]> git.saurik.com Git - apple/securityd.git/blob - src/AuthorizationRule.h
securityd-26232.tar.gz
[apple/securityd.git] / src / AuthorizationRule.h
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * AuthorizationRule.h
24 * Security
25 *
26 * Created by Conrad Sauerwald on Wed Mar 19 2003.
27 */
28
29 #ifndef _H_AUTHORIZATIONRULE
30 #define _H_AUTHORIZATIONRULE 1
31
32 #include <CoreFoundation/CoreFoundation.h>
33 #include <security_cdsa_utilities/AuthorizationData.h>
34 #include "authority.h"
35
36 namespace Authorization
37 {
38
39 class Rule;
40
41 class RuleImpl : public RefCount
42 {
43 public:
44 RuleImpl();
45 RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
46
47 OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
48 AuthorizationFlags flags, CFAbsoluteTime now,
49 const CredentialSet *inCredentials, CredentialSet &credentials,
50 AuthorizationToken &auth) const;
51
52 string name() const { return mRightName; }
53
54 private:
55 // internal machinery
56
57 // evaluate credential for right
58 OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule,
59 const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const;
60
61 OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
62 AuthItemSet &environmentToClient, AuthorizationFlags flags,
63 CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
64 AuthorizationToken &auth) const;
65
66 void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;
67
68 // perform authorization based on running specified mechanisms (see evaluateMechanism)
69 OSStatus evaluateAuthorization(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;
70
71 OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
72 AuthItemSet &environmentToClient, AuthorizationFlags flags,
73 CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
74 AuthorizationToken &auth) const;
75
76 OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const;
77
78 // find username hint based on session owner
79 OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, string& usernamehint) const;
80
81 CredentialSet makeCredentials(const AuthorizationToken &auth) const;
82
83 map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
84
85
86 // parsed attributes
87 private:
88 enum Type
89 {
90 kDeny,
91 kAllow,
92 kUser,
93 kRuleDelegation,
94 kKofN,
95 kEvaluateMechanisms,
96 } mType;
97
98 string mRightName;
99 string mGroupName;
100 CFTimeInterval mMaxCredentialAge;
101 bool mShared;
102 bool mAllowRoot;
103 vector<string> mEvalDef;
104 bool mSessionOwner;
105 vector<Rule> mRuleDef;
106 uint32_t mKofN;
107 mutable uint32_t mTries;
108 bool mAuthenticateUser;
109 map<string,string> mLocalizedPrompts;
110
111 private:
112
113 class Attribute
114 {
115 public:
116 static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
117 static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
118 static string getString(CFDictionaryRef config, CFStringRef key, bool required, char *defaultValue);
119 static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
120 static bool getLocalizedPrompts(CFDictionaryRef config, map<string,string> &localizedPrompts);
121 };
122
123
124 // keys
125 static CFStringRef kUserGroupID;
126 static CFStringRef kTimeoutID;
127 static CFStringRef kSharedID;
128 static CFStringRef kAllowRootID;
129 static CFStringRef kMechanismsID;
130 static CFStringRef kSessionOwnerID;
131 static CFStringRef kKofNID;
132 static CFStringRef kPromptID;
133 static CFStringRef kTriesID;
134
135 static CFStringRef kRuleClassID;
136 static CFStringRef kRuleAllowID;
137 static CFStringRef kRuleDenyID;
138 static CFStringRef kRuleUserID;
139 static CFStringRef kRuleDelegateID;
140 static CFStringRef kRuleMechanismsID;
141 static CFStringRef kRuleAuthenticateUserID;
142 };
143
144 class Rule : public RefPointer<RuleImpl>
145 {
146 public:
147 Rule();
148 Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
149 };
150
151 }; /* namespace Authorization */
152
153 #endif /* ! _H_AUTHORIZATIONRULE */