src/AuthorizationEngine.h

   1 /*
   2  * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  *
  23  *  AuthorizationEngine.h
  24  *  Authorization
  25  *
  26  */
  27 #ifndef _H_AUTHORIZATIONENGINE
  28 #define _H_AUTHORIZATIONENGINE  1
  29
  30 #include <Security/Authorization.h>
  31 #include <Security/AuthorizationPlugin.h>
  32 #include <security_cdsa_utilities/AuthorizationData.h>
  33
  34 #include <security_utilities/threading.h>
  35 #include <security_utilities/osxcode.h>
  36
  37 #include <CoreFoundation/CFDate.h>
  38 #include <CoreFoundation/CFDictionary.h>
  39 #include <sys/stat.h>
  40 #include <sys/types.h>
  41
  42 #include "authority.h"
  43
  44 #include "AuthorizationRule.h"
  45 #include "AuthorizationDBPlist.h"
  46
  47 namespace Authorization
  48 {
  49
  50 class Error : public CommonError {
  51 protected:
  52     Error(int err);
  53 public:
  54     const int error;
  55     virtual int unixError() const throw();
  56     virtual OSStatus osStatus() const throw();
  57     virtual const char *what () const throw();
  58         // @@@ Default value should be internal error.
  59     static void throwMe(int err = -1) __attribute((noreturn));
  60 };
  61
  62
  63 /* The engine which performs the actual authentication and authorization computations.
  64
  65         The implementation of a typical call to AuthorizationCreate would look like:
  66
  67         Get the current shared CredentialSet for this session.
  68         Call authorizedRights() with inRights and the shared CredentialSet.
  69         Compute the difference set between the rights requested and the rights returned from authorizedRights().
  70         Call credentialIds() with the rights computed above (for which we have no credentials yet).
  71         Call aquireCredentials() for the credentialIds returned from credentialIds()
  72         For each credential returned place it in the session (replacing when needed) if shared() returns true.
  73         The authorization returned to the user should now refer to the credentials in the session and the non shared ones returned by aquireCredentials().
  74
  75         When a call to AuthorizationCopyRights() is made, just call authorizedRights() using the union of the session credentials and the credentials tied to the authorization specified.
  76
  77         When a call to AuthorizationCopyInfo() is made, ask the Credential specified by tag for it info and return it.
  78
  79         When a call to AuthorizationFree() is made, delete all the non-shared credentials ascociated with the authorization specified.  If the kAuthorizationFreeFlagDestroy is set.  Also delete the shared credentials ascociated with the authorization specified.
  80  */
  81 class Engine
  82 {
  83 public:
  84         Engine(const char *configFile);
  85         ~Engine();
  86
  87         OSStatus authorize(const AuthItemSet &inRights, const AuthItemSet &environment,
  88                 AuthorizationFlags flags, const CredentialSet *inCredentials, CredentialSet *outCredentials,
  89                 AuthItemSet &outRights, AuthorizationToken &auth);
  90         OSStatus getRule(string &inRightName, CFDictionaryRef *outRuleDefinition);
  91         OSStatus setRule(const char *inRightName, CFDictionaryRef inRuleDefinition, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth);
  92         OSStatus removeRule(const char *inRightName, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth);
  93
  94 private:
  95         OSStatus verifyModification(string inRightName, bool remove,
  96         const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth);
  97
  98         AuthorizationDBPlist mAuthdb;
  99     mutable Mutex mLock;
 100 };
 101
 102 }; // namespace Authorization
 103
 104 #endif /* ! _H_AUTHORIZATIONENGINE */