X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/ce3c8656732c924baf7e88df75eab50891bdc471..fa7225c82381bac4432a6edf16f53b5370238d85:/securityd/src/AuthorizationRule.cpp?ds=inline
diff --git a/securityd/src/AuthorizationRule.cpp b/securityd/src/AuthorizationRule.cpp
deleted file mode 100644
index 9c6f49a5..00000000
--- a/securityd/src/AuthorizationRule.cpp
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Copyright (c) 2003-2010,2012 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * AuthorizationRule.cpp
- * Security
- *
- */
-
-#include "AuthorizationRule.h"
-#include
-#include
-#include
-#include
-#include
-#include
-#include "ccaudit_extensions.h"
-#include "authority.h"
-#include "server.h"
-#include "process.h"
-#include "agentquery.h"
-#include "AuthorizationMechEval.h"
-
-#include
-#include
-#include
-#include
-#include
-
-extern "C" {
-#include
-}
-
-using namespace CommonCriteria::Securityd;
-
-//
-// Rule class
-//
-namespace Authorization {
-
-CFStringRef RuleImpl::kUserGroupID = CFSTR(kAuthorizationRuleParameterGroup);
-CFStringRef RuleImpl::kTimeoutID = CFSTR(kAuthorizationRuleParameterCredentialTimeout);
-CFStringRef RuleImpl::kSharedID = CFSTR(kAuthorizationRuleParameterCredentialShared);
-CFStringRef RuleImpl::kAllowRootID = CFSTR(kAuthorizationRuleParameterAllowRoot);
-CFStringRef RuleImpl::kMechanismsID = CFSTR(kAuthorizationRuleParameterMechanisms);
-CFStringRef RuleImpl::kSessionOwnerID = CFSTR(kAuthorizationRuleParameterCredentialSessionOwner);
-CFStringRef RuleImpl::kKofNID = CFSTR(kAuthorizationRuleParameterKofN);
-CFStringRef RuleImpl::kPromptID = CFSTR(kAuthorizationRuleParameterDefaultPrompt);
-CFStringRef RuleImpl::kButtonID = CFSTR(kAuthorizationRuleParameterDefaultButton);
-CFStringRef RuleImpl::kTriesID = CFSTR("tries"); // XXX/cs move to AuthorizationTagsPriv.h
-CFStringRef RuleImpl::kExtractPasswordID = CFSTR(kAuthorizationRuleParameterExtractPassword);
-
-CFStringRef RuleImpl::kRuleClassID = CFSTR(kAuthorizationRuleClass);
-CFStringRef RuleImpl::kRuleAllowID = CFSTR(kAuthorizationRuleClassAllow);
-CFStringRef RuleImpl::kRuleDenyID = CFSTR(kAuthorizationRuleClassDeny);
-CFStringRef RuleImpl::kRuleUserID = CFSTR(kAuthorizationRuleClassUser);
-CFStringRef RuleImpl::kRuleDelegateID = CFSTR(kAuthorizationRightRule);
-CFStringRef RuleImpl::kRuleMechanismsID = CFSTR(kAuthorizationRuleClassMechanisms);
-CFStringRef RuleImpl::kRuleAuthenticateUserID = CFSTR(kAuthorizationRuleParameterAuthenticateUser);
-
-
-string
-RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool required = false, const char *defaultValue = "")
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-double
-RuleImpl::Attribute::getDouble(CFDictionaryRef config, CFStringRef key, bool required = false, double defaultValue = 0.0)
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-bool
-RuleImpl::Attribute::getBool(CFDictionaryRef config, CFStringRef key, bool required = false, bool defaultValue = false)
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-vector
-RuleImpl::Attribute::getVector(CFDictionaryRef config, CFStringRef key, bool required = false)
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-
-bool RuleImpl::Attribute::getLocalizedText(CFDictionaryRef config, map &localizedPrompts, CFStringRef dictKey, const char *descriptionKey)
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-
-// default rule
-RuleImpl::RuleImpl() :
-mType(kUser), mGroupName("admin"), mMaxCredentialAge(300.0), mShared(true), mAllowRoot(false), mSessionOwner(false), mTries(0), mAuthenticateUser(true), mExtractPassword(false)
-{
- // XXX/cs read default descriptions from somewhere
- // @@@ Default rule is shared admin group with 5 minute timeout
-}
-
-// return rule built from rule definition; throw if invalid.
-RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules) : mRightName(inRightName), mExtractPassword(false)
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-/*
-RuleImpl::~Rule()
-{
-}
-*/
-
-void
-RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-// If a different evaluation for getting a credential is prescribed,
-// we'll run that and validate the credentials from there.
-// we fall back on a default configuration from the authenticate rule
-OSStatus
-RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-// create externally verified credentials on the basis of
-// mechanism-provided information
-CredentialSet
-RuleImpl::makeCredentials(const AuthorizationToken &auth) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-// evaluate whether a good credential of the current session owner would authorize a right
-OSStatus
-RuleImpl::evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-
-OSStatus
-RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-// Return errAuthorizationSuccess if this rule allows access based on the specified credential,
-// return errAuthorizationDenied otherwise.
-OSStatus
-RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-
-
-OSStatus
-RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-OSStatus
-RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-OSStatus
-RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-
-OSStatus
-RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
-{
- Syslog::alert("Authorization via securityd no longer supported");
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-Rule::Rule() : RefPointer(new RuleImpl()) {}
-Rule::Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules) : RefPointer(new RuleImpl(inRightName, cfRight, cfRules)) {}
-
-
-
-} // end namespace Authorization