+++ /dev/null
-/*
- * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <Security/SecACL.h>
-#include <security_keychain/ACL.h>
-#include <security_keychain/Access.h>
-#include <security_keychain/SecAccessPriv.h>
-
-#include "SecBridge.h"
-
-// Forward reference
-/*!
- @function GetACLAuthorizationTagFromString
- @abstract Get the CSSM ACL item from the CFString
- @param aclStr The String name of the ACL
- @result The CSSM ACL value
-*/
-sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
-
-CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
-
-//
-// Local functions
-//
-static void setApplications(ACL *acl, CFArrayRef applicationList);
-
-CFTypeID
-SecACLGetTypeID(void)
-{
- BEGIN_SECAPI
-
- return gTypes().ACL.typeID;
-
- END_SECAPI1(_kCFRuntimeNotATypeID)
-}
-
-
-/*!
- */
-OSStatus SecACLCreateFromSimpleContents(SecAccessRef accessRef,
- CFArrayRef applicationList,
- CFStringRef description, const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector,
- SecACLRef *newAcl)
-{
- BEGIN_SECAPI
- SecPointer<Access> access = Access::required(accessRef);
- SecPointer<ACL> acl = new ACL(*access, cfString(description), *promptSelector);
- if (applicationList) {
- // application-list + prompt
- acl->form(ACL::appListForm);
- setApplications(acl, applicationList);
- } else {
- // allow-any
- acl->form(ACL::allowAllForm);
- }
- access->add(acl.get());
- Required(newAcl) = acl->handle();
- END_SECAPI
-}
-
-OSStatus SecACLCreateWithSimpleContents(SecAccessRef access,
- CFArrayRef applicationList,
- CFStringRef description,
- SecKeychainPromptSelector promptSelector,
- SecACLRef *newAcl)
-{
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR cdsaPromptSelector;
- cdsaPromptSelector.version = CSSM_ACL_KEYCHAIN_PROMPT_CURRENT_VERSION;
- cdsaPromptSelector.flags = promptSelector;
- return SecACLCreateFromSimpleContents(access, applicationList, description, &cdsaPromptSelector, newAcl);
-}
-
-
-/*!
- */
-OSStatus SecACLRemove(SecACLRef aclRef)
-{
- BEGIN_SECAPI
- ACL::required(aclRef)->remove();
- END_SECAPI
-}
-
-
-static SecTrustedApplicationRef
-convert(const SecPointer<TrustedApplication> &trustedApplication)
-{
- return *trustedApplication;
-}
-
-/*!
- */
-OSStatus SecACLCopySimpleContents(SecACLRef aclRef,
- CFArrayRef *applicationList,
- CFStringRef *promptDescription, CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector)
-{
- BEGIN_SECAPI
- SecPointer<ACL> acl = ACL::required(aclRef);
- switch (acl->form()) {
- case ACL::allowAllForm:
- Required(applicationList) = NULL;
- Required(promptDescription) =
- acl->promptDescription().empty() ? NULL
- : makeCFString(acl->promptDescription());
- Required(promptSelector) = acl->promptSelector();
- break;
- case ACL::appListForm:
- Required(applicationList) =
- makeCFArray(convert, acl->applications());
- Required(promptDescription) = makeCFString(acl->promptDescription());
- Required(promptSelector) = acl->promptSelector();
- break;
- default:
- return errSecACLNotSimple; // custom or unknown
- }
- END_SECAPI
-}
-
-OSStatus SecACLCopyContents(SecACLRef acl,
- CFArrayRef *applicationList,
- CFStringRef *description,
- SecKeychainPromptSelector *promptSelector)
-{
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR cdsaPromptSelector;
- memset(&cdsaPromptSelector, 0, sizeof(cdsaPromptSelector));
- OSStatus err = errSecSuccess;
-
- err = SecACLCopySimpleContents(acl, applicationList, description, &cdsaPromptSelector);
- *promptSelector = cdsaPromptSelector.flags;
- return err;
-}
-
-OSStatus SecACLSetSimpleContents(SecACLRef aclRef,
- CFArrayRef applicationList,
- CFStringRef description, const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector)
-{
- BEGIN_SECAPI
- SecPointer<ACL> acl = ACL::required(aclRef);
- acl->promptDescription() = description ? cfString(description) : "";
- acl->promptSelector() = promptSelector ? *promptSelector : ACL::defaultSelector;
- if (applicationList) {
- // application-list + prompt
- acl->form(ACL::appListForm);
- setApplications(acl, applicationList);
- } else {
- // allow-any
- acl->form(ACL::allowAllForm);
- }
- acl->modify();
- END_SECAPI
-}
-
-OSStatus SecACLSetContents(SecACLRef acl,
- CFArrayRef applicationList,
- CFStringRef description,
- SecKeychainPromptSelector promptSelector)
-{
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR cdsaPromptSelector;
- cdsaPromptSelector.version = CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION;
- cdsaPromptSelector.flags = promptSelector;
- return SecACLSetSimpleContents(acl, applicationList, description, &cdsaPromptSelector);
-}
-
-//
-// Stuff a CFArray-of-SecTrustedApplications into an ACL object
-//
-static void setApplications(ACL *acl, CFArrayRef applicationList)
-{
- ACL::ApplicationList &appList = acl->applications();
- appList.clear();
- //@@@ should really use STL iterator overlay on CFArray. By hand...
- CFIndex count = CFArrayGetCount(applicationList);
- for (CFIndex n = 0; n < count; n++)
- appList.push_back(TrustedApplication::required(
- SecTrustedApplicationRef(CFArrayGetValueAtIndex(applicationList, n))));
-}
-
-
-//
-// Set and get the authorization tags of an ACL entry
-//
-OSStatus SecACLGetAuthorizations(SecACLRef acl,
- CSSM_ACL_AUTHORIZATION_TAG *tags, uint32 *tagCount)
-{
- BEGIN_SECAPI
- AclAuthorizationSet auths = ACL::required(acl)->authorizations();
- if (Required(tagCount) < auths.size()) { // overflow
- *tagCount = (uint32)auths.size(); // report size required
- CssmError::throwMe(errSecParam);
- }
- *tagCount = (uint32)auths.size();
- copy(auths.begin(), auths.end(), tags);
- END_SECAPI
-}
-
-CFArrayRef SecACLCopyAuthorizations(SecACLRef acl)
-{
- CFArrayRef result = NULL;
- if (NULL == acl)
- {
- return result;
- }
-
- AclAuthorizationSet auths = ACL::required(acl)->authorizations();
- uint32 numAuths = (uint32)auths.size();
-
- CSSM_ACL_AUTHORIZATION_TAG* tags = new CSSM_ACL_AUTHORIZATION_TAG[numAuths];
- int i;
- for (i = 0; i < numAuths; ++i)
- {
- tags[i] = NULL;
- }
-
- OSStatus err = SecACLGetAuthorizations(acl, tags, &numAuths);
- if (errSecSuccess != err)
- {
-
- return result;
- }
-
- CFTypeRef* strings = new CFTypeRef[numAuths];
- for (i = 0; i < numAuths; ++i)
- {
- strings[i] = NULL;
- }
-
- for (size_t iCnt = 0; iCnt < numAuths; iCnt++)
- {
- strings[iCnt] = (CFTypeRef)GetAuthStringFromACLAuthorizationTag(tags[iCnt]);
- }
-
- result = CFArrayCreate(kCFAllocatorDefault, (const void **)strings, numAuths, NULL);
-
- delete[] strings;
- delete[] tags;
-
- return result;
-
-}
-
-OSStatus SecACLSetAuthorizations(SecACLRef aclRef,
- CSSM_ACL_AUTHORIZATION_TAG *tags, uint32 tagCount)
-{
- BEGIN_SECAPI
- SecPointer<ACL> acl = ACL::required(aclRef);
- if (acl->isOwner()) // can't change rights of the owner ACL
- MacOSError::throwMe(errSecInvalidOwnerEdit);
- AclAuthorizationSet &auths = acl->authorizations();
- auths.clear();
- copy(tags, tags + tagCount, insert_iterator<AclAuthorizationSet>(auths, auths.begin()));
- acl->modify();
- END_SECAPI
-}
-
-OSStatus SecACLUpdateAuthorizations(SecACLRef acl, CFArrayRef authorizations)
-{
- if (NULL == acl || NULL == authorizations)
- {
- return errSecParam;
- }
- uint32 tagCount = (uint32)CFArrayGetCount(authorizations);
-
- size_t tagSize = (tagCount * sizeof(CSSM_ACL_AUTHORIZATION_TAG));
-
- CSSM_ACL_AUTHORIZATION_TAG* tags = (CSSM_ACL_AUTHORIZATION_TAG*)malloc(tagSize);
- memset(tags, 0, tagSize);
- for (uint32 iCnt = 0; iCnt < tagCount; iCnt++)
- {
- tags[iCnt] = GetACLAuthorizationTagFromString((CFStringRef)CFArrayGetValueAtIndex(authorizations, iCnt));
- }
-
- OSStatus result = SecACLSetAuthorizations(acl, tags, tagCount);
- free(tags);
- return result;
-}
projects / apple / security.git / blobdiff