src/AuthorizationRule.h

   1 /*
   2  *  Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  *  @APPLE_LICENSE_HEADER_START@
   5  *
   6  *  Copyright (c) 1999-2003 Apple Computer, Inc.  All Rights Reserved.
   7  *
   8  *  This file contains Original Code and/or Modifications of Original Code
   9  *  as defined in and that are subject to the Apple Public Source License
  10  *  Version 2.0 (the 'License'). You may not use this file except in
  11  *  compliance with the License. Please obtain a copy of the License at
  12  *  http://www.opensource.apple.com/apsl/ and read it before using this
  13  *  file.
  14  *
  15  *  The Original Code and all software distributed under the License are
  16  *  distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  17  *  EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  18  *  INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  19  *  FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  20  *  Please see the License for the specific language governing rights and
  21  *  limitations under the License.
  22  *
  23  *  @APPLE_LICENSE_HEADER_END@
  24  *
  25  *  AuthorizationRule.h
  26  *  Security
  27  *
  28  *  Created by Conrad Sauerwald on Wed Mar 19 2003.
  29  */
  30
  31 #ifndef _H_AUTHORIZATIONRULE
  32 #define _H_AUTHORIZATIONRULE  1
  33
  34 #include <CoreFoundation/CoreFoundation.h>
  35 #include <security_cdsa_utilities/AuthorizationData.h>
  36 #include "authority.h"
  37
  38 namespace Authorization
  39 {
  40
  41 class Rule;
  42
  43 class RuleImpl : public RefCount
  44 {
  45 public:
  46         RuleImpl();
  47         RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
  48
  49         OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
  50                 AuthorizationFlags flags, CFAbsoluteTime now,
  51                 const CredentialSet *inCredentials, CredentialSet &credentials,
  52                 AuthorizationToken &auth) const;
  53
  54         string name() const { return mRightName; }
  55
  56 private:
  57 // internal machinery
  58
  59         // evaluate credential for right
  60         OSStatus evaluateCredentialForRight(const AuthItemRef &inRight, const Rule &inRule,
  61                 const AuthItemSet &environment,
  62                 CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const;
  63
  64
  65         OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
  66     AuthItemSet &environmentToClient, AuthorizationFlags flags,
  67         CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
  68         AuthorizationToken &auth) const;
  69
  70         void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;
  71
  72         // perform authorization based on running specified mechanisms (see evaluateMechanism)
  73         OSStatus evaluateAuthorization(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;
  74
  75         OSStatus evaluateAuthorizationOld(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;
  76
  77         OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
  78                 AuthItemSet &environmentToClient, AuthorizationFlags flags,
  79                 CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
  80                 AuthorizationToken &auth) const;
  81
  82         OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const;
  83
  84         // find username hint based on session owner
  85         OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, string& usernamehint) const;
  86
  87         string agentNameForAuth(const AuthorizationToken &auth) const;
  88         CredentialSet makeCredentials(const AuthItemSet &context) const;
  89
  90         map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
  91
  92
  93 // parsed attributes
  94 private:
  95         enum Type
  96         {
  97                 kDeny,
  98                 kAllow,
  99                 kUser,
 100                 kRuleDelegation,
 101                 kKofN,
 102                 kEvaluateMechanisms,
 103         } mType;
 104
 105         string mRightName;
 106         string mGroupName;
 107         CFTimeInterval mMaxCredentialAge;
 108         bool mShared;
 109         bool mAllowRoot;
 110         vector<string> mEvalDef;
 111         bool mSessionOwner;
 112         vector<Rule> mRuleDef;
 113         uint32_t mKofN;
 114         mutable uint32_t mTries;
 115         map<string,string> mLocalizedPrompts;
 116
 117 private:
 118
 119         class Attribute
 120         {
 121         public:
 122                 static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
 123                 static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
 124                 static string getString(CFDictionaryRef config, CFStringRef key, bool required, char *defaultValue);
 125                 static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
 126                 static void setString(CFMutableDictionaryRef config, CFStringRef key, string &value);
 127                 static void setDouble(CFMutableDictionaryRef config, CFStringRef key, double value);
 128                 static void setBool(CFMutableDictionaryRef config, CFStringRef key, bool value);
 129                 static bool getLocalizedPrompts(CFDictionaryRef config, map<string,string> &localizedPrompts);
 130         };
 131
 132
 133 // keys
 134         static CFStringRef kUserGroupID;
 135         static CFStringRef kTimeoutID;
 136         static CFStringRef kSharedID;
 137         static CFStringRef kAllowRootID;
 138         static CFStringRef kMechanismsID;
 139         static CFStringRef kSessionOwnerID;
 140         static CFStringRef kKofNID;
 141         static CFStringRef kPromptID;
 142     static CFStringRef kTriesID;
 143
 144         static CFStringRef kRuleClassID;
 145         static CFStringRef kRuleAllowID;
 146         static CFStringRef kRuleDenyID;
 147         static CFStringRef kRuleUserID;
 148         static CFStringRef kRuleDelegateID;
 149         static CFStringRef kRuleMechanismsID;
 150
 151 };
 152
 153 class Rule : public RefPointer<RuleImpl>
 154 {
 155 public:
 156         Rule();
 157         Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
 158 };
 159
 160 }; /* namespace Authorization */
 161
 162 #endif /* ! _H_AUTHORIZATIONRULE */