]> git.saurik.com Git - apple/securityd.git/blob - src/AuthorizationRule.h
securityd-55137.1.tar.gz
[apple/securityd.git] / src / AuthorizationRule.h
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * AuthorizationRule.h
24 * Security
25 *
26 */
27
28 #ifndef _H_AUTHORIZATIONRULE
29 #define _H_AUTHORIZATIONRULE 1
30
31 #include <CoreFoundation/CoreFoundation.h>
32 #include <security_cdsa_utilities/AuthorizationData.h>
33 #include "authority.h"
34
35 namespace Authorization
36 {
37
38 class Rule;
39
40 class RuleImpl : public RefCount
41 {
42 public:
43 RuleImpl();
44 RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
45
46 OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
47 AuthorizationFlags flags, CFAbsoluteTime now,
48 const CredentialSet *inCredentials, CredentialSet &credentials,
49 AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
50
51 string name() const { return mRightName; }
52 bool extractPassword() const { return mExtractPassword; }
53
54 private:
55 // internal machinery
56
57 // evaluate credential for right
58 OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule,
59 const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
60 // evaluate user credential (authentication) for right
61 OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
62
63 OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
64 AuthItemSet &environmentToClient, AuthorizationFlags flags,
65 CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
66 AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
67
68 void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;
69
70 // perform authorization based on running specified mechanisms (see evaluateMechanism)
71 OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
72
73 OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
74 AuthItemSet &environmentToClient, AuthorizationFlags flags,
75 CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
76 AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;
77
78 OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const;
79
80 // find username hint based on session owner
81 OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const;
82
83 CredentialSet makeCredentials(const AuthorizationToken &auth) const;
84
85 map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
86 map<string,string> localizedButtons() const { return mLocalizedButtons; }
87
88
89 // parsed attributes
90 private:
91 enum Type
92 {
93 kDeny,
94 kAllow,
95 kUser,
96 kRuleDelegation,
97 kKofN,
98 kEvaluateMechanisms,
99 } mType;
100
101 string mRightName;
102 string mGroupName;
103 CFTimeInterval mMaxCredentialAge;
104 bool mShared;
105 bool mAllowRoot;
106 vector<string> mEvalDef;
107 bool mSessionOwner;
108 vector<Rule> mRuleDef;
109 uint32_t mKofN;
110 mutable uint32_t mTries;
111 bool mExtractPassword;
112 bool mAuthenticateUser;
113 map<string,string> mLocalizedPrompts;
114 map<string,string> mLocalizedButtons;
115
116 private:
117
118 class Attribute
119 {
120 public:
121 static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
122 static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
123 static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
124 static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
125 static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey);
126 };
127
128
129 // keys
130 static CFStringRef kUserGroupID;
131 static CFStringRef kTimeoutID;
132 static CFStringRef kSharedID;
133 static CFStringRef kAllowRootID;
134 static CFStringRef kMechanismsID;
135 static CFStringRef kSessionOwnerID;
136 static CFStringRef kKofNID;
137 static CFStringRef kPromptID;
138 static CFStringRef kButtonID;
139 static CFStringRef kTriesID;
140 static CFStringRef kExtractPasswordID;
141
142 static CFStringRef kRuleClassID;
143 static CFStringRef kRuleAllowID;
144 static CFStringRef kRuleDenyID;
145 static CFStringRef kRuleUserID;
146 static CFStringRef kRuleDelegateID;
147 static CFStringRef kRuleMechanismsID;
148 static CFStringRef kRuleAuthenticateUserID;
149 };
150
151 class Rule : public RefPointer<RuleImpl>
152 {
153 public:
154 Rule();
155 Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
156 };
157
158 }; /* namespace Authorization */
159
160 #endif /* ! _H_AUTHORIZATIONRULE */