+++ /dev/null
-/*
- * Copyright (c) 2002-2004,2011-2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-//
-// ACL.cpp
-//
-#include <security_keychain/ACL.h>
-#include <security_keychain/SecCFTypes.h>
-#include <security_utilities/osxcode.h>
-#include <security_utilities/trackingallocator.h>
-#include <security_cdsa_utilities/walkers.h>
-#include <security_keychain/TrustedApplication.h>
-#include <Security/SecTrustedApplication.h>
-#include <security_utilities/devrandom.h>
-#include <security_cdsa_utilities/uniformrandom.h>
-#include <memory>
-
-
-using namespace KeychainCore;
-using namespace DataWalkers;
-
-
-//
-// The default form of a prompt selector
-//
-const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR ACL::defaultSelector = {
- CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION, 0
-};
-
-
-//
-// ACL static constants
-//
-const CSSM_ACL_HANDLE ACL::ownerHandle;
-
-
-//
-// Create an ACL object from the result of a CSSM ACL query
-//
-ACL::ACL(Access &acc, const AclEntryInfo &info, Allocator &alloc)
- : allocator(alloc), access(acc), mState(unchanged), mSubjectForm(NULL), mMutex(Mutex::recursive)
-{
- // parse the subject
- parse(info.proto().subject());
-
- // fill in AclEntryInfo layer information
- const AclEntryPrototype &proto = info.proto();
- mAuthorizations = proto.authorization();
- mDelegate = proto.delegate();
- mEntryTag = proto.s_tag();
-
- // take CSSM entry handle from info layer
- mCssmHandle = info.handle();
-}
-
-ACL::ACL(Access &acc, const AclOwnerPrototype &owner, Allocator &alloc)
- : allocator(alloc), access(acc), mState(unchanged), mSubjectForm(NULL), mMutex(Mutex::recursive)
-{
- // parse subject
- parse(owner.subject());
-
- // for an owner "entry", the next-layer information is fixed (and fake)
- mAuthorizations.insert(CSSM_ACL_AUTHORIZATION_CHANGE_ACL);
- mDelegate = owner.delegate();
- mEntryTag[0] = '\0';
-
- // use fixed (fake) entry handle
- mCssmHandle = ownerHandle;
-}
-
-
-//
-// Create a new ACL that authorizes anyone to do anything.
-// This constructor produces a "pure" ANY ACL, without descriptor or selector.
-// To generate a "standard" form of ANY, use the appListForm constructor below,
-// then change its form to allowAnyForm.
-//
-ACL::ACL(Access &acc, Allocator &alloc)
- : allocator(alloc), access(acc), mSubjectForm(NULL), mMutex(Mutex::recursive)
-{
- mState = inserted; // new
- mForm = allowAllForm; // everybody
- mAuthorizations.insert(CSSM_ACL_AUTHORIZATION_ANY); // anything
- mDelegate = false;
-
- //mPromptDescription stays empty
- mPromptSelector = defaultSelector;
-
- // randomize the CSSM handle
- UniformRandomBlobs<DevRandomGenerator>().random(mCssmHandle);
-}
-
-
-//
-// Create a new ACL in standard form.
-// As created, it authorizes all activities.
-//
-ACL::ACL(Access &acc, string description, const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR &promptSelector,
- Allocator &alloc)
- : allocator(alloc), access(acc), mSubjectForm(NULL), mMutex(Mutex::recursive)
-{
- mState = inserted; // new
- mForm = appListForm;
- mAuthorizations.insert(CSSM_ACL_AUTHORIZATION_ANY); // anything
- mDelegate = false;
-
- mPromptDescription = description;
- mPromptSelector = promptSelector;
-
- // randomize the CSSM handle
- UniformRandomBlobs<DevRandomGenerator>().random(mCssmHandle);
-}
-
-
-//
-// Destroy an ACL
-//
-ACL::~ACL()
-{
- // release subject form (if any)
- chunkFree(mSubjectForm, allocator);
-}
-
-
-//
-// Does this ACL authorize a particular right?
-//
-bool ACL::authorizes(AclAuthorization right)
-{
- StLock<Mutex>_(mMutex);
- return mAuthorizations.find(right) != mAuthorizations.end()
- || mAuthorizations.find(CSSM_ACL_AUTHORIZATION_ANY) != mAuthorizations.end()
- || mAuthorizations.empty();
-}
-
-
-//
-// Add an application to the trusted-app list of this ACL.
-// Will fail unless this is a standard "simple" form ACL.
-//
-void ACL::addApplication(TrustedApplication *app)
-{
- StLock<Mutex>_(mMutex);
- switch (mForm) {
- case appListForm: // simple...
- mAppList.push_back(app);
- modify();
- break;
- case allowAllForm: // hmm...
- if (!mPromptDescription.empty()) {
- // verbose "any" form (has description, "any" override)
- mAppList.push_back(app);
- modify();
- break;
- }
- // pure "any" form without description. Cannot convert to appListForm
- default:
- MacOSError::throwMe(errSecACLNotSimple);
- }
-}
-
-
-//
-// Mark an ACL as modified.
-//
-void ACL::modify()
-{
- StLock<Mutex>_(mMutex);
- if (mState == unchanged) {
- secdebug("SecAccess", "ACL %p marked modified", this);
- mState = modified;
- }
-}
-
-
-//
-// Mark an ACL as "removed"
-// Removed ACLs have no valid contents (they are invalid on their face).
-// When "updated" to the originating item, they will cause the corresponding
-// ACL entry to be deleted. Otherwise, they are irrelevant.
-// Note: Removing an ACL does not actually remove it from its Access's map.
-//
-void ACL::remove()
-{
- StLock<Mutex>_(mMutex);
- mAppList.clear();
- mForm = invalidForm;
- mState = deleted;
-}
-
-
-//
-// Produce CSSM-layer form (ACL prototype) copies of our content.
-// Note that the result is chunk-allocated, and becomes owned by the caller.
-//
-void ACL::copyAclEntry(AclEntryPrototype &proto, Allocator &alloc)
-{
- StLock<Mutex>_(mMutex);
- proto.clearPod(); // preset
-
- // carefully copy the subject
- makeSubject();
- assert(mSubjectForm);
- proto = AclEntryPrototype(*mSubjectForm, mDelegate); // shares subject
- ChunkCopyWalker w(alloc);
- walk(w, proto.subject()); // copy subject in-place
-
- // the rest of a prototype
- proto.tag(mEntryTag);
- AuthorizationGroup tags(mAuthorizations, allocator);
- proto.authorization() = tags;
-}
-
-void ACL::copyAclOwner(AclOwnerPrototype &proto, Allocator &alloc)
-{
- StLock<Mutex>_(mMutex);
- proto.clearPod();
-
- makeSubject();
- assert(mSubjectForm);
- proto = AclOwnerPrototype(*mSubjectForm, mDelegate); // shares subject
- ChunkCopyWalker w(alloc);
- walk(w, proto.subject()); // copy subject in-place
-}
-
-
-//
-// (Re)place this ACL's setting into the AclBearer specified.
-// If update, assume this is an update operation and the ACL was
-// originally derived from this object; specifically, assume the
-// CSSM handle is valid. If not update, assume this is a different
-// object that has no related ACL entry (yet).
-//
-void ACL::setAccess(AclBearer &target, bool update,
- const AccessCredentials *cred)
-{
- StLock<Mutex>_(mMutex);
- // determine what action we need to perform
- State action = state();
- if (!update)
- action = (action == deleted) ? unchanged : inserted;
-
- // the owner acl (pseudo) "entry" is a special case
- if (isOwner()) {
- switch (action) {
- case unchanged:
- secdebug("SecAccess", "ACL %p owner unchanged", this);
- return;
- case inserted: // means modify the initial owner
- case modified:
- {
- secdebug("SecAccess", "ACL %p owner modified", this);
- makeSubject();
- assert(mSubjectForm);
- AclOwnerPrototype proto(*mSubjectForm, mDelegate);
- target.changeOwner(proto, cred);
- return;
- }
- default:
- assert(false);
- return;
- }
- }
-
- // simple cases
- switch (action) {
- case unchanged: // ignore
- secdebug("SecAccess", "ACL %p handle 0x%lx unchanged", this, entryHandle());
- return;
- case deleted: // delete
- secdebug("SecAccess", "ACL %p handle 0x%lx deleted", this, entryHandle());
- target.deleteAcl(entryHandle(), cred);
- return;
- default:
- break;
- }
-
- // build the byzantine data structures that CSSM loves so much
- makeSubject();
- assert(mSubjectForm);
- AclEntryPrototype proto(*mSubjectForm, mDelegate);
- proto.tag(mEntryTag);
- AutoAuthorizationGroup tags(mAuthorizations, allocator);
- proto.authorization() = tags;
- AclEntryInput input(proto);
- switch (action) {
- case inserted: // insert
- secdebug("SecAccess", "ACL %p inserted", this);
- target.addAcl(input, cred);
- break;
- case modified: // update
- secdebug("SecAccess", "ACL %p handle 0x%lx modified", this, entryHandle());
- target.changeAcl(entryHandle(), input, cred);
- break;
- default:
- assert(false);
- }
-}
-
-
-//
-// Parse an AclEntryPrototype (presumably from a CSSM "Get" ACL operation
-// into internal form.
-//
-void ACL::parse(const TypedList &subject)
-{
- StLock<Mutex>_(mMutex);
- try {
- switch (subject.type()) {
- case CSSM_ACL_SUBJECT_TYPE_ANY:
- // subsume an "any" as a standard form
- mForm = allowAllForm;
- return;
- case CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT:
- // pure keychain prompt - interpret as applist form with no apps
- parsePrompt(subject);
- mForm = appListForm;
- return;
- case CSSM_ACL_SUBJECT_TYPE_THRESHOLD:
- {
- // app-list format: THRESHOLD(1, n): sign(1), ..., sign(n), PROMPT
- if (subject[1] != 1)
- throw ParseError();
- uint32 count = subject[2];
-
- // parse final (PROMPT) element
- TypedList &end = subject[count + 2]; // last choice
- if (end.type() != CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT)
- throw ParseError(); // not PROMPT at end
- parsePrompt(end);
-
- // check for leading ANY
- TypedList &first = subject[3];
- if (first.type() == CSSM_ACL_SUBJECT_TYPE_ANY) {
- mForm = allowAllForm;
- return;
- }
-
- // parse other (code signing) elements
- for (uint32 n = 0; n < count - 1; n++)
- mAppList.push_back(new TrustedApplication(TypedList(subject[n + 3].list())));
- }
- mForm = appListForm;
- return;
- default:
- mForm = customForm;
- mSubjectForm = chunkCopy(&subject);
- return;
- }
- } catch (const ParseError &) {
- secdebug("SecAccess", "acl compile failed; marking custom");
- mForm = customForm;
- mSubjectForm = chunkCopy(&subject);
- mAppList.clear();
- }
-}
-
-void ACL::parsePrompt(const TypedList &subject)
-{
- StLock<Mutex>_(mMutex);
- assert(subject.length() == 3);
- mPromptSelector =
- *subject[1].data().interpretedAs<CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR>(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
- mPromptDescription = subject[2].toString();
-}
-
-
-//
-// Take this ACL and produce its meaning as a CSSM ACL subject in mSubjectForm
-//
-void ACL::makeSubject()
-{
- StLock<Mutex>_(mMutex);
- switch (form()) {
- case allowAllForm:
- chunkFree(mSubjectForm, allocator); // release previous
- if (mPromptDescription.empty()) {
- // no description -> pure ANY
- mSubjectForm = new(allocator) TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_ANY);
- } else {
- // have description -> threshold(1 of 2) of { ANY, PROMPT }
- mSubjectForm = new(allocator) TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_THRESHOLD,
- new(allocator) ListElement(1),
- new(allocator) ListElement(2));
- *mSubjectForm += new(allocator) ListElement(TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_ANY));
- TypedList prompt(allocator, CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT,
- new(allocator) ListElement(allocator, CssmData::wrap(mPromptSelector)),
- new(allocator) ListElement(allocator, mPromptDescription));
- *mSubjectForm += new(allocator) ListElement(prompt);
- }
- return;
- case appListForm: {
- // threshold(1 of n+1) of { app1, ..., appn, PROMPT }
- chunkFree(mSubjectForm, allocator); // release previous
- uint32 appCount = (uint32)mAppList.size();
- mSubjectForm = new(allocator) TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_THRESHOLD,
- new(allocator) ListElement(1),
- new(allocator) ListElement(appCount + 1));
- for (uint32 n = 0; n < appCount; n++)
- *mSubjectForm +=
- new(allocator) ListElement(mAppList[n]->makeSubject(allocator));
- TypedList prompt(allocator, CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT,
- new(allocator) ListElement(allocator, CssmData::wrap(mPromptSelector)),
- new(allocator) ListElement(allocator, mPromptDescription));
- *mSubjectForm += new(allocator) ListElement(prompt);
- }
- return;
- case customForm:
- assert(mSubjectForm); // already set; keep it
- return;
- default:
- assert(false); // unexpected
- }
-}
projects / apple / security.git / blobdiff