]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_authorization/lib/Authorization.h
Security-57740.1.18.tar.gz
[apple/security.git] / OSX / libsecurity_authorization / lib / Authorization.h
1 /*
2 * Copyright (c) 2000-2004,2007,2011-2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 /*
26 * Authorization.h -- APIs for implementing access control in applications
27 * and daemons.
28 */
29
30 #ifndef _SECURITY_AUTHORIZATION_H_
31 #define _SECURITY_AUTHORIZATION_H_
32
33 #include <TargetConditionals.h>
34 #include <MacTypes.h>
35 #include <Availability.h>
36 #include <CoreFoundation/CFAvailability.h>
37 #include <CoreFoundation/CFBase.h>
38
39 #include <stdio.h>
40
41 #if defined(__cplusplus)
42 extern "C" {
43 #endif
44
45 CF_ASSUME_NONNULL_BEGIN
46
47 /*!
48 @header Authorization
49 Version 1.0 10/16/2000
50
51 The Authorization API contains all the APIs that a application or tool that need pre-authorization or need an authorization desision made.
52
53 A typical use cases are a preference panel that would start off calling AuthorizationCreate() (without UI) to get an authorization object. Then call AuthorizationCopyRights() to figure out what is currently allowed.
54
55 If any of the operations that the preference panel wishes to perform are currently not allowed the lock icon in the window would show up in the locked state. Otherwise it would show up unlocked.
56
57 When the user locks the lock AuthorizationFree() is called with the kAuthorizationFlagDestroyRights to destroy any authorization rights that have been aquired.
58
59 When the user unlocks the lock AuthorizationCreate() is called with the kAuthorizationFlagInteractionAllowed and kAuthorizationFlagExtendRights flags to obtain all required rights. The old authorization object can be freed by calling AuthorizationFree() with no flags.
60
61 */
62
63
64
65 /*!
66 @defined kAuthorizationEmptyEnvironment
67 Parameter to specify to AuthorizationCreate when no environment is being provided.
68 */
69 #define kAuthorizationEmptyEnvironment NULL
70
71
72 /*!
73 @enum AuthorizationStatus
74 Error codes returned by Authorization API.
75 */
76
77 /*
78 Note: the comments that appear after these errors are used to create SecErrorMessages.strings.
79 The comments must not be multi-line, and should be in a form meaningful to an end user. If
80 a different or additional comment is needed, it can be put in the header doc format, or on a
81 line that does not start with errZZZ.
82
83 errAuthorizationSuccess can't include a string as it's also errSecSuccess in libsecurity_keychain/lib/SecBase.h
84 */
85
86 CF_ENUM(OSStatus) {
87 errAuthorizationSuccess = 0,
88 errAuthorizationInvalidSet = -60001, /* The authorization rights are invalid. */
89 errAuthorizationInvalidRef = -60002, /* The authorization reference is invalid. */
90 errAuthorizationInvalidTag = -60003, /* The authorization tag is invalid. */
91 errAuthorizationInvalidPointer = -60004, /* The returned authorization is invalid. */
92 errAuthorizationDenied = -60005, /* The authorization was denied. */
93 errAuthorizationCanceled = -60006, /* The authorization was cancelled by the user. */
94 errAuthorizationInteractionNotAllowed = -60007, /* The authorization was denied since no user interaction was possible. */
95 errAuthorizationInternal = -60008, /* Unable to obtain authorization for this operation. */
96 errAuthorizationExternalizeNotAllowed = -60009, /* The authorization is not allowed to be converted to an external format. */
97 errAuthorizationInternalizeNotAllowed = -60010, /* The authorization is not allowed to be created from an external format. */
98 errAuthorizationInvalidFlags = -60011, /* The provided option flag(s) are invalid for this authorization operation. */
99 errAuthorizationToolExecuteFailure = -60031, /* The specified program could not be executed. */
100 errAuthorizationToolEnvironmentError = -60032, /* An invalid status was returned during execution of a privileged tool. */
101 errAuthorizationBadAddress = -60033, /* The requested socket address is invalid (must be 0-1023 inclusive). */
102 };
103
104
105 /*!
106 @typedef AuthorizationFlags
107 Optional flags passed in to several Authorization APIs.
108 See the description of AuthorizationCreate, AuthorizationCopyRights and AuthorizationFree for a description of how they affect those calls.
109 */
110 typedef CF_OPTIONS(UInt32, AuthorizationFlags) {
111 kAuthorizationFlagDefaults = 0,
112 kAuthorizationFlagInteractionAllowed = (1 << 0),
113 kAuthorizationFlagExtendRights = (1 << 1),
114 kAuthorizationFlagPartialRights = (1 << 2),
115 kAuthorizationFlagDestroyRights = (1 << 3),
116 kAuthorizationFlagPreAuthorize = (1 << 4),
117
118 // private bits (do not use)
119 kAuthorizationFlagNoData = (1 << 20)
120 };
121
122
123 /*!
124 @enum AuthorizationRightFlags
125 Flags returned in the flags field of ItemSet Items when calling AuthorizationCopyRights().
126 */
127 enum {
128 kAuthorizationFlagCanNotPreAuthorize = (1 << 0)
129 };
130
131
132 /*!
133 @typedef AuthorizationRef
134 Opaque reference to an authorization object.
135 */
136 typedef const struct AuthorizationOpaqueRef *AuthorizationRef;
137
138
139 /*!
140 @typedef AuthorizationString
141 A zero terminated string in UTF-8 encoding.
142 */
143 typedef const char *AuthorizationString;
144
145
146 /*!
147 @struct AuthorizationItem
148 Each AuthorizationItem describes a single string-named item with optional
149 parameter value. The value must be contiguous memory of valueLength bytes;
150 internal structure is defined separately for each name.
151
152 @field name name of the item, as an AuthorizationString. Mandatory.
153 @field valueLength Number of bytes in parameter value. Must be 0 if no parameter value.
154 @field value Pointer to the optional parameter value associated with name.
155 Must be NULL if no parameter value.
156 @field flags Reserved field. Must be set to 0 on creation. Do not modify after that.
157 */
158 typedef struct {
159 AuthorizationString name;
160 size_t valueLength;
161 void * __nullable value;
162 UInt32 flags;
163 } AuthorizationItem;
164
165
166 /*!
167 @struct AuthorizationItemSet
168 An AuthorizationItemSet structure represents a set of zero or more AuthorizationItems. Since it is a set it should not contain any identical AuthorizationItems.
169
170 @field count Number of items identified by items.
171 @field items Pointer to an array of items.
172 */
173 typedef struct {
174 UInt32 count;
175 AuthorizationItem * __nullable items;
176 } AuthorizationItemSet;
177
178
179
180 /*!
181 @struct AuthorizationExternalForm
182 An AuthorizationExternalForm structure can hold the externalized form of
183 an AuthorizationRef. As such, it can be transmitted across IPC channels
184 to other processes, which can re-internalize it to recover a valid AuthorizationRef
185 handle.
186 The data contained in an AuthorizationExternalForm should be considered opaque.
187
188 SECURITY NOTE: Applications should take care to not disclose the AuthorizationExternalForm to
189 potential attackers since it would authorize rights to them.
190 */
191 static const size_t kAuthorizationExternalFormLength = 32;
192
193 typedef struct {
194 char bytes[kAuthorizationExternalFormLength];
195 } AuthorizationExternalForm;
196
197
198
199 /*!
200 @typedef AuthorizationRights
201 An AuthorizationItemSet representing a set of rights each with an associated argument (value).
202 Each argument value is as defined for the specific right they belong to. Argument values may not contain pointers as the should be copyable to different address spaces.
203 */
204 typedef AuthorizationItemSet AuthorizationRights;
205
206
207 /*!
208 @typedef AuthorizationEnvironment
209 An AuthorizationItemSet representing environmental information of potential use
210 to authorization decisions.
211 */
212 typedef AuthorizationItemSet AuthorizationEnvironment;
213
214
215 /*!
216 @function AuthorizationCreate
217 Create a new autorization object which can be used in other authorization calls. When the authorization is no longer needed AuthorizationFree should be called.
218
219 When the kAuthorizationFlagInteractionAllowed flag is set, user interaction will happen when required. Failing to set this flag will result in this call failing with a errAuthorizationInteractionNotAllowed status when interaction is required.
220
221 Setting the kAuthorizationFlagExtendRights flag will extend the currently available rights. If this flag is set the returned AuthorizationRef will grant all the rights requested when errAuthorizationSuccess is returned. If this flag is not set the operation will almost certainly succeed, but no attempt will be made to make the requested rights availible.
222 Call AuthorizationCopyRights to figure out which of the requested rights are granted by the returned AuthorizationRef.
223
224 Setting the kAuthorizationFlagPartialRights flag will cause this call to succeed if only some of the requested rights are being granted by the returned AuthorizationRef. Unless this flag is set this API will fail if not all the requested rights could be obtained.
225
226 Setting the kAuthorizationFlagDestroyRights flag will prevent any rights obtained during this call from being preserved after returning from this API (This is most useful when the authorization parameter is NULL and the caller doesn't want to affect the session state in any way).
227
228 Setting the kAuthorizationFlagPreAuthorize flag will pre authorize the requested rights so that at a later time -- by calling AuthorizationMakeExternalForm() follow by AuthorizationCreateFromExternalForm() -- the obtained rights can be used in a different process. Rights that can't be preauthorized will be treated as if they were authorized for the sake of returning an error (in other words if all rights are either authorized or could not be preauthorized this call will still succeed).
229 The rights which could not be preauthorized are not currently authorized and may fail to authorize when a later call to AuthorizationCopyRights() is made, unless the kAuthorizationFlagExtendRights and kAuthorizationFlagInteractionAllowed flags are set. Even then they might still fail if the user does not supply the correct credentials.
230 The reason for passing in this flag is to provide correct audit trail information and to avoid unnecessary user interaction.
231
232 @param rights (input/optional) An AuthorizationItemSet containing rights for which authorization is being requested. If none are specified the resulting AuthorizationRef will authorize nothing at all.
233 @param environment (input/optional) An AuthorizationItemSet containing environment state used when making the autorization decision. See the AuthorizationEnvironment type for details.
234 @param flags (input) options specified by the AuthorizationFlags enum. set all unused bits to zero to allow for future expansion.
235 @param authorization (output optional) A pointer to an AuthorizationRef to be returned. When the returned AuthorizationRef is no longer needed AuthorizationFree should be called to prevent anyone from using the aquired rights. If NULL is specified no new rights are returned, but the system will attempt to authorize all the requested rights and return the appropriate status.
236
237 @result errAuthorizationSuccess 0 authorization or all requested rights succeeded.
238
239 errAuthorizationDenied -60005 The authorization for one or more of the requested rights was denied.
240
241 errAuthorizationCanceled -60006 The authorization was cancelled by the user.
242
243 errAuthorizationInteractionNotAllowed -60007 The authorization was denied since no interaction with the user was allowed.
244 */
245 OSStatus AuthorizationCreate(const AuthorizationRights * __nullable rights,
246 const AuthorizationEnvironment * __nullable environment,
247 AuthorizationFlags flags,
248 AuthorizationRef __nullable * __nullable authorization);
249
250
251 /*!
252 @function AuthorizationFree
253 Destroy an AutorizationRef object. If the kAuthorizationFlagDestroyRights flag is passed,
254 any rights associated with the authorization are lost. Otherwise, only local resources
255 are released, and the rights may still be available to other clients.
256
257 Setting the kAuthorizationFlagDestroyRights flag will prevent any rights that were obtained by the specified authorization object to be preserved after returning from this API. This effectivaly locks down all potentially shared authorizations.
258
259 @param authorization (input) The authorization object on which this operation is performed.
260
261 @param flags (input) Bit mask of option flags to this call.
262
263 @result errAuthorizationSuccess 0 No error.
264
265 errAuthorizationInvalidRef -60002 The authorization parameter is invalid.
266 */
267 OSStatus AuthorizationFree(AuthorizationRef authorization, AuthorizationFlags flags);
268
269
270 /*!
271 @function AuthorizationCopyRights
272 Given a set of rights, return the subset that is currently authorized
273 by the AuthorizationRef given.
274
275 When the kAuthorizationFlagInteractionAllowed flag is set, user interaction will happen when required. Failing to set this flag will result in this call failing with a errAuthorizationInteractionNotAllowed status when interaction is required.
276
277 Setting the kAuthorizationFlagExtendRights flag will extend the currently available rights.
278
279 Setting the kAuthorizationFlagPartialRights flag will cause this call to succeed if only some of the requested rights are being granted by the returned AuthorizationRef. Unless this flag is set this API will fail if not all the requested rights could be obtained.
280
281 Setting the kAuthorizationFlagDestroyRights flag will prevent any additional rights obtained during this call from being preserved after returning from this API.
282
283 Setting the kAuthorizationFlagPreAuthorize flag will pre authorize the requested rights so that at a later time -- by calling AuthorizationMakeExternalForm() follow by AuthorizationCreateFromExternalForm() -- the obtained rights can be used in a different process. Rights that can't be preauthorized will be treated as if they were authorized for the sake of returning an error (in other words if all rights are either authorized or could not be preauthorized this call will still succeed), and they will be returned in authorizedRights with their kAuthorizationFlagCanNotPreAuthorize bit in the flags field set to 1.
284 The rights which could not be preauthorized are not currently authorized and may fail to authorize when a later call to AuthorizationCopyRights() is made, unless the kAuthorizationFlagExtendRights and kAuthorizationFlagInteractionAllowed flags are set. Even then they might still fail if the user does not supply the correct credentials.
285 The reason for passing in this flag is to provide correct audit trail information and to avoid unnecessary user interaction.
286
287 Setting the kAuthorizationFlagPreAuthorize flag will pre authorize the requested rights so that at a later time -- by calling AuthorizationMakeExternalForm() follow by AuthorizationCreateFromExternalForm() -- the obtained rights can be used in a different process. When this flags is specified rights that can't be preauthorized will be returned as if they were authorized with their kAuthorizationFlagCanNotPreAuthorize bit in the flags field set to 1. These rights are not currently authorized and may fail to authorize later unless kAuthorizationFlagExtendRights and kAuthorizationFlagInteractionAllowed flags are set when the actual authorization is done. And even then they might still fail if the user does not supply the correct credentials.
288
289 @param authorization (input) The authorization object on which this operation is performed.
290 @param rights (input) A rights set (see AuthorizationCreate).
291 @param environment (input/optional) An AuthorizationItemSet containing environment state used when making the autorization decision. See the AuthorizationEnvironment type for details.
292 @param flags (input) options specified by the AuthorizationFlags enum. set all unused bits to zero to allow for future expansion.
293 @param authorizedRights (output/optional) A pointer to a newly allocated AuthorizationInfoSet in which the authorized subset of rights are returned (authorizedRights should be deallocated by calling AuthorizationFreeItemSet() when it is no longer needed). If NULL the only information returned is the status. Note that if the kAuthorizationFlagPreAuthorize flag was specified rights that could not be preauthorized are returned in authorizedRights, but their flags contains the kAuthorizationFlagCanNotPreAuthorize bit.
294
295 @result errAuthorizationSuccess 0 No error.
296
297 errAuthorizationInvalidRef -60002 The authorization parameter is invalid.
298
299 errAuthorizationInvalidSet -60001 The rights parameter is invalid.
300
301 errAuthorizationInvalidPointer -60004 The authorizedRights parameter is invalid.
302 */
303 OSStatus AuthorizationCopyRights(AuthorizationRef authorization,
304 const AuthorizationRights *rights,
305 const AuthorizationEnvironment * __nullable environment,
306 AuthorizationFlags flags,
307 AuthorizationRights * __nullable * __nullable authorizedRights);
308
309
310 #ifdef __BLOCKS__
311
312 /*!
313 @typedef AuthorizationAsyncCallback
314 Callback block passed to AuthorizationCopyRightsAsync.
315
316 @param err (output) The result of the AuthorizationCopyRights call.
317 @param blockAuthorizedRights (output) The authorizedRights from the AuthorizationCopyRights call to be deallocated by calling AuthorizationFreeItemSet() when it is no longer needed.
318 */
319 typedef void (^AuthorizationAsyncCallback)(OSStatus err, AuthorizationRights * __nullable blockAuthorizedRights);
320
321 /*!
322 @function AuthorizationCopyRightsAsync
323 An asynchronous version of AuthorizationCopyRights.
324
325 @param callbackBlock (input) The callback block to be called upon completion.
326 */
327 void AuthorizationCopyRightsAsync(AuthorizationRef authorization,
328 const AuthorizationRights *rights,
329 const AuthorizationEnvironment * __nullable environment,
330 AuthorizationFlags flags,
331 AuthorizationAsyncCallback callbackBlock);
332
333
334 #endif /* __BLOCKS__ */
335
336
337 /*!
338 @function AuthorizationCopyInfo
339 Returns sideband information (e.g. access credentials) obtained from a call to AuthorizationCreate. The format of this data depends of the tag specified.
340
341 @param authorization (input) The authorization object on which this operation is performed.
342 @param tag (input/optional) An optional string tag specifing which sideband information should be returned. When NULL is specified all available information is returned.
343 @param info (output) A pointer to a newly allocated AuthorizationInfoSet in which the requested sideband infomation is returned (info should be deallocated by calling AuthorizationFreeItemSet() when it is no longer needed).
344
345 @result errAuthorizationSuccess 0 No error.
346
347 errAuthorizationInvalidRef -60002 The authorization parameter is invalid.
348
349 errAuthorizationInvalidTag -60003 The tag parameter is invalid.
350
351 errAuthorizationInvalidPointer -60004 The info parameter is invalid.
352 */
353 OSStatus AuthorizationCopyInfo(AuthorizationRef authorization,
354 AuthorizationString __nullable tag,
355 AuthorizationItemSet * __nullable * __nonnull info);
356
357
358 /*!
359 @function AuthorizationMakeExternalForm
360 Turn an Authorization into an external "byte blob" form so it can be
361 transmitted to another process.
362 Note that *storing* the external form somewhere will probably not do what
363 you want, since authorizations are bounded by sessions, processes, and possibly
364 time limits. This is for online transmission of authorizations.
365
366 @param authorization The (valid) authorization reference to externalize
367 @param extForm Pointer to an AuthorizationExternalForm variable to fill.
368
369 @result errAuthorizationSuccess 0 No error.
370
371 errAuthorizationExternalizeNotAllowed -60009 Externalizing this authorization is not allowed.
372
373 errAuthorizationInvalidRef -60002 The authorization parameter is invalid.
374
375
376 */
377 OSStatus AuthorizationMakeExternalForm(AuthorizationRef authorization,
378 AuthorizationExternalForm * __nonnull extForm);
379
380
381 /*!
382 @function AuthorizationCreateFromExternalForm
383 Internalize the external "byte blob" form of an authorization reference.
384
385 @param extForm Pointer to an AuthorizationExternalForm value.
386 @param authorization Will be filled with a valid AuthorizationRef on success.
387
388 @result errAuthorizationInternalizeNotAllowed -60010 Internalizing this authorization is not allowed.
389 */
390 OSStatus AuthorizationCreateFromExternalForm(const AuthorizationExternalForm *extForm,
391 AuthorizationRef __nullable * __nonnull authorization);
392
393
394 /*!
395 @function AuthorizationFreeItemSet
396 Release the memory allocated for an AuthorizationItemSet that was allocated
397 by an API call.
398
399 @param set The AuthorizationItemSet to deallocate.
400
401 @result errAuthorizationSuccess 0 No error.
402
403 errAuthorizationInvalidSet -60001 The set parameter is invalid.
404 */
405 OSStatus AuthorizationFreeItemSet(AuthorizationItemSet *set);
406
407
408 /*!
409 @function AuthorizationExecuteWithPrivileges
410 Run an executable tool with enhanced privileges after passing
411 suitable authorization procedures.
412
413 @param authorization An authorization reference that is used to authorize
414 access to the enhanced privileges. It is also passed to the tool for
415 further access control.
416 @param pathToTool Full pathname to the tool that should be executed
417 with enhanced privileges.
418 @param options Option bits (reserved). Must be zero.
419 @param arguments An argv-style vector of strings to be passed to the tool.
420 @param communicationsPipe Assigned a UNIX stdio FILE pointer for
421 a bidirectional pipe to communicate with the tool. The tool will have
422 this pipe as its standard I/O channels (stdin/stdout). If NULL, do not
423 establish a communications pipe.
424
425 @discussion This function has been deprecated and should no longer be used.
426 Use a launchd-launched helper tool and/or the Service Mangement framework
427 for this functionality.
428 */
429 OSStatus AuthorizationExecuteWithPrivileges(AuthorizationRef authorization,
430 const char *pathToTool,
431 AuthorizationFlags options,
432 char * __nonnull const * __nonnull arguments,
433 FILE * __nullable * __nullable communicationsPipe) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_1,__MAC_10_7,__IPHONE_NA,__IPHONE_NA);
434
435
436 /*!
437 @function AuthorizationCopyPrivilegedReference
438 From within a tool launched via the AuthorizationExecuteWithPrivileges function
439 ONLY, retrieve the AuthorizationRef originally passed to that function.
440 While AuthorizationExecuteWithPrivileges already verified the authorization to
441 launch your tool, the tool may want to avail itself of any additional pre-authorizations
442 the caller may have obtained through that reference.
443
444 @discussion This function has been deprecated and should no longer be used.
445 Use a launchd-launched helper tool and/or the Service Mangement framework
446 for this functionality.
447 */
448 OSStatus AuthorizationCopyPrivilegedReference(AuthorizationRef __nullable * __nonnull authorization,
449 AuthorizationFlags flags) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_1,__MAC_10_7,__IPHONE_NA,__IPHONE_NA);
450
451 CF_ASSUME_NONNULL_END
452
453 #if defined(__cplusplus)
454 }
455 #endif
456
457 #endif /* !_SECURITY_AUTHORIZATION_H_ */