+++ /dev/null
-/* Copyright (c) 2012-2013 Apple Inc. All Rights Reserved. */
-
-#include "rule.h"
-#include "authutilities.h"
-#include "mechanism.h"
-#include "crc.h"
-#include "debugging.h"
-#include "authitems.h"
-#include "process.h"
-
-#include <Security/AuthorizationDB.h>
-#include <Security/AuthorizationTagsPriv.h>
-#include "server.h"
-
-static void _sql_get_id(rule_t,authdb_connection_t);
-static RuleClass _get_cf_rule_class(CFTypeRef);
-static bool _copy_cf_rule_mechanisms(rule_t,CFTypeRef,authdb_connection_t);
-static bool _copy_cf_rule_delegations(rule_t, CFTypeRef,authdb_connection_t);
-
-#define kMaximumAuthorizationTries 10000
-
-#define RULE_ID "id"
-#define RULE_NAME "name"
-#define RULE_TYPE "type"
-#define RULE_CLASS "class"
-#define RULE_GROUP "group"
-#define RULE_KOFN "kofn"
-#define RULE_TIMEOUT "timeout"
-#define RULE_FLAGS "flags"
-#define RULE_TRIES "tries"
-#define RULE_COMMENT "comment"
-#define RULE_VERSION "version"
-#define RULE_CREATED "created"
-#define RULE_MODIFIED "modified"
-#define RULE_IDENTIFIER "identifier"
-#define RULE_REQUIREMENT "requirement"
-#define RULE_HASH "hash"
-
-struct _rule_s {
- __AUTH_BASE_STRUCT_HEADER__;
-
- auth_items_t data;
- CFMutableArrayRef mechanisms;
- CFMutableArrayRef delegations;
-
- CFMutableDictionaryRef loc_prompts;
- CFMutableDictionaryRef loc_buttons;
-
- CFDataRef requirement_data;
- SecRequirementRef requirement;
-};
-
-static void
-_rule_finalize(CFTypeRef value)
-{
- rule_t rule = (rule_t)value;
- CFReleaseSafe(rule->data);
- CFReleaseSafe(rule->mechanisms);
- CFReleaseSafe(rule->delegations);
- CFReleaseSafe(rule->loc_prompts);
- CFReleaseSafe(rule->loc_buttons);
- CFReleaseSafe(rule->requirement_data);
- CFReleaseSafe(rule->requirement);
-}
-
-static Boolean
-_rule_equal(CFTypeRef value1, CFTypeRef value2)
-{
- rule_t rule1 = (rule_t)value1;
- rule_t rule2 = (rule_t)value2;
-
- return strcasecmp(rule_get_name(rule1), rule_get_name(rule2)) == 0;
-}
-
-static CFStringRef
-_rule_copy_description(CFTypeRef value)
-{
- rule_t rule = (rule_t)value;
- CFMutableStringRef str = CFStringCreateMutable(kCFAllocatorDefault, 0);
- CFStringRef tmp = CFCopyDescription(rule->data);
- CFStringAppend(str, tmp);
- CFReleaseNull(tmp);
- tmp = CFCopyDescription(rule->mechanisms);
- CFStringAppend(str, tmp);
- CFReleaseNull(tmp);
- tmp = CFCopyDescription(rule->delegations);
- CFStringAppend(str, tmp);
- CFReleaseNull(tmp);
- return str;
-}
-
-static CFHashCode
-_rule_hash(CFTypeRef value)
-{
- rule_t rule = (rule_t)value;
- const char * str = rule_get_name(rule);
- return crc64(str, strlen(str));
-}
-
-AUTH_TYPE_INSTANCE(rule,
- .init = NULL,
- .copy = NULL,
- .finalize = _rule_finalize,
- .equal = _rule_equal,
- .hash = _rule_hash,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = _rule_copy_description
- );
-
-static CFTypeID rule_get_type_id() {
- static CFTypeID type_id = _kCFRuntimeNotATypeID;
- static dispatch_once_t onceToken;
-
- dispatch_once(&onceToken, ^{
- type_id = _CFRuntimeRegisterClass(&_auth_type_rule);
- });
-
- return type_id;
-}
-
-static rule_t
-_rule_create()
-{
- rule_t rule = (rule_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, rule_get_type_id(), AUTH_CLASS_SIZE(rule), NULL);
- require(rule != NULL, done);
-
- rule->data = auth_items_create();
- rule->delegations = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- rule->mechanisms = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
-
-done:
- return rule;
-}
-
-static rule_t
-_rule_create_with_sql(auth_items_t sql)
-{
- rule_t rule = NULL;
- require(sql != NULL, done);
-
- rule = _rule_create();
- require(rule != NULL, done);
-
- auth_items_copy(rule->data, sql);
-
-done:
- return rule;
-}
-
-rule_t
-rule_create_default()
-{
- rule_t rule = _rule_create();
- require(rule != NULL, done);
-
- auth_items_set_int64(rule->data, RULE_TYPE, RT_RIGHT);
- auth_items_set_string(rule->data, RULE_NAME, "(default)");
- auth_items_set_int64(rule->data, RULE_CLASS, RC_USER);
- auth_items_set_string(rule->data, RULE_GROUP, "admin");
- auth_items_set_int64(rule->data, RULE_TIMEOUT, 300);
- auth_items_set_int64(rule->data, RULE_TRIES, kMaximumAuthorizationTries);
- auth_items_set_int64(rule->data, RULE_FLAGS, RuleFlagShared | RuleFlagAuthenticateUser);
-
- mechanism_t mech = mechanism_create_with_string("builtin:authenticate", NULL);
- CFArrayAppendValue(rule->mechanisms, mech);
- CFReleaseNull(mech);
-
- mech = mechanism_create_with_string("builtin:reset-password,privileged", NULL);
- CFArrayAppendValue(rule->mechanisms, mech);
- CFReleaseNull(mech);
-
- mech = mechanism_create_with_string("builtin:authenticate,privileged", NULL);
- CFArrayAppendValue(rule->mechanisms, mech);
- CFReleaseNull(mech);
-
- mech = mechanism_create_with_string("PKINITMechanism:auth,privileged", NULL);
- CFArrayAppendValue(rule->mechanisms, mech);
- CFReleaseNull(mech);
-
-done:
- return rule;
-}
-
-rule_t
-rule_create_with_string(const char * str, authdb_connection_t dbconn)
-{
- rule_t rule = NULL;
- require(str != NULL, done);
-
- rule = _rule_create();
- require(rule != NULL, done);
-
- auth_items_set_string(rule->data, RULE_NAME, str);
-
- if (dbconn) {
- rule_sql_fetch(rule, dbconn);
- }
-
-done:
- return rule;
-}
-
-static void _set_data_string(rule_t rule, const char * key, CFStringRef str)
-{
- char * tmpStr = _copy_cf_string(str, NULL);
-
- if (tmpStr) {
- auth_items_set_string(rule->data, key, tmpStr);
- free_safe(tmpStr);
- }
-}
-
-rule_t
-rule_create_with_plist(RuleType type, CFStringRef name, CFDictionaryRef plist, authdb_connection_t dbconn)
-{
- rule_t rule = NULL;
- require(name != NULL, done);
- require(plist != NULL, done);
-
- rule = _rule_create();
- require(rule != NULL, done);
-
- _set_data_string(rule, RULE_NAME, name);
- require_action(rule_get_name(rule) != NULL, done, CFReleaseSafe(rule));
-
- _sql_get_id(rule, dbconn);
-
- auth_items_set_int64(rule->data, RULE_TYPE, type);
-
- auth_items_set_int64(rule->data, RULE_CLASS, _get_cf_rule_class(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleClass))));
- _set_data_string(rule, RULE_COMMENT, CFDictionaryGetValue(plist, CFSTR(kAuthorizationComment)));
-
-
- CFTypeRef loc_tmp = CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterDefaultPrompt));
- if (loc_tmp) {
- rule->loc_prompts = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, loc_tmp);
- }
- loc_tmp = CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterDefaultButton));
- if (loc_tmp) {
- rule->loc_buttons = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, loc_tmp);
- }
-
- auth_items_set_int64(rule->data, RULE_VERSION, _get_cf_int(CFDictionaryGetValue(plist, CFSTR("version")), 0));
-
- RuleFlags flags = 0;
-
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterEntitled)), false)) {
- flags |= RuleFlagEntitled;
- }
-
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterRequireAppleSigned)), false)) {
- flags |= RuleFlagRequireAppleSigned;
- }
-
- switch (rule_get_class(rule)) {
- case RC_USER:
- _set_data_string(rule, RULE_GROUP, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterGroup)));
- auth_items_set_int64(rule->data, RULE_TIMEOUT, _get_cf_int(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialTimeout)), INT32_MAX));
- auth_items_set_int64(rule->data, RULE_TRIES, _get_cf_int(CFDictionaryGetValue(plist, CFSTR("tries")), kMaximumAuthorizationTries));
-
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialShared)), false)) {
- flags |= RuleFlagShared;
- }
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterAllowRoot)), false)) {
- flags |= RuleFlagAllowRoot;
- }
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialSessionOwner)), false)) {
- flags |= RuleFlagSessionOwner;
- }
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterAuthenticateUser)), true)) {
- flags |= RuleFlagAuthenticateUser;
- }
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterExtractPassword)), false)) {
- flags |= RuleFlagExtractPassword;
- }
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterEntitledAndGroup)), false)) {
- flags |= RuleFlagEntitledAndGroup;
- }
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterVPNEntitledAndGroup)), false)) {
- flags |= RuleFlagVPNEntitledAndGroup;
- }
-
- _copy_cf_rule_mechanisms(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterMechanisms)), dbconn);
-
- break;
- case RC_RULE:
- auth_items_set_int64(rule->data, RULE_KOFN, _get_cf_int(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterKofN)), 0));
-
- _copy_cf_rule_delegations(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRightRule)), dbconn);
- break;
- case RC_MECHANISM:
- auth_items_set_int64(rule->data, RULE_TRIES, _get_cf_int(CFDictionaryGetValue(plist, CFSTR("tries")), kMaximumAuthorizationTries));
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterCredentialShared)), true)) {
- flags |= RuleFlagShared;
- }
- if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterExtractPassword)), false)) {
- flags |= RuleFlagExtractPassword;
- }
-
- _copy_cf_rule_mechanisms(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterMechanisms)), dbconn);
-
- break;
- case RC_DENY:
- break;
- case RC_ALLOW:
- break;
- default:
- LOGD("rule: invalid rule class");
- break;
- }
-
- auth_items_set_int64(rule->data, RULE_FLAGS, flags);
-
-done:
- return rule;
-}
-
-static void
-_sql_get_id(rule_t rule, authdb_connection_t dbconn)
-{
- authdb_step(dbconn, "SELECT id,created,identifier,requirement FROM rules WHERE name = ? LIMIT 1",
- ^(sqlite3_stmt *stmt) {
- sqlite3_bind_text(stmt, 1, rule_get_name(rule), -1, NULL);
- }, ^bool(auth_items_t data) {
- auth_items_copy(rule->data, data);
- return true;
- });
-}
-
-static bool
-_copy_cf_rule_delegations(rule_t rule, CFTypeRef value, authdb_connection_t dbconn)
-{
- bool result = false;
- char * tmp_str = NULL;
- require(value != NULL, done);
-
- if (CFGetTypeID(value) == CFStringGetTypeID()) {
- tmp_str = _copy_cf_string(value, NULL);
- rule_t delegate = rule_create_with_string(tmp_str, dbconn);
- free_safe(tmp_str);
- if (delegate) {
- CFArrayAppendValue(rule->delegations, delegate);
- CFReleaseSafe(delegate);
- }
- } else { //array
- CFIndex count = CFArrayGetCount(value);
- for (CFIndex i = 0; i < count; i++) {
- tmp_str = _copy_cf_string(CFArrayGetValueAtIndex(value,i), NULL);
- rule_t delegate = rule_create_with_string(tmp_str, dbconn);
- free_safe(tmp_str);
- if (delegate) {
- CFArrayAppendValue(rule->delegations, delegate);
- CFReleaseSafe(delegate);
- }
- }
- }
-
- result = true;
-
-done:
- return result;
-}
-
-static bool
-_copy_cf_rule_mechanisms(rule_t rule, CFTypeRef array, authdb_connection_t dbconn)
-{
- bool result = false;
- require(array != NULL, done);
- require(CFGetTypeID(array) == CFArrayGetTypeID(), done);
-
- CFIndex count = CFArrayGetCount(array);
- for (CFIndex i = 0; i < count; i++) {
- mechanism_t mech = NULL;
- char * string = _copy_cf_string(CFArrayGetValueAtIndex(array, i), NULL);
-
- if (!string)
- continue;
-
- mech = mechanism_create_with_string(string, dbconn);
- if (mech) {
- CFArrayAppendValue(rule->mechanisms, mech);
- CFReleaseSafe(mech);
- }
- free(string);
- }
-
- result = true;
-
-done:
- return result;
-}
-
-static RuleClass
-_get_cf_rule_class(CFTypeRef str)
-{
- RuleClass rc = RC_RULE;
- require(str != NULL, done);
- require(CFGetTypeID(str) == CFStringGetTypeID(), done);
-
- if (CFEqual(str, CFSTR(kAuthorizationRuleClassUser)))
- return RC_USER;
-
- if (CFEqual(str, CFSTR(kAuthorizationRightRule)))
- return RC_RULE;
-
- if (CFEqual(str, CFSTR(kAuthorizationRuleClassMechanisms)))
- return RC_MECHANISM;
-
- if (CFEqual(str, CFSTR(kAuthorizationRuleClassDeny)))
- return RC_DENY;
-
- if (CFEqual(str, CFSTR(kAuthorizationRuleClassAllow)))
- return RC_ALLOW;
-
-done:
- return rc;
-}
-
-static bool
-_sql_bind(rule_t rule, sqlite3_stmt * stmt)
-{
- int64_t n;
- int32_t rc = 0;
- require(stmt != NULL, err);
-
- int32_t column = 1;
- rc = sqlite3_bind_text(stmt, column++, rule_get_name(rule), -1, NULL);
- require_noerr(rc, err);
- rc = sqlite3_bind_int(stmt, column++, rule_get_type(rule));
- require_noerr(rc, err);
- rc = sqlite3_bind_int(stmt, column++, rule_get_class(rule));
- require_noerr(rc, err);
-
- switch (rule_get_class(rule)) {
- case RC_USER:
- rc = sqlite3_bind_text(stmt, column++, rule_get_group(rule), -1, NULL);
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // kofn
- require_noerr(rc, err);
- rc = sqlite3_bind_int64(stmt, column++, rule_get_timeout(rule));
- require_noerr(rc, err);
- rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
- require_noerr(rc, err);
- rc = sqlite3_bind_int64(stmt, column++, rule_get_tries(rule));
- require_noerr(rc, err);
- break;
- case RC_RULE:
- rc = sqlite3_bind_null(stmt, column++); // group
- require_noerr(rc, err);
- n = rule_get_kofn(rule);
- if (n) {
- rc = sqlite3_bind_int64(stmt, column++, n);
- } else {
- rc = sqlite3_bind_null(stmt, column++);
- }
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // timeout
- require_noerr(rc, err);
- rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // tries
- require_noerr(rc, err);
- break;
- case RC_MECHANISM:
- rc = sqlite3_bind_null(stmt, column++); // group
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // kofn
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // timeout
- require_noerr(rc, err);
- rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
- require_noerr(rc, err);
- rc = sqlite3_bind_int64(stmt, column++, rule_get_tries(rule));
- require_noerr(rc, err);
- break;
- case RC_DENY:
- case RC_ALLOW:
- rc = sqlite3_bind_null(stmt, column++); // group
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // kofn
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // timeout
- require_noerr(rc, err);
- rc = sqlite3_bind_int64(stmt, column++, auth_items_get_int64(rule->data, RULE_FLAGS));
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // tries
- require_noerr(rc, err);
- break;
- default:
- LOGD("rule: sql bind, invalid rule class");
- break;
- }
-
- rc = sqlite3_bind_int64(stmt, column++, rule_get_version(rule)); // version
- require_noerr(rc, err);
- rc = sqlite3_bind_double(stmt, column++, rule_get_created(rule)); // created
- require_noerr(rc, err);
- rc = sqlite3_bind_double(stmt, column++, rule_get_modified(rule)); // modified
- require_noerr(rc, err);
- rc = sqlite3_bind_null(stmt, column++); // hash
- require_noerr(rc, err);
- rc = sqlite3_bind_text(stmt, column++, rule_get_identifier(rule), -1, NULL);
- require_noerr(rc, err);
-
- CFDataRef data = rule_get_requirment_data(rule);
- if (data) {
- rc = sqlite3_bind_blob(stmt, column++, CFDataGetBytePtr(data), (int32_t)CFDataGetLength(data), NULL);
- } else {
- rc = sqlite3_bind_null(stmt, column++);
- }
- require_noerr(rc, err);
-
- rc = sqlite3_bind_text(stmt, column++, rule_get_comment(rule), -1, NULL);
- require_noerr(rc, err);
-
- return true;
-
-err:
- LOGD("rule: sql bind, error %i", rc);
- return false;
-}
-
-static void
-_get_sql_mechanisms(rule_t rule, authdb_connection_t dbconn)
-{
- CFArrayRemoveAllValues(rule->mechanisms);
-
- authdb_step(dbconn, "SELECT mechanisms.* " \
- "FROM mechanisms " \
- "JOIN mechanisms_map ON mechanisms.id = mechanisms_map.m_id " \
- "WHERE mechanisms_map.r_id = ? ORDER BY mechanisms_map.ord ASC",
- ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, ^bool(auth_items_t data) {
- mechanism_t mechanism = mechanism_create_with_sql(data);
- CFArrayAppendValue(rule->mechanisms, mechanism);
- CFReleaseSafe(mechanism);
- return true;
- });
-}
-
-static void
-_get_sql_delegates(rule_t rule, authdb_connection_t dbconn)
-{
- CFArrayRemoveAllValues(rule->delegations);
-
- authdb_step(dbconn, "SELECT rules.* " \
- "FROM rules " \
- "JOIN delegates_map ON rules.id = delegates_map.d_id " \
- "WHERE delegates_map.r_id = ? ORDER BY delegates_map.ord ASC",
- ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, ^bool(auth_items_t data) {
- rule_t delegate = _rule_create_with_sql(data);
- if (delegate) {
- _get_sql_mechanisms(delegate, dbconn);
-
- if (rule_get_class(rule) == RC_RULE) {
- _get_sql_delegates(delegate, dbconn);
- }
-
- CFArrayAppendValue(rule->delegations, delegate);
- CFReleaseSafe(delegate);
- }
- return true;
- });
-}
-
-bool
-rule_sql_fetch(rule_t rule, authdb_connection_t dbconn)
-{
- __block bool result = false;
-
- authdb_step(dbconn, "SELECT * FROM rules WHERE name = ? LIMIT 1",
- ^(sqlite3_stmt *stmt) {
- sqlite3_bind_text(stmt, 1, rule_get_name(rule), -1, NULL);
- }, ^bool(auth_items_t data) {
- result = true;
- auth_items_copy(rule->data, data);
- return true;
- });
-
- if (rule_get_id(rule) != 0) {
- _get_sql_mechanisms(rule,dbconn);
-
- if (rule_get_class(rule) == RC_RULE) {
- _get_sql_delegates(rule, dbconn);
- }
- }
-
- return result;
-}
-
-static bool
-_sql_update(rule_t rule, authdb_connection_t dbconn)
-{
- bool result = false;
-
- result = authdb_step(dbconn, "UPDATE rules " \
- "SET name=?,type=?,class=?,'group'=?,kofn=?,timeout=?,flags=?,tries=?,version=?,created=?,modified=?,hash=?,identifier=?,requirement=?,comment=? " \
- "WHERE id = ?",
- ^(sqlite3_stmt *stmt) {
- _sql_bind(rule, stmt);
- sqlite3_bind_int64(stmt, sqlite3_bind_parameter_count(stmt), rule_get_id(rule));
- }, NULL);
- return result;
-}
-
-static bool
-_sql_insert(rule_t rule, authdb_connection_t dbconn)
-{
- bool result = false;
-
- result = authdb_step(dbconn, "INSERT INTO rules VALUES (NULL,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
- ^(sqlite3_stmt *stmt) {
- _sql_bind(rule, stmt);
- }, NULL);
- return result;
-}
-
-static bool
-_sql_commit_mechanisms_map(rule_t rule, authdb_connection_t dbconn)
-{
- bool result = false;
-
- result = authdb_step(dbconn, "DELETE FROM mechanisms_map WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, NULL);
- require(result == true, done);
-
- CFIndex count = CFArrayGetCount(rule->mechanisms);
- for(CFIndex i = 0; i < count; i++) {
- mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
- result = authdb_step(dbconn, "INSERT INTO mechanisms_map VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- sqlite3_bind_int64(stmt, 2, mechanism_get_id(mech));
- sqlite3_bind_int64(stmt, 3, i);
- }, NULL);
- require(result == true, done);
- }
-
-done:
- return result;
-}
-
-static bool
-_sql_commit_delegates_map(rule_t rule, authdb_connection_t dbconn)
-{
- bool result = false;
-
- result = authdb_step(dbconn, "DELETE FROM delegates_map WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, NULL);
- require(result == true, done);
-
- CFIndex count = CFArrayGetCount(rule->delegations);
- for(CFIndex i = 0; i < count; i++) {
- rule_t delegate = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
- result = authdb_step(dbconn, "INSERT INTO delegates_map VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- sqlite3_bind_int64(stmt, 2, rule_get_id(delegate));
- sqlite3_bind_int64(stmt, 3, i);
- }, NULL);
- require(result == true, done);
- }
-
-done:
- return result;
-}
-
-static void
-_sql_commit_localization(rule_t rule, authdb_connection_t dbconn)
-{
-
- authdb_step(dbconn, "DELETE FROM prompts WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, NULL);
-
- authdb_step(dbconn, "DELETE FROM buttons WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, NULL);
-
- if (rule->loc_prompts) {
- _cf_dictionary_iterate(rule->loc_prompts, ^bool(CFTypeRef key, CFTypeRef value) {
- char * lang = _copy_cf_string(key, NULL);
- char * str = _copy_cf_string(value, NULL);
-
- authdb_step(dbconn, "INSERT INTO prompts VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- sqlite3_bind_text(stmt, 2, lang, -1, NULL);
- sqlite3_bind_text(stmt, 3, str, -1, NULL);
- }, NULL);
-
- free_safe(lang);
- free_safe(str);
-
- return true;
- });
- }
-
- if (rule->loc_buttons) {
- _cf_dictionary_iterate(rule->loc_buttons, ^bool(CFTypeRef key, CFTypeRef value) {
- char * lang = _copy_cf_string(key, NULL);
- char * str = _copy_cf_string(value, NULL);
-
- authdb_step(dbconn, "INSERT INTO buttons VALUES (?,?,?)", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- sqlite3_bind_text(stmt, 2, lang, -1, NULL);
- sqlite3_bind_text(stmt, 3, str, -1, NULL);
- }, NULL);
-
- free_safe(lang);
- free_safe(str);
- return true;
- });
- }
-
-}
-
-bool
-rule_sql_commit(rule_t rule, authdb_connection_t dbconn, CFAbsoluteTime modified, process_t proc)
-{
- bool result = false;
- // type and class required else rule is name only?
- RuleClass rule_class = rule_get_class(rule);
- require(rule_get_type(rule) != 0, done);
- require(rule_class != 0, done);
-
- CFIndex mechCount = 0;
- if (rule_class == RC_USER || rule_class == RC_MECHANISM) {
- // Validate mechanisms
- mechCount = CFArrayGetCount(rule->mechanisms);
- for (CFIndex i = 0; i < mechCount; i++) {
- mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
- if (mechanism_get_id(mech) == 0) {
- if (!mechanism_sql_fetch(mech, dbconn)) {
- mechanism_sql_commit(mech, dbconn);
- mechanism_sql_fetch(mech, dbconn);
- }
- }
- if (!mechanism_exists(mech)) {
- LOGE("Warning mechanism not found on disk %s during import of %s", mechanism_get_string(mech), rule_get_name(rule));
- }
- require_action(mechanism_get_id(mech) != 0, done, LOGE("rule: commit, invalid mechanism %s:%s for %s", mechanism_get_plugin(mech), mechanism_get_param(mech), rule_get_name(rule)));
- }
- }
-
- CFIndex delegateCount = 0;
- if (rule_class == RC_RULE) {
- // Validate delegates
- delegateCount = CFArrayGetCount(rule->delegations);
- for (CFIndex i = 0; i < delegateCount; i++) {
- rule_t delegate = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
- if (rule_get_id(delegate) == 0) {
- rule_sql_fetch(delegate, dbconn);
- }
- require_action(rule_get_id(delegate) != 0, done, LOGE("rule: commit, missing delegate %s for %s", rule_get_name(delegate), rule_get_name(rule)));
- }
- }
-
- auth_items_set_double(rule->data, RULE_MODIFIED, modified);
-
- result = authdb_transaction(dbconn, AuthDBTransactionNormal, ^bool{
- bool update = false;
-
- if (rule_get_id(rule)) {
- update = _sql_update(rule, dbconn);
- } else {
- if (proc) {
- const char * ident = process_get_identifier(proc);
- if (ident) {
- auth_items_set_string(rule->data, RULE_IDENTIFIER, ident);
- }
- CFDataRef req = process_get_requirement_data(proc);
- if (req) {
- auth_items_set_data(rule->data, RULE_REQUIREMENT, CFDataGetBytePtr(req), (size_t)CFDataGetLength(req));
- }
- }
- auth_items_set_double(rule->data, RULE_CREATED, modified);
- update = _sql_insert(rule, dbconn);
- _sql_get_id(rule, dbconn);
- }
-
- _sql_commit_localization(rule, dbconn);
-
- if (update) {
- update = _sql_commit_mechanisms_map(rule, dbconn);
- }
-
- if (update) {
- update = _sql_commit_delegates_map(rule,dbconn);
- }
-
- return update;
- });
-
-
-done:
- if (!result) {
- LOGV("rule: commit, failed for %s (%llu)", rule_get_name(rule), rule_get_id(rule));
- }
- return result;
-}
-
-bool
-rule_sql_remove(rule_t rule, authdb_connection_t dbconn)
-{
- bool result = false;
- int64_t id = rule_get_id(rule);
-
- if (id == 0) {
- rule_sql_fetch(rule, dbconn);
- id = rule_get_id(rule);
- require(id != 0, done);
- }
-
- result = authdb_step(dbconn, "DELETE FROM rules WHERE id = ?",
- ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, id);
- }, NULL);
-done:
- return result;
-}
-
-CFMutableDictionaryRef
-rule_copy_to_cfobject(rule_t rule, authdb_connection_t dbconn) {
- CFMutableDictionaryRef dict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- CFTypeRef tmp = NULL;
- CFMutableArrayRef array = NULL;
- CFIndex count = 0;
- CFIndex i = 0;
- int64_t n;
- double d;
-
- const char * comment = rule_get_comment(rule);
- if (comment) {
- tmp = CFStringCreateWithCString(kCFAllocatorDefault, comment, kCFStringEncodingUTF8);
- CFDictionarySetValue(dict, CFSTR(kAuthorizationComment), tmp);
- CFReleaseSafe(tmp);
- }
-
- n = rule_get_version(rule);
- tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
- CFDictionarySetValue(dict, CFSTR(RULE_VERSION), tmp);
- CFReleaseSafe(tmp);
-
- d = rule_get_created(rule);
- tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberFloat64Type, &d);
- CFDictionarySetValue(dict, CFSTR(RULE_CREATED), tmp);
- CFReleaseSafe(tmp);
-
- d = rule_get_modified(rule);
- tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberFloat64Type, &d);
- CFDictionarySetValue(dict, CFSTR(RULE_MODIFIED), tmp);
- CFReleaseSafe(tmp);
-
- const char * identifier = rule_get_identifier(rule);
- if (identifier) {
- tmp = CFStringCreateWithCString(kCFAllocatorDefault, identifier, kCFStringEncodingUTF8);
- CFDictionarySetValue(dict, CFSTR(RULE_IDENTIFIER), tmp);
- CFReleaseSafe(tmp);
- }
-
- SecRequirementRef req = rule_get_requirment(rule);
- if (req) {
- CFStringRef reqStr = NULL;
- SecRequirementCopyString(req, kSecCSDefaultFlags, &reqStr);
- if (reqStr) {
- CFDictionarySetValue(dict, CFSTR(RULE_REQUIREMENT), reqStr);
- CFReleaseSafe(reqStr);
- }
- }
-
- if (rule_check_flags(rule, RuleFlagEntitled)) {
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterEntitled), kCFBooleanTrue);
- }
-
- if (rule_check_flags(rule, RuleFlagRequireAppleSigned)) {
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterRequireAppleSigned), kCFBooleanTrue);
- }
-
- if (rule_get_type(rule) == RT_RIGHT) {
- CFMutableDictionaryRef prompts = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- authdb_step(dbconn, "SELECT * FROM prompts WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, ^bool(auth_items_t data) {
- CFStringRef key = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "lang"), kCFStringEncodingUTF8);
- CFStringRef value = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "value"), kCFStringEncodingUTF8);
- CFDictionaryAddValue(prompts, key, value);
- CFReleaseSafe(key);
- CFReleaseSafe(value);
- return true;
- });
-
- if (CFDictionaryGetCount(prompts)) {
- CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterDefaultPrompt), prompts);
- }
- CFReleaseSafe(prompts);
-
- CFMutableDictionaryRef buttons = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- authdb_step(dbconn, "SELECT * FROM buttons WHERE r_id = ?", ^(sqlite3_stmt *stmt) {
- sqlite3_bind_int64(stmt, 1, rule_get_id(rule));
- }, ^bool(auth_items_t data) {
- CFStringRef key = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "lang"), kCFStringEncodingUTF8);
- CFStringRef value = CFStringCreateWithCString(kCFAllocatorDefault, auth_items_get_string(data, "value"), kCFStringEncodingUTF8);
- CFDictionaryAddValue(buttons, key, value);
- CFReleaseSafe(key);
- CFReleaseSafe(value);
- return true;
- });
-
- if (CFDictionaryGetCount(buttons)) {
- CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterDefaultButton), buttons);
- }
- CFReleaseSafe(buttons);
- }
-
- switch (rule_get_class(rule)) {
- case RC_USER:
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassUser));
-
- const char * group = rule_get_group(rule);
- if (group) {
- tmp = CFStringCreateWithCString(kCFAllocatorDefault, group, kCFStringEncodingUTF8);
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterGroup), tmp);
- CFReleaseSafe(tmp);
- }
-
- n = rule_get_timeout(rule);
- tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialTimeout), tmp);
- CFReleaseSafe(tmp);
-
- n = rule_get_tries(rule);
- tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
- CFDictionarySetValue(dict, CFSTR("tries"), tmp);
- CFReleaseSafe(tmp);
-
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialShared), rule_get_shared(rule) ? kCFBooleanTrue : kCFBooleanFalse);
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterAllowRoot), rule_get_allow_root(rule) ? kCFBooleanTrue : kCFBooleanFalse);
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialSessionOwner), rule_get_session_owner(rule) ? kCFBooleanTrue : kCFBooleanFalse);
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterAuthenticateUser), rule_get_authenticate_user(rule) ? kCFBooleanTrue : kCFBooleanFalse);
- if (rule_check_flags(rule, RuleFlagEntitledAndGroup)) {
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterEntitledAndGroup), kCFBooleanTrue);
- }
- if (rule_check_flags(rule, RuleFlagVPNEntitledAndGroup)) {
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterVPNEntitledAndGroup), kCFBooleanTrue);
- }
- if (rule_get_extract_password(rule)) {
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterExtractPassword), kCFBooleanTrue);
- }
-
- count = CFArrayGetCount(rule->mechanisms);
- if (count) {
- array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- for (i = 0; i < count; i++) {
- mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
- tmp = CFStringCreateWithCString(kCFAllocatorDefault, mechanism_get_string(mech), kCFStringEncodingUTF8);
- CFArrayAppendValue(array, tmp);
- CFReleaseSafe(tmp);
- }
- CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterMechanisms), array);
- CFRelease(array);
- }
- break;
- case RC_RULE:
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRightRule));
- int64_t kofn = rule_get_kofn(rule);
- if (kofn) {
- tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &kofn);
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterKofN), tmp);
- CFReleaseSafe(tmp);
- }
-
- count = CFArrayGetCount(rule->delegations);
- if (count) {
- array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- for (i = 0; i < count; i++) {
- rule_t delegate = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
- tmp = CFStringCreateWithCString(kCFAllocatorDefault, rule_get_name(delegate), kCFStringEncodingUTF8);
- CFArrayAppendValue(array, tmp);
- CFReleaseSafe(tmp);
- }
- CFDictionaryAddValue(dict, CFSTR(kAuthorizationRightRule), array);
- CFRelease(array);
- }
- break;
- case RC_MECHANISM:
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassMechanisms));
-
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterCredentialShared), rule_get_shared(rule) ? kCFBooleanTrue : kCFBooleanFalse);
- if (rule_get_extract_password(rule)) {
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterExtractPassword), kCFBooleanTrue);
- }
-
- n = rule_get_tries(rule);
- tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n);
- CFDictionarySetValue(dict, CFSTR("tries"), tmp);
- CFReleaseSafe(tmp);
-
- count = CFArrayGetCount(rule->mechanisms);
- if (count) {
- array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- for (i = 0; i < count; i++) {
- mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
- tmp = CFStringCreateWithCString(kCFAllocatorDefault, mechanism_get_string(mech), kCFStringEncodingUTF8);
- CFArrayAppendValue(array, tmp);
- CFReleaseSafe(tmp);
- }
- CFDictionaryAddValue(dict, CFSTR(kAuthorizationRuleParameterMechanisms), array);
- CFRelease(array);
- }
- break;
- case RC_DENY:
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassDeny));
- break;
- case RC_ALLOW:
- CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleClass), CFSTR(kAuthorizationRuleClassAllow));
- break;
- default:
- break;
- }
-
- return dict;
-}
-
-
-CFArrayRef
-rule_get_mechanisms(rule_t rule)
-{
- return rule->mechanisms;
-}
-
-size_t
-rule_get_mechanisms_count(rule_t rule)
-{
- return (size_t)CFArrayGetCount(rule->mechanisms);
-}
-
-bool
-rule_mechanisms_iterator(rule_t rule, mechanism_iterator_t iter)
-{
- bool result = false;
-
- CFIndex count = CFArrayGetCount(rule->mechanisms);
- for (CFIndex i = 0; i < count; i++) {
- mechanism_t mech = (mechanism_t)CFArrayGetValueAtIndex(rule->mechanisms, i);
- result = iter(mech);
- if (!result) {
- break;
- }
- }
-
- return result;
-}
-
-size_t
-rule_get_delegates_count(rule_t rule)
-{
- return (size_t)CFArrayGetCount(rule->delegations);
-}
-
-bool
-rule_delegates_iterator(rule_t rule, delegate_iterator_t iter)
-{
- bool result = false;
-
- CFIndex count = CFArrayGetCount(rule->delegations);
- for (CFIndex i = 0; i < count; i++) {
- rule_t tmp = (rule_t)CFArrayGetValueAtIndex(rule->delegations, i);
- result = iter(tmp);
- if (!result) {
- break;
- }
- }
-
- return result;
-}
-
-int64_t
-rule_get_id(rule_t rule)
-{
- return auth_items_get_int64(rule->data, RULE_ID);
-}
-
-const char *
-rule_get_name(rule_t rule)
-{
- return auth_items_get_string(rule->data, RULE_NAME);
-}
-
-RuleType
-rule_get_type(rule_t rule)
-{
- return (RuleType)auth_items_get_int64(rule->data, RULE_TYPE);
-}
-
-RuleClass
-rule_get_class(rule_t rule)
-{
- return (RuleClass)auth_items_get_int64(rule->data, RULE_CLASS);
-}
-
-const char *
-rule_get_group(rule_t rule)
-{
- return auth_items_get_string(rule->data, RULE_GROUP);
-}
-
-int64_t
-rule_get_kofn(rule_t rule)
-{
- return auth_items_get_int64(rule->data, RULE_KOFN);
-}
-
-int64_t
-rule_get_timeout(rule_t rule)
-{
- return auth_items_get_int64(rule->data, RULE_TIMEOUT);
-}
-
-bool
-rule_check_flags(rule_t rule, RuleFlags flags)
-{
- return (auth_items_get_int64(rule->data, RULE_FLAGS) & flags) != 0;
-}
-
-bool
-rule_get_shared(rule_t rule)
-{
- return rule_check_flags(rule, RuleFlagShared);
-}
-
-bool
-rule_get_allow_root(rule_t rule)
-{
- return rule_check_flags(rule, RuleFlagAllowRoot);
-}
-
-bool
-rule_get_session_owner(rule_t rule)
-{
- return rule_check_flags(rule, RuleFlagSessionOwner);
-}
-
-bool
-rule_get_authenticate_user(rule_t rule)
-{
- return rule_check_flags(rule, RuleFlagAuthenticateUser);
-}
-
-bool
-rule_get_extract_password(rule_t rule)
-{
- return rule_check_flags(rule, RuleFlagExtractPassword);
-}
-
-int64_t
-rule_get_tries(rule_t rule)
-{
- return auth_items_get_int64(rule->data, RULE_TRIES);
-}
-
-const char *
-rule_get_comment(rule_t rule)
-{
- return auth_items_get_string(rule->data, RULE_COMMENT);
-}
-
-int64_t
-rule_get_version(rule_t rule)
-{
- return auth_items_get_int64(rule->data, RULE_VERSION);
-}
-
-double rule_get_created(rule_t rule)
-{
- return auth_items_get_double(rule->data, RULE_CREATED);
-}
-
-double rule_get_modified(rule_t rule)
-{
- return auth_items_get_double(rule->data, RULE_MODIFIED);
-}
-
-const char * rule_get_identifier(rule_t rule)
-{
- return auth_items_get_string(rule->data, RULE_IDENTIFIER);
-}
-
-CFDataRef rule_get_requirment_data(rule_t rule)
-{
- if (!rule->requirement_data && auth_items_exist(rule->data, RULE_REQUIREMENT)) {
- size_t len;
- const void * data = auth_items_get_data(rule->data, RULE_REQUIREMENT, &len);
- rule->requirement_data = CFDataCreate(kCFAllocatorDefault, data, (CFIndex)len);
- }
-
- return rule->requirement_data;
-}
-
-SecRequirementRef rule_get_requirment(rule_t rule)
-{
- if (!rule->requirement) {
- CFDataRef data = rule_get_requirment_data(rule);
- if (data) {
- SecRequirementCreateWithData(data, kSecCSDefaultFlags, &rule->requirement);
- }
- }
-
- return rule->requirement;
-}
projects / apple / security.git / blobdiff