2  *  Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved. 
   4  *  @APPLE_LICENSE_HEADER_START@ 
   6  *  This file contains Original Code and/or Modifications of Original Code 
   7  *  as defined in and that are subject to the Apple Public Source License 
   8  *  Version 2.0 (the 'License'). You may not use this file except in 
   9  *  compliance with the License. Please obtain a copy of the License at 
  10  *  http://www.opensource.apple.com/apsl/ and read it before using this 
  13  *  The Original Code and all software distributed under the License are 
  14  *  distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
  15  *  EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
  16  *  INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
  17  *  FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
  18  *  Please see the License for the specific language governing rights and 
  19  *  limitations under the License. 
  21  *  @APPLE_LICENSE_HEADER_END@ 
  23  *  AuthorizationRule.cpp 
  28 #include "AuthorizationRule.h" 
  29 #include <Security/AuthorizationTags.h> 
  30 #include <Security/AuthorizationTagsPriv.h> 
  31 #include <Security/AuthorizationDB.h> 
  32 #include <Security/AuthorizationPriv.h> 
  33 #include <security_utilities/logging.h> 
  34 #include <security_utilities/ccaudit.h> 
  35 #include <bsm/audit_uevents.h> 
  36 #include "authority.h" 
  39 #include "agentquery.h" 
  40 #include "AuthorizationMechEval.h" 
  45 #include <membership.h> 
  48 #include <membershipPriv.h> 
  54 namespace Authorization 
{ 
  56 CFStringRef 
RuleImpl::kUserGroupID 
= CFSTR(kAuthorizationRuleParameterGroup
); 
  57 CFStringRef 
RuleImpl::kTimeoutID 
= CFSTR(kAuthorizationRuleParameterCredentialTimeout
); 
  58 CFStringRef 
RuleImpl::kSharedID 
= CFSTR(kAuthorizationRuleParameterCredentialShared
); 
  59 CFStringRef 
RuleImpl::kAllowRootID 
= CFSTR(kAuthorizationRuleParameterAllowRoot
); 
  60 CFStringRef 
RuleImpl::kMechanismsID 
= CFSTR(kAuthorizationRuleParameterMechanisms
); 
  61 CFStringRef 
RuleImpl::kSessionOwnerID 
= CFSTR(kAuthorizationRuleParameterCredentialSessionOwner
); 
  62 CFStringRef 
RuleImpl::kKofNID 
= CFSTR(kAuthorizationRuleParameterKofN
); 
  63 CFStringRef 
RuleImpl::kPromptID 
= CFSTR(kAuthorizationRuleParameterDefaultPrompt
); 
  64 CFStringRef 
RuleImpl::kTriesID 
= CFSTR("tries"); // XXX/cs move to AuthorizationTagsPriv.h 
  66 CFStringRef 
RuleImpl::kRuleClassID 
= CFSTR(kAuthorizationRuleClass
); 
  67 CFStringRef 
RuleImpl::kRuleAllowID 
= CFSTR(kAuthorizationRuleClassAllow
); 
  68 CFStringRef 
RuleImpl::kRuleDenyID 
= CFSTR(kAuthorizationRuleClassDeny
); 
  69 CFStringRef 
RuleImpl::kRuleUserID 
= CFSTR(kAuthorizationRuleClassUser
); 
  70 CFStringRef 
RuleImpl::kRuleDelegateID 
= CFSTR(kAuthorizationRightRule
); 
  71 CFStringRef 
RuleImpl::kRuleMechanismsID 
= CFSTR(kAuthorizationRuleClassMechanisms
); 
  72 CFStringRef 
RuleImpl::kRuleAuthenticateUserID 
= CFSTR(kAuthorizationRuleParameterAuthenticateUser
); 
  76 RuleImpl::Attribute::getString(CFDictionaryRef config
, CFStringRef key
, bool required 
= false, char *defaultValue 
= "") 
  78         CFTypeRef value 
= CFDictionaryGetValue(config
, key
); 
  79         if (value 
&& (CFGetTypeID(value
) == CFStringGetTypeID())) 
  81                 CFStringRef stringValue 
= reinterpret_cast<CFStringRef
>(value
); 
  83                 const char *ptr 
= CFStringGetCStringPtr(stringValue
, kCFStringEncodingUTF8
); 
  86                         if (CFStringGetCString(stringValue
, buffer
, sizeof(buffer
), kCFStringEncodingUTF8
)) 
  89                                 MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
  96                         return string(defaultValue
); 
  98                         MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 102 RuleImpl::Attribute::getDouble(CFDictionaryRef config
, CFStringRef key
, bool required 
= false, double defaultValue 
= 0.0) 
 104         double doubleValue 
= 0; 
 106         CFTypeRef value 
= CFDictionaryGetValue(config
, key
); 
 107         if (value 
&& (CFGetTypeID(value
) == CFNumberGetTypeID())) 
 109                 CFNumberGetValue(reinterpret_cast<CFNumberRef
>(value
), kCFNumberDoubleType
, &doubleValue
); 
 115                         MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 121 RuleImpl::Attribute::getBool(CFDictionaryRef config
, CFStringRef key
, bool required 
= false, bool defaultValue 
= false) 
 123         bool boolValue 
= false; 
 124         CFTypeRef value 
= CFDictionaryGetValue(config
, key
); 
 126         if (value 
&& (CFGetTypeID(value
) == CFBooleanGetTypeID())) 
 128                 boolValue 
= CFBooleanGetValue(reinterpret_cast<CFBooleanRef
>(value
)); 
 134                         MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 140 RuleImpl::Attribute::getVector(CFDictionaryRef config
, CFStringRef key
, bool required 
= false) 
 142         vector
<string
> valueArray
; 
 144         CFTypeRef value 
= CFDictionaryGetValue(config
, key
); 
 145         if (value 
&& (CFGetTypeID(value
) == CFArrayGetTypeID())) 
 147                 CFArrayRef evalArray 
= reinterpret_cast<CFArrayRef
>(value
); 
 149                 for (int index
=0; index 
< CFArrayGetCount(evalArray
); index
++) 
 151                         CFTypeRef arrayValue 
= CFArrayGetValueAtIndex(evalArray
, index
); 
 152                         if (arrayValue 
&& (CFGetTypeID(arrayValue
) == CFStringGetTypeID())) 
 154                                 CFStringRef stringValue 
= reinterpret_cast<CFStringRef
>(arrayValue
); 
 156                                 const char *ptr 
= CFStringGetCStringPtr(stringValue
, kCFStringEncodingUTF8
); 
 159                                         if (CFStringGetCString(stringValue
, buffer
, sizeof(buffer
), kCFStringEncodingUTF8
)) 
 162                                                 MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 164                                 valueArray
.push_back(string(ptr
)); 
 170                         MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 176 bool RuleImpl::Attribute::getLocalizedPrompts(CFDictionaryRef config
, map
<string
,string
> &localizedPrompts
) 
 178         CFIndex numberOfPrompts 
= 0; 
 179         CFDictionaryRef promptsDict
; 
 180         if (CFDictionaryContainsKey(config
, kPromptID
)) 
 182                 promptsDict 
= reinterpret_cast<CFDictionaryRef
>(CFDictionaryGetValue(config
, kPromptID
)); 
 183                 if (promptsDict 
&& (CFGetTypeID(promptsDict
) == CFDictionaryGetTypeID())) 
 184                         numberOfPrompts 
= CFDictionaryGetCount(promptsDict
); 
 186         if (numberOfPrompts 
== 0) 
 189         const void *keys
[numberOfPrompts
+1]; 
 190         const void *values
[numberOfPrompts
+1]; 
 191         CFDictionaryGetKeysAndValues(promptsDict
, &keys
[0], &values
[0]); 
 193         while (numberOfPrompts
-- > 0) 
 195                 CFStringRef keyRef 
= reinterpret_cast<CFStringRef
>(keys
[numberOfPrompts
]); 
 196                 CFStringRef valueRef 
= reinterpret_cast<CFStringRef
>(values
[numberOfPrompts
]); 
 197                 if (!keyRef 
|| (CFGetTypeID(keyRef
) != CFStringGetTypeID())) 
 199                 if (!valueRef 
|| (CFGetTypeID(valueRef
) != CFStringGetTypeID())) 
 201                 string key 
= cfString(keyRef
); 
 202                 string value 
= cfString(valueRef
); 
 203                 localizedPrompts
[kAuthorizationRuleParameterDescription
+key
] = value
; 
 211 RuleImpl::RuleImpl() : 
 212 mType(kUser
), mGroupName("admin"), mMaxCredentialAge(300.0), mShared(true), mAllowRoot(false), mSessionOwner(false), mTries(0), mAuthenticateUser(true) 
 214         // XXX/cs read default descriptions from somewhere 
 215         // @@@ Default rule is shared admin group with 5 minute timeout 
 218 // return rule built from rule definition; throw if invalid. 
 219 RuleImpl::RuleImpl(const string 
&inRightName
, CFDictionaryRef cfRight
, CFDictionaryRef cfRules
) : mRightName(inRightName
) 
 221         // @@@ make sure cfRight is non mutable and never used that way 
 223         if (CFGetTypeID(cfRight
) != CFDictionaryGetTypeID()) 
 224                 MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 228         string classTag 
= Attribute::getString(cfRight
, kRuleClassID
, false, ""); 
 230         if (classTag
.length()) 
 232                 if (classTag 
== kAuthorizationRuleClassAllow
) 
 234                         secdebug("authrule", "%s : rule allow", inRightName
.c_str()); 
 237                 else if (classTag 
== kAuthorizationRuleClassDeny
) 
 239                         secdebug("authrule", "%s : rule deny", inRightName
.c_str()); 
 242                 else if (classTag 
== kAuthorizationRuleClassUser
) 
 245                         mGroupName 
= Attribute::getString(cfRight
, kUserGroupID
); 
 246                         // grab other user-in-group attributes 
 247                         mMaxCredentialAge 
= Attribute::getDouble(cfRight
, kTimeoutID
, false, DBL_MAX
); 
 248                         mShared 
= Attribute::getBool(cfRight
, kSharedID
); 
 249                         mAllowRoot 
= Attribute::getBool(cfRight
, kAllowRootID
); 
 250                         mSessionOwner 
= Attribute::getBool(cfRight
, kSessionOwnerID
); 
 251                         // authorization tags can have eval now too 
 252                         mEvalDef 
= Attribute::getVector(cfRight
, kMechanismsID
); 
 253             if (mEvalDef
.size() == 0 && cfRules 
/*only rights default see appserver-admin*/) 
 255                 CFDictionaryRef cfRuleDef 
= reinterpret_cast<CFDictionaryRef
>(CFDictionaryGetValue(cfRules
, CFSTR("authenticate"))); 
 256                                 if (cfRuleDef 
&& CFGetTypeID(cfRuleDef
) == CFDictionaryGetTypeID()) 
 257                     mEvalDef 
= Attribute::getVector(cfRuleDef
, kMechanismsID
); 
 259                         mTries 
= int(Attribute::getDouble(cfRight
, kTriesID
, false, 3.0)); // XXX/cs double(kAuthorizationMaxTries) 
 260                         mAuthenticateUser 
= Attribute::getBool(cfRight
, kRuleAuthenticateUserID
, false, true); 
 262                         secdebug("authrule", "%s : rule user in group \"%s\" timeout %g%s%s", 
 264                                 mGroupName
.c_str(), mMaxCredentialAge
, mShared 
? " shared" : "", 
 265                                 mAllowRoot 
? " allow-root" : ""); 
 268                 else if (classTag 
== kAuthorizationRuleClassMechanisms
) 
 270                         secdebug("authrule", "%s : rule evaluate mechanisms", inRightName
.c_str()); 
 271                         mType 
= kEvaluateMechanisms
; 
 272                         // mechanisms to evaluate 
 273                         mEvalDef 
= Attribute::getVector(cfRight
, kMechanismsID
, true); 
 274                         mTries 
= int(Attribute::getDouble(cfRight
, kTriesID
, false, 0.0)); // "forever" 
 275                         mShared 
= Attribute::getBool(cfRight
, kSharedID
, false, true); 
 277                 else if (classTag 
== kAuthorizationRightRule
) 
 279             assert(cfRules
); // rules can't delegate to other rules 
 280                         secdebug("authrule", "%s : rule delegate rule", inRightName
.c_str()); 
 281                         mType 
= kRuleDelegation
; 
 284                         string ruleDefString 
= Attribute::getString(cfRight
, kRuleDelegateID
, false, ""); 
 285                         if (ruleDefString
.length()) 
 287                                 CFStringRef ruleDefRef 
= makeCFString(ruleDefString
); 
 288                                 CFDictionaryRef cfRuleDef 
= reinterpret_cast<CFDictionaryRef
>(CFDictionaryGetValue(cfRules
, ruleDefRef
)); 
 290                                         CFRelease(ruleDefRef
); 
 291                                 if (!cfRuleDef 
|| CFGetTypeID(cfRuleDef
) != CFDictionaryGetTypeID()) 
 292                                         MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 293                                 mRuleDef
.push_back(Rule(ruleDefString
, cfRuleDef
, cfRules
)); 
 297                                 vector
<string
> ruleDef 
= Attribute::getVector(cfRight
, kRuleDelegateID
, true); 
 298                                 for (vector
<string
>::const_iterator it 
= ruleDef
.begin(); it 
!= ruleDef
.end(); it
++) 
 300                                         CFStringRef ruleNameRef 
= makeCFString(*it
); 
 301                                         CFDictionaryRef cfRuleDef 
= reinterpret_cast<CFDictionaryRef
>(CFDictionaryGetValue(cfRules
, ruleNameRef
)); 
 303                                                 CFRelease(ruleNameRef
); 
 304                                         if (!cfRuleDef 
|| (CFGetTypeID(cfRuleDef
) != CFDictionaryGetTypeID())) 
 305                                                 MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 306                                         mRuleDef
.push_back(Rule(*it
, cfRuleDef
, cfRules
)); 
 310                         mKofN 
= int(Attribute::getDouble(cfRight
, kKofNID
, false, 0.0)); 
 317                         secdebug("authrule", "%s : rule class unknown %s.", inRightName
.c_str(), classTag
.c_str()); 
 318                         MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 323                 // no class tag means, this is the abbreviated specification from the API 
 324                 // it _must_ have a definition for "rule" which will be used as a delegate 
 325                 // it may have a comment (not extracted here) 
 326                 // it may have a default prompt, or a whole dictionary of languages (not extracted here) 
 327                 mType 
= kRuleDelegation
; 
 328                 string ruleName 
= Attribute::getString(cfRight
, kRuleDelegateID
, true); 
 329                 secdebug("authrule", "%s : rule delegate rule (1): %s", inRightName
.c_str(), ruleName
.c_str()); 
 330                 CFStringRef ruleNameRef 
= makeCFString(ruleName
); 
 331                 CFDictionaryRef cfRuleDef 
= reinterpret_cast<CFDictionaryRef
>(CFDictionaryGetValue(cfRules
, ruleNameRef
)); 
 333                         CFRelease(ruleNameRef
); 
 334                 if (!cfRuleDef 
|| CFGetTypeID(cfRuleDef
) != CFDictionaryGetTypeID()) 
 335                         MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 336                 mRuleDef
.push_back(Rule(ruleName
, cfRuleDef
, cfRules
)); 
 339         Attribute::getLocalizedPrompts(cfRight
, mLocalizedPrompts
); 
 349 RuleImpl::setAgentHints(const AuthItemRef 
&inRight
, const Rule 
&inTopLevelRule
, AuthItemSet 
&environmentToClient
, AuthorizationToken 
&auth
) const 
 351         string 
authorizeString(inRight
->name()); 
 352     environmentToClient
.erase(AuthItemRef(AGENT_HINT_AUTHORIZE_RIGHT
));  
 353         environmentToClient
.insert(AuthItemRef(AGENT_HINT_AUTHORIZE_RIGHT
, AuthValueOverlay(authorizeString
))); 
 355         pid_t creatorPid 
= auth
.creatorPid(); 
 356     environmentToClient
.erase(AuthItemRef(AGENT_HINT_CREATOR_PID
));  
 357         environmentToClient
.insert(AuthItemRef(AGENT_HINT_CREATOR_PID
, AuthValueOverlay(sizeof(pid_t
), &creatorPid
))); 
 359         Process 
&thisProcess 
= Server::process(); 
 360         RefPointer
<OSXCode
> clientCode 
= auth
.creatorCode(); 
 361         SecurityAgent::RequestorType requestorType 
= SecurityAgent::unknown
; 
 366                 string encodedBundle 
= clientCode
->encode(); 
 367                 char bundleType 
= (encodedBundle
.c_str())[0]; // yay, no accessor 
 370                    case 'b': requestorType 
= SecurityAgent::bundle
; break; 
 371                    case 't': requestorType 
= SecurityAgent::tool
; break; 
 373                 bundlePath 
= clientCode
->canonicalPath(); 
 376         AuthItemSet processHints 
= SecurityAgent::Client::clientHints(requestorType
, bundlePath
, thisProcess
.pid(), thisProcess
.uid()); 
 377     environmentToClient
.erase(AuthItemRef(AGENT_HINT_CLIENT_TYPE
)); 
 378     environmentToClient
.erase(AuthItemRef(AGENT_HINT_CLIENT_PATH
)); 
 379     environmentToClient
.erase(AuthItemRef(AGENT_HINT_CLIENT_PID
)); 
 380     environmentToClient
.erase(AuthItemRef(AGENT_HINT_CLIENT_UID
)); 
 381     environmentToClient
.insert(processHints
.begin(), processHints
.end()); 
 383         map
<string
,string
> defaultPrompts 
= inTopLevelRule
->localizedPrompts(); 
 385         if (defaultPrompts
.empty()) 
 386                 defaultPrompts 
= localizedPrompts(); 
 388         if (!defaultPrompts
.empty()) 
 390                 map
<string
,string
>::const_iterator it
; 
 391                 for (it 
= defaultPrompts
.begin(); it 
!= defaultPrompts
.end(); it
++) 
 393                         const string 
&key 
= it
->first
; 
 394                         const string 
&value 
= it
->second
; 
 395                         environmentToClient
.insert(AuthItemRef(key
.c_str(), AuthValueOverlay(value
))); 
 399         // add rulename as a hint 
 400         string ruleName 
= name(); 
 401     environmentToClient
.erase(AuthItemRef(AGENT_HINT_AUTHORIZE_RULE
)); 
 402         environmentToClient
.insert(AuthItemRef(AGENT_HINT_AUTHORIZE_RULE
, AuthValueOverlay(ruleName
))); 
 406 RuleImpl::evaluateAuthorization(const AuthItemRef 
&inRight
, const Rule 
&inRule
, 
 407                 AuthItemSet 
&environmentToClient
,  
 408         AuthorizationFlags flags
, CFAbsoluteTime now
,  
 409         const CredentialSet 
*inCredentials
,  
 410         CredentialSet 
&credentials
, AuthorizationToken 
&auth
) const 
 412     OSStatus status 
= errAuthorizationDenied
; 
 415         evaluateSessionOwner(inRight
, inRule
, environmentToClient
, now
, auth
, usernamehint
); 
 416     if (usernamehint
.length()) 
 417                 environmentToClient
.insert(AuthItemRef(AGENT_HINT_SUGGESTED_USER
, AuthValueOverlay(usernamehint
))); 
 419     if ((mType 
== kUser
) && (mGroupName
.length())) 
 420         environmentToClient
.insert(AuthItemRef(AGENT_HINT_REQUIRE_USER_IN_GROUP
, AuthValueOverlay(mGroupName
))); 
 423     SecurityAgent::Reason reason 
= SecurityAgent::noReason
; 
 425         Process 
&cltProc 
= Server::process(); 
 426     // Authorization preserves creator's UID in setuid processes 
 427     uid_t cltUid 
= (cltProc
.uid() != 0) ? cltProc
.uid() : auth
.creatorUid(); 
 428     secdebug("AuthEvalMech", "Mechanism invocation by process %d (UID %d)", cltProc
.pid(), cltUid
); 
 430     AgentMechanismEvaluator 
eval(cltUid
, auth
.session(), mEvalDef
); 
 432     for (tries 
= 0; tries 
< mTries
; tries
++) 
 434                 AuthItemRef 
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
)); 
 435                 environmentToClient
.erase(retryHint
); environmentToClient
.insert(retryHint
); // replace 
 436                 AuthItemRef 
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(tries
), &tries
)); 
 437                 environmentToClient
.erase(triesHint
); environmentToClient
.insert(triesHint
); // replace 
 439         status 
= eval
.run(AuthValueVector(), environmentToClient
, auth
); 
 441         if ((status 
== errAuthorizationSuccess
) || 
 442             (status 
== errAuthorizationCanceled
)) // @@@ can only pass back sideband through context 
 444             secdebug("AuthEvalMech", "storing new context for authorization"); 
 445             auth
.setInfoSet(eval
.context()); 
 448         // successfully ran mechanisms to obtain credential 
 449         if (status 
== errAuthorizationSuccess
) 
 451             // deny is the default 
 452             status 
= errAuthorizationDenied
; 
 454             CredentialSet newCredentials 
= makeCredentials(auth
); 
 455             // clear context after extracting credentials 
 458             for (CredentialSet::const_iterator it 
= newCredentials
.begin(); it 
!= newCredentials
.end(); ++it
) 
 460                 const Credential
& newCredential 
= *it
; 
 462                                 // @@@ we log the uid a process was running under when it created the authref, which is misleading in the case of loginwindow 
 463                                 if (newCredential
->isValid()) 
 464                                         Syslog::info("uid %lu succeeded authenticating as user %s (uid %lu) for right %s.", auth
.creatorUid(), newCredential
->username().c_str(), newCredential
->uid(), inRight
->name()); 
 466                                         // we can't be sure that the user actually exists so inhibit logging of uid 
 467                                         Syslog::error("uid %lu failed to authenticate as user %s for right %s.", auth
.creatorUid(), newCredential
->username().c_str(), inRight
->name()); 
 469                 if (!newCredential
->isValid()) 
 471                     reason 
= SecurityAgent::invalidPassphrase
; //invalidPassphrase; 
 475                 // verify that this credential authorizes right 
 476                 status 
= evaluateCredentialForRight(auth
, inRight
, inRule
, environmentToClient
, now
, newCredential
, true); 
 478                 if (status 
== errAuthorizationSuccess
) 
 480                                         // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent 
 481                     credentials
.erase(newCredential
); credentials
.insert(newCredential
); 
 482                     // use valid credential to set context info 
 483                                         // XXX/cs keeping this for now, such that the uid is passed back 
 484                     auth
.setCredentialInfo(newCredential
); 
 485                     secdebug("SSevalMech", "added valid credential for user %s", newCredential
->username().c_str()); 
 486                     status 
= errAuthorizationSuccess
; 
 490                     reason 
= SecurityAgent::userNotInGroup
; //unacceptableUser; // userNotInGroup 
 493             if (status 
== errAuthorizationSuccess
) 
 497             if ((status 
== errAuthorizationCanceled
) || 
 498                 (status 
== errAuthorizationInternal
)) 
 503             else // last mechanism is now authentication - fail 
 504                 if (status 
== errAuthorizationDenied
) 
 505                     reason 
= SecurityAgent::invalidPassphrase
; 
 509     // If we fell out of the loop because of too many tries, notify user 
 512         reason 
= SecurityAgent::tooManyTries
; 
 513                 AuthItemRef 
retryHint (AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
)); 
 514                 environmentToClient
.erase(retryHint
); environmentToClient
.insert(retryHint
); // replace 
 515                 AuthItemRef 
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(tries
), &tries
)); 
 516                 environmentToClient
.erase(triesHint
); environmentToClient
.insert(triesHint
); // replace 
 517         eval
.run(AuthValueVector(), environmentToClient
, auth
); 
 518         // XXX/cs is this still necessary? 
 521                 CommonCriteria::AuditRecord 
auditrec(auth
.creatorAuditToken()); 
 522                 auditrec
.submit(AUE_ssauthorize
, CommonCriteria::errTooManyTries
, inRight
->name()); 
 528 // create externally verified credentials on the basis of  
 529 // mechanism-provided information 
 531 RuleImpl::makeCredentials(const AuthorizationToken 
&auth
) const 
 533     // fetch context and construct a credential to be tested 
 534     const AuthItemSet 
&context 
= const_cast<AuthorizationToken 
&>(auth
).infoSet(); 
 535     CredentialSet newCredentials
; 
 538         AuthItemSet::const_iterator found 
= find_if(context
.begin(), context
.end(), FindAuthItemByRightName(kAuthorizationEnvironmentUsername
) ); 
 539         if (found 
== context
.end()) 
 541         string username 
= (**found
).stringValue(); 
 542         secdebug("AuthEvalMech", "found username"); 
 544         const uid_t 
*uid 
= NULL
; 
 545         found 
= find_if(context
.begin(), context
.end(), FindAuthItemByRightName("uid") ); 
 546         if (found 
!= context
.end()) 
 548             uid 
= static_cast<const uid_t 
*>((**found
).value().data
); 
 549             secdebug("AuthEvalMech", "found uid"); 
 552         const gid_t 
*gid 
= NULL
; 
 553         found 
= find_if(context
.begin(), context
.end(), FindAuthItemByRightName("gid") ); 
 554         if (found 
!= context
.end()) 
 556             gid 
= static_cast<const gid_t 
*>((**found
).value().data
); 
 557             secdebug("AuthEvalMech", "found gid"); 
 560         if (username
.length() && uid 
&& gid
) 
 562             // credential is valid because mechanism says so 
 563             newCredentials
.insert(Credential(username
, *uid
, *gid
, mShared
)); 
 567             found 
= find_if(context
.begin(), context
.end(), FindAuthItemByRightName(kAuthorizationEnvironmentPassword
) ); 
 568             if (found 
!= context
.end()) 
 570                 secdebug("AuthEvalMech", "found password"); 
 571                 string password 
= (**found
).stringValue(); 
 572                 secdebug("AuthEvalMech", "falling back on username/password credential if valid"); 
 573                                 Credential 
newCred(username
, password
, mShared
); 
 574                 newCredentials
.insert(newCred
); 
 575                                 CommonCriteria::AuditRecord 
auditrec(auth
.creatorAuditToken()); 
 576                                 if (newCred
->isValid()) 
 577                                         auditrec
.submit(AUE_ssauthorize
, CommonCriteria::errNone
, name().c_str()); 
 579                                         auditrec
.submit(AUE_ssauthorize
, CommonCriteria::errInvalidCredential
, name().c_str()); 
 584     return newCredentials
; 
 587 // evaluate whether a good credential of the current session owner would authorize a right 
 589 RuleImpl::evaluateSessionOwner(const AuthItemRef 
&inRight
, const Rule 
&inRule
, 
 590                            const AuthItemSet 
&environment
, 
 591                            const CFAbsoluteTime now
, 
 592                            const AuthorizationToken 
&auth
, 
 593                            string
& usernamehint
) const 
 595     // username hint is taken from the user who created the authorization, unless it's clearly ineligible 
 596         OSStatus status 
= noErr
; 
 597         // @@@ we have no access to current requester uid here and the process uid is only taken when the authorization is created 
 598         // meaning that a process like loginwindow that drops privs later is screwed. 
 601         Session 
&session 
= auth
.session(); 
 603         if (session
.haveOriginatorUid()) 
 604                 uid 
= session
.originatorUid(); 
 606                 uid 
= auth
.creatorUid(); 
 608         Server::active().longTermActivity(); 
 609         struct passwd 
*pw 
= getpwuid(uid
); 
 612                 // avoid hinting a locked account 
 613                 if ( (pw
->pw_passwd 
== NULL
) || 
 614                                 strcmp(pw
->pw_passwd
, "*") ) { 
 615                         // Check if username will authorize the request and set username to 
 616                         // be used as a hint to the user if so 
 617                         secdebug("AuthEvalMech", "preflight credential from current user, result follows:"); 
 618                         status 
= evaluateCredentialForRight(auth
, inRight
, inRule
, environment
, now
, Credential(pw
->pw_name
, pw
->pw_uid
, pw
->pw_gid
, mShared
), true); 
 620                         if (status 
== errAuthorizationSuccess
)  
 621                                 usernamehint 
= pw
->pw_name
; 
 630 // Return errAuthorizationSuccess if this rule allows access based on the specified credential, 
 631 // return errAuthorizationDenied otherwise. 
 633 RuleImpl::evaluateCredentialForRight(const AuthorizationToken 
&auth
, const AuthItemRef 
&inRight
, const Rule 
&inRule
, const AuthItemSet 
&environment
, CFAbsoluteTime now
, const Credential 
&credential
, bool ignoreShared
) const 
 635         assert(mType 
== kUser
); 
 637         // Get the username from the credential 
 638         const char *user 
= credential
->username().c_str(); 
 640         // If the credential is not valid or it's age is more than the allowed maximum age 
 641         // for a credential, deny. 
 642         if (!credential
->isValid()) 
 644                 secdebug("autheval", "credential for user %s is invalid, denying right %s", user
, inRight
->name()); 
 645                 return errAuthorizationDenied
; 
 648         if (now 
- credential
->creationTime() > mMaxCredentialAge
) 
 650                 secdebug("autheval", "credential for user %s has expired, denying right %s", user
, inRight
->name()); 
 651                 return errAuthorizationDenied
; 
 654         if (!ignoreShared 
&& !mShared 
&& credential
->isShared()) 
 656                 secdebug("autheval", "shared credential for user %s cannot be used, denying right %s", user
, inRight
->name()); 
 657                 return errAuthorizationDenied
; 
 660         // A root (uid == 0) user can do anything 
 661         if (credential
->uid() == 0) 
 663                 secdebug("autheval", "user %s has uid 0, granting right %s", user
, inRight
->name()); 
 664                 return errAuthorizationSuccess
; 
 669                 Session 
&session 
= auth
.session(); 
 670                 if (session
.haveOriginatorUid()) 
 672                         uid_t console_user 
= session
.originatorUid(); 
 674             if (credential
->uid() == console_user
) 
 676                 secdebug("autheval", "user %s is session-owner(uid: %d), granting right %s", user
, console_user
, inRight
->name()); 
 677                 return errAuthorizationSuccess
; 
 681             secdebug("autheval", "session-owner check failed."); 
 684         if (mGroupName
.length()) 
 686                 const char *groupname 
= mGroupName
.c_str(); 
 687                 Server::active().longTermActivity(); 
 690                         return errAuthorizationDenied
; 
 694                         uuid_t group_uuid
, user_uuid
; 
 697                         if (mbr_group_name_to_uuid(groupname
, group_uuid
)) 
 700                         if (mbr_uid_to_uuid(credential
->uid(), user_uuid
)) 
 703                         if (mbr_check_membership(user_uuid
, group_uuid
, &is_member
)) 
 708                                 secdebug("autheval", "user %s is a member of group %s, granting right %s", 
 709                                         user
, groupname
, inRight
->name()); 
 710                                 return errAuthorizationSuccess
; 
 716                 secdebug("autheval", "user %s is not a member of group %s, denying right %s", 
 717                         user
, groupname
, inRight
->name()); 
 720         return errAuthorizationDenied
; 
 726 RuleImpl::evaluateUser(const AuthItemRef 
&inRight
, const Rule 
&inRule
, 
 727     AuthItemSet 
&environmentToClient
, AuthorizationFlags flags
, 
 728         CFAbsoluteTime now
, const CredentialSet 
*inCredentials
, CredentialSet 
&credentials
, 
 729         AuthorizationToken 
&auth
) const 
 731         // If we got here, this is a kUser type rule, let's start looking for a 
 732         // credential that is satisfactory 
 734         // Zeroth -- Here is an extra special saucy ugly hack to allow authorizations 
 735         // created by a proccess running as root to automatically get a right. 
 736         if (mAllowRoot 
&& auth
.creatorUid() == 0) 
 738                 secdebug("autheval", "creator of authorization has uid == 0 granting right %s", 
 740                 return errAuthorizationSuccess
; 
 743         // if we're not supposed to authenticate evaluate the session-owner against the group 
 744         if (!mAuthenticateUser
) 
 747                 OSStatus status 
= evaluateSessionOwner(inRight
, inRule
, environmentToClient
, now
, auth
, username
); 
 750                         return errAuthorizationSuccess
; 
 752                 return errAuthorizationDenied
; 
 755         // First -- go though the credentials we either already used or obtained during this authorize operation. 
 756         for (CredentialSet::const_iterator it 
= credentials
.begin(); it 
!= credentials
.end(); ++it
) 
 758                 OSStatus status 
= evaluateCredentialForRight(auth
, inRight
, inRule
, environmentToClient
, now
, *it
, true); 
 759                 if (status 
!= errAuthorizationDenied
) 
 761                         // add credential to authinfo 
 762                         auth
.setCredentialInfo(*it
); 
 767         // Second -- go though the credentials passed in to this authorize operation by the state management layer. 
 770                 for (CredentialSet::const_iterator it 
= inCredentials
->begin(); it 
!= inCredentials
->end(); ++it
) 
 772                         OSStatus status 
= evaluateCredentialForRight(auth
, inRight
, inRule
, environmentToClient
, now
, *it
, false); 
 773                         if (status 
== errAuthorizationSuccess
) 
 775                                 // Add the credential we used to the output set. 
 776                                 // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent 
 777                                 credentials
.erase(*it
); credentials
.insert(*it
); 
 778                 // add credential to authinfo 
 779                 auth
.setCredentialInfo(*it
); 
 783                         else if (status 
!= errAuthorizationDenied
) 
 788         // Finally -- We didn't find the credential in our passed in credential lists.  Obtain a new credential if 
 789         // our flags let us do so. 
 790         if (!(flags 
& kAuthorizationFlagExtendRights
)) 
 791                 return errAuthorizationDenied
; 
 793         // authorizations that timeout immediately cannot be preauthorized 
 794         if ((flags 
& kAuthorizationFlagPreAuthorize
) &&  
 795                 (mMaxCredentialAge 
== 0.0)) 
 797                 inRight
->setFlags(inRight
->flags() | kAuthorizationFlagCanNotPreAuthorize
); 
 798                 return errAuthorizationSuccess
; 
 801         if (!(flags 
& kAuthorizationFlagInteractionAllowed
)) 
 802                 return errAuthorizationInteractionNotAllowed
; 
 804         setAgentHints(inRight
, inRule
, environmentToClient
, auth
); 
 806     // If a different evaluation is prescribed, 
 807     // we'll run that and validate the credentials from there 
 808     // we fall back on a default configuration 
 809         return evaluateAuthorization(inRight
, inRule
, environmentToClient
, flags
, now
, inCredentials
, credentials
, auth
); 
 813 RuleImpl::evaluateMechanismOnly(const AuthItemRef 
&inRight
, const Rule 
&inRule
, AuthItemSet 
&environmentToClient
, AuthorizationToken 
&auth
, CredentialSet 
&outCredentials
) const 
 818         Process 
&cltProc 
= Server::process(); 
 819     // Authorization preserves creator's UID in setuid processes 
 820     uid_t cltUid 
= (cltProc
.uid() != 0) ? cltProc
.uid() : auth
.creatorUid(); 
 821     secdebug("AuthEvalMech", "Mechanism invocation by process %d (UID %d)", cltProc
.pid(), cltUid
); 
 824         AgentMechanismEvaluator 
eval(cltUid
, auth
.session(), mEvalDef
); 
 828             setAgentHints(inRight
, inRule
, environmentToClient
, auth
); 
 829             AuthItemRef 
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(tries
), &tries
)); 
 830             environmentToClient
.erase(triesHint
); environmentToClient
.insert(triesHint
); // replace 
 832             status 
= eval
.run(AuthValueVector(), environmentToClient
, auth
); 
 834             if ((status 
== errAuthorizationSuccess
) || 
 835                 (status 
== errAuthorizationCanceled
)) // @@@ can only pass back sideband through context 
 837                 secdebug("AuthEvalMech", "storing new context for authorization"); 
 838                 auth
.setInfoSet(eval
.context()); 
 839                 if (status 
== errAuthorizationSuccess
) 
 841                     outCredentials 
= makeCredentials(auth
); 
 847         while ((status 
== errAuthorizationDenied
) // only if we have an expected failure we continue 
 848                     && ((mTries 
== 0)                           // mTries == 0 means we try forever 
 849                         || ((mTries 
> 0)                        // mTries > 0 means we try up to mTries times 
 850                             && (tries 
< mTries
)))); 
 853     // HACK kill all hosts to free pages for low memory systems 
 854         if (name() == "system.login.console") 
 856                 QueryInvokeMechanism 
query(securityAgent
, auth
.session()); 
 857                 query
.terminateAgent(); 
 858                 QueryInvokeMechanism 
query2(privilegedAuthHost
, auth
.session()); 
 859                 query2
.terminateAgent(); 
 866 RuleImpl::evaluateRules(const AuthItemRef 
&inRight
, const Rule 
&inRule
, 
 867     AuthItemSet 
&environmentToClient
, AuthorizationFlags flags
, 
 868         CFAbsoluteTime now
, const CredentialSet 
*inCredentials
, CredentialSet 
&credentials
, 
 869         AuthorizationToken 
&auth
) const 
 871         // line up the rules to try 
 872         if (!mRuleDef
.size()) 
 873                 return errAuthorizationSuccess
; 
 876         OSStatus status 
= errAuthorizationSuccess
; 
 877         vector
<Rule
>::const_iterator it
; 
 879         for (it 
= mRuleDef
.begin();it 
!= mRuleDef
.end(); it
++) 
 882                 if ((mType 
== kKofN
) && (count 
== mKofN
)) 
 883                         return errAuthorizationSuccess
; 
 885                 // get a rule and try it 
 886                 status 
= (*it
)->evaluate(inRight
, inRule
, environmentToClient
, flags
, now
, inCredentials
, credentials
, auth
); 
 888                 // if status is cancel/internal error abort 
 889                 if ((status 
== errAuthorizationCanceled
) || (status 
== errAuthorizationInternal
)) 
 892                 if (status 
!= errAuthorizationSuccess
) 
 894                         // continue if we're only looking for k of n 
 904         return status
; // return the last failure 
 909 RuleImpl::evaluate(const AuthItemRef 
&inRight
, const Rule 
&inRule
, 
 910     AuthItemSet 
&environmentToClient
, AuthorizationFlags flags
, 
 911         CFAbsoluteTime now
, const CredentialSet 
*inCredentials
, CredentialSet 
&credentials
, 
 912         AuthorizationToken 
&auth
) const 
 917                 secdebug("autheval", "rule is always allow"); 
 918                 return errAuthorizationSuccess
; 
 920                 secdebug("autheval", "rule is always deny"); 
 921                 return errAuthorizationDenied
; 
 923                 secdebug("autheval", "rule is user"); 
 924                 return evaluateUser(inRight
, inRule
, environmentToClient
, flags
, now
, inCredentials
, credentials
, auth
); 
 925         case kRuleDelegation
: 
 926         secdebug("autheval", "rule evaluates rules"); 
 927                 return evaluateRules(inRight
, inRule
, environmentToClient
, flags
, now
, inCredentials
, credentials
, auth
); 
 929         secdebug("autheval", "rule evaluates k-of-n rules"); 
 930                 return evaluateRules(inRight
, inRule
, environmentToClient
, flags
, now
, inCredentials
, credentials
, auth
); 
 931     case kEvaluateMechanisms
: 
 932         secdebug("autheval", "rule evaluates mechanisms"); 
 933         return evaluateMechanismOnly(inRight
, inRule
, environmentToClient
, auth
, credentials
); 
 935                 MacOSError::throwMe(errAuthorizationInternal
); // XXX/cs invalid rule 
 939 Rule::Rule() : RefPointer
<RuleImpl
>(new RuleImpl()) {} 
 940 Rule::Rule(const string 
&inRightName
, CFDictionaryRef cfRight
, CFDictionaryRef cfRules
) : RefPointer
<RuleImpl
>(new RuleImpl(inRightName
, cfRight
, cfRules
)) {} 
 944 } // end namespace Authorization