--- /dev/null
+/* Copyright (c) 2012 Apple Inc. All rights reserved. */
+
+#include "Authorization.h"
+#include "authd_private.h"
+#include "authutilities.h"
+#include "debugging.h"
+
+#include <Security/AuthorizationPriv.h>
+#include <Security/AuthorizationDB.h>
+#include <Security/AuthorizationTags.h>
+#include <Security/AuthorizationTagsPriv.h>
+#include <xpc/xpc.h>
+#include <xpc/private.h>
+#include <mach/mach.h>
+#include <syslog.h>
+#include <AssertMacros.h>
+#include <CoreFoundation/CFXPCBridge.h>
+
+static dispatch_queue_t
+get_authorization_dispatch_queue()
+{
+ static dispatch_once_t onceToken = 0;
+ static dispatch_queue_t connection_queue = NULL;
+
+ dispatch_once(&onceToken, ^{
+ connection_queue = dispatch_queue_create("authorization-connection-queue", DISPATCH_QUEUE_SERIAL);
+ });
+
+ return connection_queue;
+}
+
+static xpc_connection_t
+get_authorization_connection()
+{
+ static xpc_connection_t connection = NULL;
+
+ dispatch_sync(get_authorization_dispatch_queue(), ^{
+ if (connection == NULL) {
+ connection = xpc_connection_create(SECURITY_AUTH_NAME, NULL);
+
+ if (!connection) {
+ syslog(LOG_ERR, "Authorization, failed to create xpc connection to %s", SECURITY_AUTH_NAME);
+ connection = xpc_connection_create(SECURITY_AUTH_NAME, NULL);
+ }
+
+ xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
+ if (xpc_get_type(event) == XPC_TYPE_ERROR) {
+ if (event == XPC_ERROR_CONNECTION_INVALID) {
+ syslog(LOG_ERR, "Authorization, server not available");
+ }
+ // XPC_ERROR_CONNECTION_INTERRUPTED
+ // XPC_ERROR_TERMINATION_IMMINENT
+ } else {
+ char * desc = xpc_copy_description(event);
+ syslog(LOG_ERR, "Authorization, we should never get messages on this connection: %s", desc);
+ free(desc);
+ }
+ });
+
+ xpc_connection_resume(connection);
+
+ // Send
+ xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_SETUP);
+ mach_port_t bootstrap = MACH_PORT_NULL;
+ task_get_bootstrap_port(mach_task_self(), &bootstrap);
+ xpc_dictionary_set_mach_send(message, AUTH_XPC_BOOTSTRAP, bootstrap);
+ xpc_object_t reply = xpc_connection_send_message_with_reply_sync(connection, message);
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ }
+ });
+
+ return connection;
+}
+
+static void
+setItemSet(xpc_object_t message, const char * key, const AuthorizationItemSet * itemSet)
+{
+ xpc_object_t serialized = SerializeItemSet(itemSet);
+ if (serialized) {
+ xpc_dictionary_set_value(message, key, serialized);
+ xpc_release(serialized);
+ }
+}
+
+OSStatus AuthorizationCreate(const AuthorizationRights *rights,
+ const AuthorizationEnvironment *environment,
+ AuthorizationFlags flags,
+ AuthorizationRef *authorization)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+
+// require_action(!(rights == NULL && authorization == NULL), done, status = errAuthorizationInvalidSet);
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_CREATE);
+ setItemSet(message, AUTH_XPC_RIGHTS, rights);
+ setItemSet(message, AUTH_XPC_ENVIROMENT, environment);
+ xpc_dictionary_set_uint64(message, AUTH_XPC_FLAGS, flags | (authorization ? 0 : kAuthorizationFlagNoData));
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // Out
+ if (authorization && status == errAuthorizationSuccess) {
+ size_t len;
+ const void * data = xpc_dictionary_get_data(reply, AUTH_XPC_BLOB, &len);
+ require_action(data != NULL, done, status = errAuthorizationInternal);
+ assert(len == sizeof(AuthorizationBlob));
+
+ AuthorizationBlob * blob = (AuthorizationBlob*)calloc(1u, sizeof(AuthorizationBlob));
+ require_action(blob != NULL, done, status = errAuthorizationInternal);
+ *blob = *(AuthorizationBlob*)data;
+
+ *authorization = (AuthorizationRef)blob;
+ }
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationCreateWithAuditToken(audit_token_t token,
+ const AuthorizationEnvironment *environment,
+ AuthorizationFlags flags,
+ AuthorizationRef *authorization)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+
+ require_action(authorization != NULL, done, status = errAuthorizationInvalidPointer);
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_CREATE_WITH_AUDIT_TOKEN);
+ xpc_dictionary_set_data(message, AUTH_XPC_DATA, &token, sizeof(token));
+ setItemSet(message, AUTH_XPC_ENVIROMENT, environment);
+ xpc_dictionary_set_uint64(message, AUTH_XPC_FLAGS, flags);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // Out
+ if (status == errAuthorizationSuccess) {
+ size_t len;
+ const void * data = xpc_dictionary_get_data(reply, AUTH_XPC_BLOB, &len);
+ require_action(data != NULL, done, status = errAuthorizationInternal);
+ assert(len == sizeof(AuthorizationBlob));
+
+ AuthorizationBlob * blob = (AuthorizationBlob*)calloc(1u, sizeof(AuthorizationBlob));
+ require_action(blob != NULL, done, status = errAuthorizationInternal);
+ *blob = *(AuthorizationBlob*)data;
+
+ *authorization = (AuthorizationRef)blob;
+ }
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationFree(AuthorizationRef authorization, AuthorizationFlags flags)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+ AuthorizationBlob *blob = NULL;
+
+ require_action(authorization != NULL, done, status = errAuthorizationInvalidRef);
+ blob = (AuthorizationBlob *)authorization;
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_FREE);
+ xpc_dictionary_set_data(message, AUTH_XPC_BLOB, blob, sizeof(AuthorizationBlob));
+ xpc_dictionary_set_uint64(message, AUTH_XPC_FLAGS, flags);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // Free
+ free(blob);
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+static OSStatus
+_AuthorizationCopyRights_send_message(xpc_object_t message, AuthorizationRights **authorizedRights)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t reply = NULL;
+
+ // Send
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // Out
+ if (authorizedRights && status == errAuthorizationSuccess) {
+ xpc_object_t tmpItems = xpc_dictionary_get_value(reply, AUTH_XPC_OUT_ITEMS);
+ AuthorizationRights * grantedRights = DeserializeItemSet(tmpItems);
+ require_action(grantedRights != NULL, done, status = errAuthorizationInternal);
+
+ *authorizedRights = grantedRights;
+ }
+
+done:
+ xpc_release_safe(reply);
+ return status;
+}
+
+static OSStatus
+_AuthorizationCopyRights_prepare_message(AuthorizationRef authorization, const AuthorizationRights *rights, const AuthorizationEnvironment *environment, AuthorizationFlags flags, xpc_object_t *message_out)
+{
+ OSStatus status = errAuthorizationInternal;
+ AuthorizationBlob *blob = NULL;
+ xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ require_action(authorization != NULL, done, status = errAuthorizationInvalidRef);
+ blob = (AuthorizationBlob *)authorization;
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_COPY_RIGHTS);
+ xpc_dictionary_set_data(message, AUTH_XPC_BLOB, blob, sizeof(AuthorizationBlob));
+ setItemSet(message, AUTH_XPC_RIGHTS, rights);
+ setItemSet(message, AUTH_XPC_ENVIROMENT, environment);
+ xpc_dictionary_set_uint64(message, AUTH_XPC_FLAGS, flags);
+
+ *message_out = message;
+ message = NULL;
+ status = errAuthorizationSuccess;
+
+done:
+ xpc_release_safe(message);
+ return status;
+}
+
+OSStatus AuthorizationCopyRights(AuthorizationRef authorization,
+ const AuthorizationRights *rights,
+ const AuthorizationEnvironment *environment,
+ AuthorizationFlags flags,
+ AuthorizationRights **authorizedRights)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+
+ require_noerr(status = _AuthorizationCopyRights_prepare_message(authorization, rights, environment, flags, &message), done);
+ require_noerr(status = _AuthorizationCopyRights_send_message(message, authorizedRights), done);
+
+done:
+ xpc_release_safe(message);
+ return status;
+}
+
+
+void AuthorizationCopyRightsAsync(AuthorizationRef authorization,
+ const AuthorizationRights *rights,
+ const AuthorizationEnvironment *environment,
+ AuthorizationFlags flags,
+ AuthorizationAsyncCallback callbackBlock)
+{
+ OSStatus prepare_status = errAuthorizationInternal;
+ __block xpc_object_t message = NULL;
+
+ prepare_status = _AuthorizationCopyRights_prepare_message(authorization, rights, environment, flags, &message);
+ if (prepare_status != errAuthorizationSuccess) {
+ callbackBlock(prepare_status, NULL);
+ }
+
+ dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ AuthorizationRights *blockAuthorizedRights = NULL;
+ OSStatus status = _AuthorizationCopyRights_send_message(message, &blockAuthorizedRights);
+ callbackBlock(status, blockAuthorizedRights);
+ xpc_release_safe(message);
+ });
+}
+
+OSStatus AuthorizationDismiss()
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require(message != NULL, done);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_DISMISS);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationCopyInfo(AuthorizationRef authorization,
+ AuthorizationString tag,
+ AuthorizationItemSet **info)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+ AuthorizationBlob *blob = NULL;
+
+ require_action(info != NULL, done, status = errAuthorizationInvalidSet);
+ require_action(authorization != NULL, done, status = errAuthorizationInvalidRef);
+ blob = (AuthorizationBlob *)authorization;
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_COPY_INFO);
+ xpc_dictionary_set_data(message, AUTH_XPC_BLOB, blob, sizeof(AuthorizationBlob));
+ if (tag) {
+ xpc_dictionary_set_string(message, AUTH_XPC_TAG, tag);
+ }
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // Out
+ if (info && status == errAuthorizationSuccess) {
+ xpc_object_t tmpItems = xpc_dictionary_get_value(reply, AUTH_XPC_OUT_ITEMS);
+ AuthorizationRights * outInfo = DeserializeItemSet(tmpItems);
+ require_action(outInfo != NULL, done, status = errAuthorizationInternal);
+
+ *info = outInfo;
+ }
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationMakeExternalForm(AuthorizationRef authorization,
+ AuthorizationExternalForm *extForm)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+ AuthorizationBlob *blob = NULL;
+
+ require_action(extForm != NULL, done, status = errAuthorizationInvalidPointer);
+ require_action(authorization != NULL, done, status = errAuthorizationInvalidRef);
+ blob = (AuthorizationBlob *)authorization;
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_MAKE_EXTERNAL_FORM);
+ xpc_dictionary_set_data(message, AUTH_XPC_BLOB, blob, sizeof(AuthorizationBlob));
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // out
+ if (status == errAuthorizationSuccess) {
+ size_t len;
+ const void * data = xpc_dictionary_get_data(reply, AUTH_XPC_EXTERNAL, &len);
+ require_action(data != NULL, done, status = errAuthorizationInternal);
+ assert(len == sizeof(AuthorizationExternalForm));
+
+ *extForm = *(AuthorizationExternalForm*)data;
+ }
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationCreateFromExternalForm(const AuthorizationExternalForm *extForm,
+ AuthorizationRef *authorization)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+
+ require_action(extForm != NULL, done, status = errAuthorizationInvalidPointer);
+ require_action(authorization != NULL, done, status = errAuthorizationInvalidRef);
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_CREATE_FROM_EXTERNAL_FORM);
+ xpc_dictionary_set_data(message, AUTH_XPC_EXTERNAL, extForm, sizeof(AuthorizationExternalForm));
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // Out
+ if (authorization && status == errAuthorizationSuccess) {
+ size_t len;
+ const void * data = xpc_dictionary_get_data(reply, AUTH_XPC_BLOB, &len);
+ require_action(data != NULL, done, status = errAuthorizationInternal);
+ assert(len == sizeof(AuthorizationBlob));
+
+ AuthorizationBlob * blob = (AuthorizationBlob*)calloc(1u, sizeof(AuthorizationBlob));
+ require_action(blob != NULL, done, status = errAuthorizationInternal);
+ *blob = *(AuthorizationBlob*)data;
+
+ *authorization = (AuthorizationRef)blob;
+ }
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationFreeItemSet(AuthorizationItemSet *set)
+{
+ FreeItemSet(set);
+ return errAuthorizationSuccess;
+}
+
+OSStatus AuthorizationEnableSmartCard(AuthorizationRef authRef, Boolean enable)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+ AuthorizationBlob *blob = NULL;
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+ require_action(authRef != NULL, done, status = errAuthorizationInvalidRef);
+ blob = (AuthorizationBlob *)authRef;
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_ENABLE_SMARTCARD);
+ xpc_dictionary_set_data(message, AUTH_XPC_BLOB, blob, sizeof(AuthorizationBlob));
+ xpc_dictionary_set_bool(message, AUTH_XPC_DATA, enable);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+
+OSStatus AuthorizationRightGet(const char *rightName,
+ CFDictionaryRef *rightDefinition)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+
+ require_action(rightName != NULL, done, status = errAuthorizationInvalidPointer);
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_RIGHT_GET);
+ xpc_dictionary_set_string(message, AUTH_XPC_RIGHT_NAME, rightName);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+ // Out
+ if (rightDefinition && status == errAuthorizationSuccess) {
+ xpc_object_t value = xpc_dictionary_get_value(reply, AUTH_XPC_DATA);
+ require_action(value != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(value) == XPC_TYPE_DICTIONARY, done, status = errAuthorizationInternal);
+
+ CFTypeRef cfdict = _CFXPCCreateCFObjectFromXPCObject(value);
+ require_action(cfdict != NULL, done, status = errAuthorizationInternal);
+
+ *rightDefinition = cfdict;
+ }
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationRightSet(AuthorizationRef authRef,
+ const char *rightName,
+ CFTypeRef rightDefinition,
+ CFStringRef descriptionKey,
+ CFBundleRef bundle,
+ CFStringRef tableName)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+ AuthorizationBlob *blob = NULL;
+ CFMutableDictionaryRef rightDict = NULL;
+ CFBundleRef clientBundle = bundle;
+
+ if (bundle) {
+ CFRetain(bundle);
+ }
+
+ require_action(rightDefinition != NULL, done, status = errAuthorizationInvalidPointer);
+ require_action(rightName != NULL, done, status = errAuthorizationInvalidPointer);
+ require_action(authRef != NULL, done, status = errAuthorizationInvalidRef);
+ blob = (AuthorizationBlob *)authRef;
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_RIGHT_SET);
+ xpc_dictionary_set_data(message, AUTH_XPC_BLOB, blob, sizeof(AuthorizationBlob));
+ xpc_dictionary_set_string(message, AUTH_XPC_RIGHT_NAME, rightName);
+
+ // Create rightDict
+ if (CFGetTypeID(rightDefinition) == CFStringGetTypeID()) {
+ rightDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ require_action(rightDict != NULL, done, status = errAuthorizationInternal);
+
+ CFDictionarySetValue(rightDict, CFSTR(kAuthorizationRightRule), rightDefinition);
+
+ } else if (CFGetTypeID(rightDefinition) == CFDictionaryGetTypeID()) {
+ rightDict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, rightDefinition);
+ require_action(rightDict != NULL, done, status = errAuthorizationInternal);
+
+ } else {
+ status = errAuthorizationInvalidPointer;
+ goto done;
+ }
+
+ // Create locDict
+ if (descriptionKey) {
+ CFMutableDictionaryRef locDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ require_action(locDict != NULL, done, status = errAuthorizationInternal);
+
+ if (clientBundle == NULL) {
+ clientBundle = CFBundleGetMainBundle();
+ CFRetain(clientBundle);
+ }
+
+ if (clientBundle) {
+ CFArrayRef bundleLocalizations = CFBundleCopyBundleLocalizations(clientBundle);
+ if (bundleLocalizations) {
+ // for every CFString in localizations do
+ CFIndex locIndex, allLocs = CFArrayGetCount(bundleLocalizations);
+ for (locIndex = 0; locIndex < allLocs; locIndex++)
+ {
+ CFStringRef oneLocalization = (CFStringRef)CFArrayGetValueAtIndex(bundleLocalizations, locIndex);
+
+ if (!oneLocalization)
+ continue;
+
+ // @@@ no way to get "Localized" and "strings" as constants?
+ CFURLRef locURL = CFBundleCopyResourceURLForLocalization(clientBundle, tableName ? tableName : CFSTR("Localizable"), CFSTR("strings"), NULL /*subDirName*/, oneLocalization);
+
+ if (!locURL)
+ continue;
+
+ CFDataRef tableData = NULL;
+ SInt32 errCode;
+ CFStringRef errStr = NULL;
+ CFPropertyListRef stringTable = NULL;
+
+ CFURLCreateDataAndPropertiesFromResource(CFGetAllocator(clientBundle), locURL, &tableData, NULL, NULL, &errCode);
+ CFReleaseSafe(locURL);
+ if (errCode)
+ {
+ CFReleaseSafe(tableData);
+ continue;
+ }
+
+ stringTable = CFPropertyListCreateFromXMLData(CFGetAllocator(clientBundle), tableData, kCFPropertyListImmutable, &errStr);
+ CFReleaseSafe(errStr);
+ CFReleaseSafe(tableData);
+
+ CFStringRef value = (CFStringRef)CFDictionaryGetValue(stringTable, descriptionKey);
+ if (value == NULL || CFEqual(value, CFSTR(""))) {
+ CFReleaseSafe(stringTable);
+ continue;
+ } else {
+ // oneLocalization/value into our dictionary
+ CFDictionarySetValue(locDict, oneLocalization, value);
+ CFReleaseSafe(stringTable);
+ }
+ }
+ CFReleaseSafe(bundleLocalizations);
+ }
+ }
+
+ // add the description as the default localization into the dictionary
+ CFDictionarySetValue(locDict, CFSTR(""), descriptionKey);
+
+ // stuff localization table into right definition
+ CFDictionarySetValue(rightDict, CFSTR(kAuthorizationRuleParameterDefaultPrompt), locDict);
+ CFReleaseSafe(locDict);
+ }
+
+ xpc_object_t value = _CFXPCCreateXPCObjectFromCFObject(rightDict);
+ xpc_dictionary_set_value(message, AUTH_XPC_DATA, value);
+ xpc_release_safe(value);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+done:
+ CFReleaseSafe(clientBundle);
+ CFReleaseSafe(rightDict);
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
+
+OSStatus AuthorizationRightRemove(AuthorizationRef authorization,
+ const char *rightName)
+{
+ OSStatus status = errAuthorizationInternal;
+ xpc_object_t message = NULL;
+ xpc_object_t reply = NULL;
+ AuthorizationBlob *blob = NULL;
+
+ require_action(rightName != NULL, done, status = errAuthorizationInvalidPointer);
+ require_action(authorization != NULL, done, status = errAuthorizationInvalidRef);
+ blob = (AuthorizationBlob *)authorization;
+
+ // Send
+ message = xpc_dictionary_create(NULL, NULL, 0);
+ require_action(message != NULL, done, status = errAuthorizationInternal);
+
+ xpc_dictionary_set_uint64(message, AUTH_XPC_TYPE, AUTHORIZATION_RIGHT_REMOVE);
+ xpc_dictionary_set_data(message, AUTH_XPC_BLOB, blob, sizeof(AuthorizationBlob));
+ xpc_dictionary_set_string(message, AUTH_XPC_RIGHT_NAME, rightName);
+
+ // Reply
+ reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message);
+ require_action(reply != NULL, done, status = errAuthorizationInternal);
+ require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal);
+
+ // Status
+ status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS);
+
+done:
+ xpc_release_safe(message);
+ xpc_release_safe(reply);
+ return status;
+}
projects / apple / security.git / blobdiff