(AclBearer &target, bool update, const AccessCredentials *cred);
 126
 127 private:
 128         static const CSSM_ACL_HANDLE ownerHandle = ACL::ownerHandle;
 129         typedef map<CSSM_ACL_HANDLE, SecPointer<ACL> > Map;
 130
 131         Map mAcls;                      // set of ACL entries
 132         Mutex mMutex;
 133 };
 134
 135
 136 } // end namespace KeychainCore
 137 } // end namespace Security
 138
 139 #endif // !_SECURITY_ACCESS_H_