2  * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved. 
   4  * @APPLE_LICENSE_HEADER_START@ 
   6  * Copyright (c) 1999-2003 Apple Computer, Inc.  All Rights Reserved. 
   8  * This file contains Original Code and/or Modifications of Original Code 
   9  * as defined in and that are subject to the Apple Public Source License 
  10  * Version 2.0 (the 'License'). You may not use this file except in 
  11  * compliance with the License. Please obtain a copy of the License at 
  12  * http://www.opensource.apple.com/apsl/ and read it before using this 
  15  * The Original Code and all software distributed under the License are 
  16  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
  17  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
  18  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
  19  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
  20  * Please see the License for the specific language governing rights and 
  21  * limitations under the License. 
  23  * @APPLE_LICENSE_HEADER_END@ 
  28  *  AuthorizationEngine.cpp 
  31  *  Created by Michael Brouwer on Thu Oct 12 2000. 
  34 #include "AuthorizationEngine.h" 
  35 #include <security_cdsa_utilities/AuthorizationWalkers.h> 
  36 #include <Security/AuthorizationPriv.h> 
  37 #include <Security/AuthorizationDB.h> 
  40 #include "authority.h" 
  42 #include <Security/AuthorizationTags.h> 
  43 #include <Security/AuthorizationTagsPriv.h> 
  44 #include <security_utilities/logging.h> 
  45 #include <security_utilities/cfutilities.h> 
  46 #include <security_utilities/debugging.h> 
  47 //#include "session.h" 
  50 #include <CoreFoundation/CFData.h> 
  51 #include <CoreFoundation/CFNumber.h> 
  52 #include <CoreFoundation/CFPropertyList.h> 
  58 namespace Authorization 
{ 
  62 // Errors to be thrown 
  64 Error::Error(int err
) : error(err
) 
  68 const char *Error::what() const throw() 
  69 { return "Authorization error"; } 
  71 int Error::unixError() const throw() 
  72 { return error
; }       // @@@ eventually... 
  74 OSStatus 
Error::osStatus() const throw() 
  77 void Error::throwMe(int err
) { throw Error(err
); } 
  82 Engine::Engine(const char *configFile
) : mAuthdb(configFile
) 
  92         @function AuthorizationEngine::authorize 
  96         @param inRights (input) List of rights being requested for authorization. 
  97         @param environment (optional/input) Environment containing information to be used during evaluation. 
  98         @param flags (input) Optional flags @@@ see AuthorizationCreate for a description. 
  99         @param inCredentials (input) Credentials already held by the caller. 
 100         @param outCredentials (output/optional) Credentials obtained, used or refreshed during this call to authorize the requested rights. 
 101         @param outRights (output/optional) Subset of inRights which were actually authorized. 
 103         @results Returns errAuthorizationSuccess if all rights requested are authorized, or if the kAuthorizationFlagPartialRights flag was specified.  Might return other status values like errAuthorizationDenied, errAuthorizationCanceled or errAuthorizationInteractionNotAllowed  
 106 Engine::authorize(const AuthItemSet 
&inRights
, const AuthItemSet 
&environment
, 
 107         AuthorizationFlags flags
, const CredentialSet 
*inCredentials
, CredentialSet 
*outCredentials
, 
 108         AuthItemSet 
&outRights
, AuthorizationToken 
&auth
) 
 110         CredentialSet credentials
; 
 111         OSStatus status 
= errAuthorizationSuccess
; 
 113         // Get current time of day. 
 114         CFAbsoluteTime now 
= CFAbsoluteTimeGetCurrent(); 
 116         // Update rules from database if needed 
 119         // Check if a credential was passed into the environment and we were asked to extend the rights 
 120         if (flags 
& kAuthorizationFlagExtendRights
) 
 122                 string username
, password
; 
 124                 for (AuthItemSet::iterator item 
= environment
.begin(); item 
!= environment
.end(); item 
++) 
 126                         if (!strcmp((*item
)->name(), kAuthorizationEnvironmentUsername
)) 
 127                                 username 
= (*item
)->stringValue(); 
 128                         else if (!strcmp((*item
)->name(), kAuthorizationEnvironmentPassword
)) 
 129                                 password 
= (*item
)->stringValue(); 
 130                         else if (!strcmp((*item
)->name(), kAuthorizationEnvironmentShared
)) 
 134                 if (username
.length()) 
 136                         // Let's create a credential from the passed in username and password. 
 137                         Credential 
newCredential(username
, password
, shared
); 
 138                         // If it's valid insert it into the credentials list.  Normally this is 
 139                         // only done if it actually authorizes a requested right, but for this 
 140                         // special case (environment) we do it even when no rights are being requested. 
 141                         if (newCredential
->isValid()) 
 142                                 credentials
.insert(newCredential
); 
 146         // generate hints for every authorization 
 147     AuthItemSet environmentToClient 
= environment
; 
 149         AuthItemSet::const_iterator end 
= inRights
.end(); 
 150         for (AuthItemSet::const_iterator it 
= inRights
.begin(); it 
!= end
; ++it
) 
 152                 // Get the rule for each right we are trying to obtain. 
 153                 const Rule 
&toplevelRule 
= mAuthdb
.getRule(*it
); 
 154                 OSStatus result 
= toplevelRule
->evaluate(*it
, toplevelRule
, environmentToClient
, flags
, now
, inCredentials
, credentials
, auth
); 
 155                 secdebug("autheval", "evaluate rule %s for right %s returned %ld.", toplevelRule
->name().c_str(), (*it
)->name(), result
); 
 158                         CodeSigning::OSXCode 
*processCode 
= Server::process().clientCode(); 
 159                         string processName 
= processCode 
? processCode
->canonicalPath() : "unknown"; 
 160                         CodeSigning::OSXCode 
*authCreatorCode 
= auth
.creatorCode(); 
 161                         string authCreatorName 
= authCreatorCode 
? authCreatorCode
->canonicalPath() : "unknown"; 
 163                         if (result 
== errAuthorizationSuccess
) 
 164                                 Syslog::info("Succeeded authorizing right %s by process %s for authorization created by %s.", (*it
)->name(), processName
.c_str(), authCreatorName
.c_str()); 
 165                         else if (result 
== errAuthorizationDenied
) 
 166                                 Syslog::notice("Failed to authorize right %s by process %s for authorization created by %s.", (*it
)->name(), processName
.c_str(), authCreatorName
.c_str()); 
 169                 if (result 
== errAuthorizationSuccess
) 
 170                         outRights
.insert(*it
); 
 171                 else if (result 
== errAuthorizationDenied 
|| result 
== errAuthorizationInteractionNotAllowed
) 
 173                         // add creator pid to authorization token 
 174                         if (!(flags 
& kAuthorizationFlagPartialRights
)) 
 180         else if (result 
== errAuthorizationCanceled
) 
 187                         Syslog::error("Engine::authorize: Rule::evaluate returned %ld returning errAuthorizationInternal", result
); 
 188                         status 
= errAuthorizationInternal
; 
 194                 outCredentials
->swap(credentials
); 
 200 Engine::verifyModification(string inRightName
, bool remove
, 
 201         const CredentialSet 
*inCredentials
, CredentialSet 
*outCredentials
, AuthorizationToken 
&auth
) 
 205         // meta rights are constructed as follows: 
 206         // we don't allow setting of wildcard rights, so you can only be more specific 
 207         // note that you should never restrict things with a wildcard right without disallowing 
 208         // changes to the entire domain.  ie.  
 209         //              system.privilege.               -> never 
 210         //              config.add.system.privilege.    -> never 
 211         //              config.modify.system.privilege. -> never 
 212         //              config.delete.system.privilege. -> never 
 213         // For now we don't allow any configuration of configuration rules 
 214         //              config.config. -> never 
 216         string rightnameToCheck
; 
 218         // @@@ verify right name is is not NULL or zero length 
 219         if (inRightName
.length() == 0) 
 220                 return errAuthorizationDenied
; 
 222         // @@@ make sure it isn't a wildcard right by checking trailing "." 
 223         if ( *(inRightName
.rbegin()) == '.') 
 224                 return errAuthorizationDenied
; 
 226         // @@@ make sure it isn't a configure right by checking it doesn't start with config. 
 227         if (inRightName
.find(kConfigRight
, 0) != string::npos
) 
 229                 // special handling of meta right change: 
 230                 // config.add. config.modify. config.remove. config.{}. 
 231                 // check for config.<right> (which always starts with config.config.) 
 232                 rightnameToCheck 
= string(kConfigRight
) + inRightName
; 
 236                 // regular check of rights 
 237                 bool existingRule 
= mAuthdb
.existRule(inRightName
); 
 241                                 rightnameToCheck 
= string(kAuthorizationConfigRightModify
) + inRightName
; 
 243                                 rightnameToCheck 
= string(kAuthorizationConfigRightAdd
) + inRightName
; 
 248                                 rightnameToCheck 
= string(kAuthorizationConfigRightRemove
) + inRightName
; 
 251                                 secdebug("engine", "rule %s doesn't exist.", inRightName
.c_str()); 
 252                                 return errAuthorizationSuccess
; // doesn't exist, done 
 258         AuthItemSet rights
, environment
, outRights
; 
 259         rights
.insert(AuthItemRef(rightnameToCheck
.c_str())); 
 260         secdebug("engine", "authorizing %s for db modification.", rightnameToCheck
.c_str()); 
 261         return authorize(rights
, environment
, kAuthorizationFlagDefaults 
| kAuthorizationFlagInteractionAllowed 
| kAuthorizationFlagExtendRights
, inCredentials
, outCredentials
, outRights
, auth
); 
 265 Engine::getRule(string 
&inRightName
, CFDictionaryRef 
*outRuleDefinition
) 
 267         // Get current time of day. 
 268         CFAbsoluteTime now 
= CFAbsoluteTimeGetCurrent(); 
 270         // Update rules from database if needed 
 273         CFDictionaryRef definition 
= mAuthdb
.getRuleDefinition(inRightName
); 
 276                 if (outRuleDefinition
) 
 277                         *outRuleDefinition 
= definition
; 
 279                         CFRelease(definition
); 
 281                 return errAuthorizationSuccess
; 
 284         return errAuthorizationDenied
; 
 288 Engine::setRule(const char *inRightName
, CFDictionaryRef inRuleDefinition
, const CredentialSet 
*inCredentials
, CredentialSet 
*outCredentials
, AuthorizationToken 
&auth
) 
 290         // Get current time of day. 
 291         CFAbsoluteTime now 
= CFAbsoluteTimeGetCurrent(); 
 293         // Update rules from database if needed 
 296         // Validate rule by constructing it from the passed dictionary 
 297         if (!mAuthdb
.validateRule(inRightName
, inRuleDefinition
)) 
 298                 return errAuthorizationDenied
; // @@@ separate error for this? 
 300         OSStatus result 
= verifyModification(inRightName
, false /*setting, not removing*/, inCredentials
, outCredentials
, auth
); 
 301         if (result 
!= errAuthorizationSuccess
) 
 304         // set the rule for the right and save the database 
 305         mAuthdb
.setRule(inRightName
, inRuleDefinition
); 
 307         return errAuthorizationSuccess
; 
 311 Engine::removeRule(const char *inRightName
, const CredentialSet 
*inCredentials
, CredentialSet 
*outCredentials
, AuthorizationToken 
&auth
) 
 313         // Get current time of day. 
 314         CFAbsoluteTime now 
= CFAbsoluteTimeGetCurrent(); 
 316         // Update rules from database if needed 
 319         OSStatus result 
= verifyModification(inRightName
, true /*removing*/, inCredentials
, outCredentials
, auth
); 
 320         if (result 
!= errAuthorizationSuccess
) 
 323         // set the rule for the right and save the database 
 324         mAuthdb
.removeRule(inRightName
); 
 326         return errAuthorizationSuccess
; 
 329 }       // end namespace Authorization