--- /dev/null
+/*
+ * Copyright (c) 2000-2004,2007 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * AuthorizationEngine.h
+ * Authorization
+ *
+ */
+#ifndef _H_AUTHORIZATIONENGINE
+#define _H_AUTHORIZATIONENGINE 1
+
+#include <Security/Authorization.h>
+#include <Security/AuthorizationPlugin.h>
+#include <security_cdsa_utilities/AuthorizationData.h>
+
+#include <security_utilities/threading.h>
+#include <security_utilities/osxcode.h>
+
+#include <CoreFoundation/CFDate.h>
+#include <CoreFoundation/CFDictionary.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "authority.h"
+
+#include "AuthorizationRule.h"
+#include "AuthorizationDBPlist.h"
+
+namespace Authorization
+{
+
+class Error : public CommonError {
+protected:
+ Error(int err);
+public:
+ const int error;
+ virtual int unixError() const throw();
+ virtual OSStatus osStatus() const throw();
+ virtual const char *what () const throw();
+ static void throwMe(int err) __attribute((noreturn));
+};
+
+
+/* The engine which performs the actual authentication and authorization computations.
+
+ The implementation of a typical call to AuthorizationCreate would look like:
+
+ Get the current shared CredentialSet for this session.
+ Call authorizedRights() with inRights and the shared CredentialSet.
+ Compute the difference set between the rights requested and the rights returned from authorizedRights().
+ Call credentialIds() with the rights computed above (for which we have no credentials yet).
+ Call aquireCredentials() for the credentialIds returned from credentialIds()
+ For each credential returned place it in the session (replacing when needed) if shared() returns true.
+ The authorization returned to the user should now refer to the credentials in the session and the non shared ones returned by aquireCredentials().
+
+ When a call to AuthorizationCopyRights() is made, just call authorizedRights() using the union of the session credentials and the credentials tied to the authorization specified.
+
+ When a call to AuthorizationCopyInfo() is made, ask the Credential specified by tag for it info and return it.
+
+ When a call to AuthorizationFree() is made, delete all the non-shared credentials ascociated with the authorization specified. If the kAuthorizationFreeFlagDestroy is set. Also delete the shared credentials ascociated with the authorization specified.
+ */
+class Engine
+{
+public:
+ Engine(const char *configFile);
+ ~Engine();
+
+ OSStatus authorize(const AuthItemSet &inRights, const AuthItemSet &environment,
+ AuthorizationFlags flags, const CredentialSet *inCredentials, CredentialSet *outCredentials,
+ AuthItemSet &outRights, AuthorizationToken &auth);
+ OSStatus getRule(string &inRightName, CFDictionaryRef *outRuleDefinition);
+ OSStatus setRule(const char *inRightName, CFDictionaryRef inRuleDefinition, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth);
+ OSStatus removeRule(const char *inRightName, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth);
+
+private:
+ OSStatus verifyModification(string inRightName, bool remove,
+ const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth);
+
+ AuthorizationDBPlist mAuthdb;
+ mutable Mutex mLock;
+};
+
+}; // namespace Authorization
+
+#endif /* ! _H_AUTHORIZATIONENGINE */
projects / apple / security.git / blobdiff