securityd/src/AuthorizationRule.cpp

   1 /*
   2  *  Copyright (c) 2003-2010,2012 Apple Inc. All Rights Reserved.
   3  *
   4  *  @APPLE_LICENSE_HEADER_START@
   5  *
   6  *  This file contains Original Code and/or Modifications of Original Code
   7  *  as defined in and that are subject to the Apple Public Source License
   8  *  Version 2.0 (the 'License'). You may not use this file except in
   9  *  compliance with the License. Please obtain a copy of the License at
  10  *  http://www.opensource.apple.com/apsl/ and read it before using this
  11  *  file.
  12  *
  13  *  The Original Code and all software distributed under the License are
  14  *  distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  *  EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  *  INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  *  FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  *  Please see the License for the specific language governing rights and
  19  *  limitations under the License.
  20  *
  21  *  @APPLE_LICENSE_HEADER_END@
  22  *
  23  *  AuthorizationRule.cpp
  24  *  Security
  25  *
  26  */
  27
  28 #include "AuthorizationRule.h"
  29 #include <Security/AuthorizationTags.h>
  30 #include <Security/AuthorizationTagsPriv.h>
  31 #include <Security/AuthorizationDB.h>
  32 #include <Security/AuthorizationPriv.h>
  33 #include <security_utilities/logging.h>
  34 #include <bsm/audit_uevents.h>
  35 #include "ccaudit_extensions.h"
  36 #include "authority.h"
  37 #include "server.h"
  38 #include "process.h"
  39 #include "agentquery.h"
  40 #include "AuthorizationMechEval.h"
  41
  42 #include <asl.h>
  43 #include <pwd.h>
  44 #include <grp.h>
  45 #include <unistd.h>
  46 #include <membership.h>
  47
  48 extern "C" {
  49 #include <membershipPriv.h>
  50 }
  51
  52 using namespace CommonCriteria::Securityd;
  53
  54 //
  55 // Rule class
  56 //
  57 namespace Authorization {
  58
  59 CFStringRef RuleImpl::kUserGroupID = CFSTR(kAuthorizationRuleParameterGroup);
  60 CFStringRef RuleImpl::kTimeoutID = CFSTR(kAuthorizationRuleParameterCredentialTimeout);
  61 CFStringRef RuleImpl::kSharedID = CFSTR(kAuthorizationRuleParameterCredentialShared);
  62 CFStringRef RuleImpl::kAllowRootID = CFSTR(kAuthorizationRuleParameterAllowRoot);
  63 CFStringRef RuleImpl::kMechanismsID = CFSTR(kAuthorizationRuleParameterMechanisms);
  64 CFStringRef RuleImpl::kSessionOwnerID = CFSTR(kAuthorizationRuleParameterCredentialSessionOwner);
  65 CFStringRef RuleImpl::kKofNID = CFSTR(kAuthorizationRuleParameterKofN);
  66 CFStringRef RuleImpl::kPromptID = CFSTR(kAuthorizationRuleParameterDefaultPrompt);
  67 CFStringRef RuleImpl::kButtonID = CFSTR(kAuthorizationRuleParameterDefaultButton);
  68 CFStringRef RuleImpl::kTriesID = CFSTR("tries"); // XXX/cs move to AuthorizationTagsPriv.h
  69 CFStringRef RuleImpl::kExtractPasswordID = CFSTR(kAuthorizationRuleParameterExtractPassword);
  70
  71 CFStringRef RuleImpl::kRuleClassID = CFSTR(kAuthorizationRuleClass);
  72 CFStringRef RuleImpl::kRuleAllowID = CFSTR(kAuthorizationRuleClassAllow);
  73 CFStringRef RuleImpl::kRuleDenyID = CFSTR(kAuthorizationRuleClassDeny);
  74 CFStringRef RuleImpl::kRuleUserID = CFSTR(kAuthorizationRuleClassUser);
  75 CFStringRef RuleImpl::kRuleDelegateID = CFSTR(kAuthorizationRightRule);
  76 CFStringRef RuleImpl::kRuleMechanismsID = CFSTR(kAuthorizationRuleClassMechanisms);
  77 CFStringRef RuleImpl::kRuleAuthenticateUserID = CFSTR(kAuthorizationRuleParameterAuthenticateUser);
  78
  79
  80 string
  81 RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool required = false, const char *defaultValue = "")
  82 {
  83         Syslog::alert("Authorization via securityd no longer supported");
  84         MacOSError::throwMe(errAuthorizationInternal);
  85 }
  86
  87 double
  88 RuleImpl::Attribute::getDouble(CFDictionaryRef config, CFStringRef key, bool required = false, double defaultValue = 0.0)
  89 {
  90         Syslog::alert("Authorization via securityd no longer supported");
  91         MacOSError::throwMe(errAuthorizationInternal);
  92 }
  93
  94 bool
  95 RuleImpl::Attribute::getBool(CFDictionaryRef config, CFStringRef key, bool required = false, bool defaultValue = false)
  96 {
  97         Syslog::alert("Authorization via securityd no longer supported");
  98         MacOSError::throwMe(errAuthorizationInternal);
  99 }
 100
 101 vector<string>
 102 RuleImpl::Attribute::getVector(CFDictionaryRef config, CFStringRef key, bool required = false)
 103 {
 104         Syslog::alert("Authorization via securityd no longer supported");
 105         MacOSError::throwMe(errAuthorizationInternal);
 106 }
 107
 108
 109 bool RuleImpl::Attribute::getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey)
 110 {
 111         Syslog::alert("Authorization via securityd no longer supported");
 112         MacOSError::throwMe(errAuthorizationInternal);
 113 }
 114
 115
 116 // default rule
 117 RuleImpl::RuleImpl() :
 118 mType(kUser), mGroupName("admin"), mMaxCredentialAge(300.0), mShared(true), mAllowRoot(false), mSessionOwner(false), mTries(0), mAuthenticateUser(true), mExtractPassword(false)
 119 {
 120         // XXX/cs read default descriptions from somewhere
 121         // @@@ Default rule is shared admin group with 5 minute timeout
 122 }
 123
 124 // return rule built from rule definition; throw if invalid.
 125 RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules) : mRightName(inRightName), mExtractPassword(false)
 126 {
 127         Syslog::alert("Authorization via securityd no longer supported");
 128         MacOSError::throwMe(errAuthorizationInternal);
 129 }
 130
 131 /*
 132 RuleImpl::~Rule()
 133 {
 134 }
 135 */
 136
 137 void
 138 RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const
 139 {
 140         Syslog::alert("Authorization via securityd no longer supported");
 141         MacOSError::throwMe(errAuthorizationInternal);
 142 }
 143
 144 // If a different evaluation for getting a credential is prescribed,
 145 // we'll run that and validate the credentials from there.
 146 // we fall back on a default configuration from the authenticate rule
 147 OSStatus
 148 RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
 149 {
 150         Syslog::alert("Authorization via securityd no longer supported");
 151         MacOSError::throwMe(errAuthorizationInternal);
 152 }
 153
 154 // create externally verified credentials on the basis of
 155 // mechanism-provided information
 156 CredentialSet
 157 RuleImpl::makeCredentials(const AuthorizationToken &auth) const
 158 {
 159         Syslog::alert("Authorization via securityd no longer supported");
 160         MacOSError::throwMe(errAuthorizationInternal);
 161 }
 162
 163 // evaluate whether a good credential of the current session owner would authorize a right
 164 OSStatus
 165 RuleImpl::evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const
 166 {
 167         Syslog::alert("Authorization via securityd no longer supported");
 168         MacOSError::throwMe(errAuthorizationInternal);
 169 }
 170
 171
 172 OSStatus
 173 RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
 174 {
 175         Syslog::alert("Authorization via securityd no longer supported");
 176         MacOSError::throwMe(errAuthorizationInternal);
 177 }
 178
 179 // Return errAuthorizationSuccess if this rule allows access based on the specified credential,
 180 // return errAuthorizationDenied otherwise.
 181 OSStatus
 182 RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
 183 {
 184         Syslog::alert("Authorization via securityd no longer supported");
 185         MacOSError::throwMe(errAuthorizationInternal);
 186 }
 187
 188
 189
 190 OSStatus
 191 RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
 192 {
 193         Syslog::alert("Authorization via securityd no longer supported");
 194         MacOSError::throwMe(errAuthorizationInternal);
 195 }
 196
 197 OSStatus
 198 RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const
 199 {
 200         Syslog::alert("Authorization via securityd no longer supported");
 201         MacOSError::throwMe(errAuthorizationInternal);
 202 }
 203
 204 OSStatus
 205 RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
 206 {
 207         Syslog::alert("Authorization via securityd no longer supported");
 208         MacOSError::throwMe(errAuthorizationInternal);
 209 }
 210
 211
 212 OSStatus
 213 RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
 214 {
 215         Syslog::alert("Authorization via securityd no longer supported");
 216         MacOSError::throwMe(errAuthorizationInternal);
 217 }
 218
 219 Rule::Rule() : RefPointer<RuleImpl>(new RuleImpl()) {}
 220 Rule::Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules) : RefPointer<RuleImpl>(new RuleImpl(inRightName, cfRight, cfRules)) {}
 221
 222
 223
 224 } // end namespace Authorization