--- /dev/null
+#include "MISEntitlement.h"
+
+static const CFStringRef kEntitlementAllValuesAllowed = CFSTR("*");
+
+static Boolean whitelistArrayAllowsEntitlementValue(CFArrayRef whitelist, CFStringRef value)
+{
+ Boolean allowed = false;
+
+ CFIndex i, count = CFArrayGetCount(whitelist);
+ for (i = 0; (i < count) && (allowed == false); i++) {
+ CFStringRef item = (CFStringRef) CFArrayGetValueAtIndex(whitelist, i);
+ if (CFGetTypeID(item) == CFStringGetTypeID()) {
+
+ CFIndex len = CFStringGetLength(item);
+ if (len > 0) {
+ if (CFStringGetCharacterAtIndex(item, len-1) != '*') {
+
+ /* Not a wildcard, must be an exact match */
+ allowed = CFStringCompare(item, value, 0) == kCFCompareEqualTo;
+ } else {
+
+ /* Last character is a wildcard - do some matching */
+ CFStringRef wildcardPrefix = CFStringCreateWithSubstring(kCFAllocatorDefault, item, CFRangeMake(0, len-1));
+ allowed = CFStringHasPrefix(value, wildcardPrefix);
+ CFRelease(wildcardPrefix);
+ }
+ }
+ } else {
+
+ /* Unexpected item in whitelist - bail */
+ break;
+ }
+ }
+
+ return allowed;
+}
+
+Boolean MISEntitlementDictionaryAllowsEntitlementValue(CFDictionaryRef entitlements, CFStringRef entitlement, CFTypeRef value)
+{
+ Boolean allowsEntitlement = false;
+
+ /* NULL is never a valid entitlement value */
+ if (value != NULL) {
+
+ /* Make sure the entitlement is present */
+ CFTypeRef storedValue = CFDictionaryGetValue(entitlements, entitlement);
+ if (storedValue != NULL) {
+
+ /*
+ * Handling depends on the type
+ * If the value matches our constant, the entitlement is permitted
+ * to have any value.
+ * If the value in the dictionary is a boolean, then the entitlement
+ * value must be a boolean with the same value
+ * If the value in the dictionary is an array (of strings), then the
+ * entitlement must be either one of those strings OR an array that
+ * includes only present strings
+ */
+ if (CFEqual(storedValue, kEntitlementAllValuesAllowed) == true) {
+
+ /* XXX: Does this need to restrict the value to some types */
+ allowsEntitlement = true;
+ } else if (CFGetTypeID(storedValue) == CFBooleanGetTypeID()) {
+ allowsEntitlement = CFEqual(storedValue, value);
+ } else if (CFGetTypeID(storedValue) == CFStringGetTypeID()) {
+ if (CFGetTypeID(value) == CFStringGetTypeID()) {
+ CFArrayRef array = CFArrayCreate(kCFAllocatorDefault, (const void **) &storedValue, 1, &kCFTypeArrayCallBacks);
+ allowsEntitlement = whitelistArrayAllowsEntitlementValue(array, (CFStringRef) value);
+ CFRelease(array);
+ }
+ } else if (CFGetTypeID(storedValue) == CFArrayGetTypeID()) {
+
+ /* value is either a single string or array of strings */
+ if (CFGetTypeID(value) == CFStringGetTypeID()) {
+ allowsEntitlement = whitelistArrayAllowsEntitlementValue((CFArrayRef) storedValue, (CFStringRef) value);
+ } else if (CFGetTypeID(value) == CFArrayGetTypeID()) {
+
+ /*
+ * Assume allowed, will set back to false if we encounter
+ * elements that are not permitted
+ */
+ allowsEntitlement = true;
+
+ /* Make sure each element is a string and in the array */
+ CFIndex i, count = CFArrayGetCount((CFArrayRef) value);
+ for (i = 0; (i < count) && (allowsEntitlement == true); i++) {
+ CFTypeRef element = CFArrayGetValueAtIndex((CFArrayRef) value, i);
+ if (CFGetTypeID(element) == CFStringGetTypeID()) {
+ allowsEntitlement = whitelistArrayAllowsEntitlementValue((CFArrayRef) storedValue, (CFStringRef) element);
+ } else {
+ allowsEntitlement = false;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ return allowsEntitlement;
+}
projects / apple / security.git / blobdiff