OSX/libsecurity_cdsa_utilities/lib/acl_preauth.h

   1 /*
   2  * Copyright (c) 2004,2006-2007,2011 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 //
  26 // acl_preauth - a subject type for modeling PINs and similar slot-specific
  27 //              pre-authentication schemes.
  28 //
  29 #ifndef _ACL_PREAUTH
  30 #define _ACL_PREAUTH
  31
  32 #include <security_cdsa_utilities/cssmacl.h>
  33 #include <string>
  34
  35
  36 namespace Security {
  37 namespace PreAuthorizationAcls {
  38
  39
  40 class OriginMaker : public AclSubject::Maker {
  41 protected:
  42         typedef LowLevelMemoryUtilities::Reader Reader;
  43         typedef LowLevelMemoryUtilities::Writer Writer;
  44 public:
  45         OriginMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH) { }
  46         AclSubject *make(const TypedList &list) const;
  47         AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const;
  48 };
  49
  50 class SourceMaker : public AclSubject::Maker {
  51 protected:
  52         typedef LowLevelMemoryUtilities::Reader Reader;
  53         typedef LowLevelMemoryUtilities::Writer Writer;
  54 public:
  55         SourceMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE) { }
  56         AclSubject *make(const TypedList &list) const;
  57         AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const;
  58 };
  59
  60
  61 //
  62 // The actual designation of the PreAuth source AclBearer is provide by the environment.
  63 //
  64 class Environment : public virtual AclValidationEnvironment {
  65 public:
  66         virtual ObjectAcl *preAuthSource() = 0;
  67 };
  68
  69
  70 //
  71 // This is the object that is being "attached" (as an Adornment) to hold
  72 // the pre-authorization state of a SourceAclSubject.
  73 // The Adornable used for storage is determined by the Environment's store() method.
  74 //
  75 struct AclState {
  76         AclState() : accepted(false) { }
  77         bool accepted;                                          // was previously accepted by upstream
  78 };
  79
  80
  81 //
  82 // This is the "origin" subject class that gets created the usual way.
  83 // It models a pre-auth "origin" - i.e. it points at a preauth slot and accepts
  84 // its verdict on validation. Think of it as the "come from" part of the link.
  85 //
  86 class OriginAclSubject : public AclSubject {
  87 public:
  88     bool validates(const AclValidationContext &ctx) const;
  89     CssmList toList(Allocator &alloc) const;
  90
  91     OriginAclSubject(AclAuthorization auth);
  92
  93     void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
  94     void exportBlob(Writer &pub, Writer &priv);
  95
  96         IFDUMP(void debugDump() const);
  97
  98 private:
  99         AclAuthorization mAuthTag;              // authorization tag referred to (origin only)
 100 };
 101
 102
 103 //
 104 // The "source" subject class describes the other end of the link; the "go to" part
 105 // if you will. Its sourceSubject is consulted for actual validation; and prior validation
 106 // state is remembered (through the environment store facility) so that future validation
 107 // attempts will automaticaly succeed (that's the "pre" in PreAuth).
 108 //
 109 class SourceAclSubject : public AclSubject {
 110 public:
 111         bool validates(const AclValidationContext &ctx) const;
 112         CssmList toList(Allocator &alloc) const;
 113
 114         SourceAclSubject(AclSubject *subSubject,
 115                 CSSM_ACL_PREAUTH_TRACKING_STATE state = CSSM_ACL_PREAUTH_TRACKING_UNKNOWN);
 116
 117         void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
 118         void exportBlob(Writer &pub, Writer &priv);
 119
 120         IFDUMP(void debugDump() const);
 121
 122 private:
 123         RefPointer<AclSubject> mSourceSubject;  // subject determining outcome (source only)
 124 };
 125
 126
 127
 128 }       //  namespace PreAuthorizationAcls
 129 }       //  namespace Security
 130
 131
 132 #endif //_ACL_PREAUTH