securityd-55199.3.tar.gz

[apple/securityd.git] / src / AuthorizationRule.cpp
diff --git a/src/AuthorizationRule.cpp b/src/AuthorizationRule.cpp

index fdbbac9fa9f54dcda52fe7b62aa312523c6e3d52..451618f51c13adbdcf880d429f9abf4a8c042dfb 100644 (file)
--- a/src/AuthorizationRule.cpp
+++ b/src/AuthorizationRule.cpp
@@ -1,5 +1,5 @@
  /*
  /*
- *  Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
+ *  Copyright (c) 2003-2004,2008-2009 Apple Inc. All Rights Reserved.
   *
   *  @APPLE_LICENSE_HEADER_START@
   *  
   *
   *  @APPLE_LICENSE_HEADER_START@
   *  
@@ -31,14 +31,15 @@
  #include <Security/AuthorizationDB.h>
  #include <Security/AuthorizationPriv.h>
  #include <security_utilities/logging.h>
  #include <Security/AuthorizationDB.h>
  #include <Security/AuthorizationPriv.h>
  #include <security_utilities/logging.h>
-#include <security_utilities/ccaudit.h>
  #include <bsm/audit_uevents.h>
  #include <bsm/audit_uevents.h>
+#include "ccaudit_extensions.h"
  #include "authority.h"
  #include "server.h"
  #include "process.h"
  #include "agentquery.h"
  #include "AuthorizationMechEval.h"
  
  #include "authority.h"
  #include "server.h"
  #include "process.h"
  #include "agentquery.h"
  #include "AuthorizationMechEval.h"
  
+#include <asl.h>
  #include <pwd.h>
  #include <grp.h>
  #include <unistd.h>
  #include <pwd.h>
  #include <grp.h>
  #include <unistd.h>
@@ -48,6 +49,8 @@ extern "C" {
  #include <membershipPriv.h>
  }
  
  #include <membershipPriv.h>
  }
  
+using namespace CommonCriteria::Securityd;
+    
  //
  // Rule class
  //
  //
  // Rule class
  //
@@ -61,7 +64,9 @@ CFStringRef RuleImpl::kMechanismsID = CFSTR(kAuthorizationRuleParameterMechanism
  CFStringRef RuleImpl::kSessionOwnerID = CFSTR(kAuthorizationRuleParameterCredentialSessionOwner);
  CFStringRef RuleImpl::kKofNID = CFSTR(kAuthorizationRuleParameterKofN);
  CFStringRef RuleImpl::kPromptID = CFSTR(kAuthorizationRuleParameterDefaultPrompt);
  CFStringRef RuleImpl::kSessionOwnerID = CFSTR(kAuthorizationRuleParameterCredentialSessionOwner);
  CFStringRef RuleImpl::kKofNID = CFSTR(kAuthorizationRuleParameterKofN);
  CFStringRef RuleImpl::kPromptID = CFSTR(kAuthorizationRuleParameterDefaultPrompt);
+CFStringRef RuleImpl::kButtonID = CFSTR(kAuthorizationRuleParameterDefaultButton);
  CFStringRef RuleImpl::kTriesID = CFSTR("tries"); // XXX/cs move to AuthorizationTagsPriv.h
  CFStringRef RuleImpl::kTriesID = CFSTR("tries"); // XXX/cs move to AuthorizationTagsPriv.h
+CFStringRef RuleImpl::kExtractPasswordID = CFSTR(kAuthorizationRuleParameterExtractPassword);
  
  CFStringRef RuleImpl::kRuleClassID = CFSTR(kAuthorizationRuleClass);
  CFStringRef RuleImpl::kRuleAllowID = CFSTR(kAuthorizationRuleClassAllow);
  
  CFStringRef RuleImpl::kRuleClassID = CFSTR(kAuthorizationRuleClass);
  CFStringRef RuleImpl::kRuleAllowID = CFSTR(kAuthorizationRuleClassAllow);
@@ -73,7 +78,7 @@ CFStringRef RuleImpl::kRuleAuthenticateUserID = CFSTR(kAuthorizationRuleParamete
  
  
  string
  
  
  string
-RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool required = false, char *defaultValue = "")
+RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool required = false, const char *defaultValue = "")
  {
         CFTypeRef value = CFDictionaryGetValue(config, key);
         if (value && (CFGetTypeID(value) == CFStringGetTypeID()))
  {
         CFTypeRef value = CFDictionaryGetValue(config, key);
         if (value && (CFGetTypeID(value) == CFStringGetTypeID()))
@@ -86,7 +91,10 @@ RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool req
                         if (CFStringGetCString(stringValue, buffer, sizeof(buffer), kCFStringEncodingUTF8))
                                 ptr = buffer;
                         else
                         if (CFStringGetCString(stringValue, buffer, sizeof(buffer), kCFStringEncodingUTF8))
                                 ptr = buffer;
                         else
-                               MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+                       {
+                               Syslog::alert("Could not convert CFString to C string");
+                               MacOSError::throwMe(errAuthorizationInternal);
+                       }
                 }
  
                 return string(ptr);
                 }
  
                 return string(ptr);
@@ -95,7 +103,10 @@ RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool req
                 if (!required)
                         return string(defaultValue);
                 else
                 if (!required)
                         return string(defaultValue);
                 else
-                       MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+               {
+                       Syslog::alert("Failed to get rule string");
+                       MacOSError::throwMe(errAuthorizationInternal);
+               }
  }                      
  
  double
  }                      
  
  double
@@ -112,7 +123,10 @@ RuleImpl::Attribute::getDouble(CFDictionaryRef config, CFStringRef key, bool req
                 if (!required)
                         return defaultValue;
                 else
                 if (!required)
                         return defaultValue;
                 else
-                       MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+               {
+                       Syslog::alert("Failed to get rule double value");
+                       MacOSError::throwMe(errAuthorizationInternal);
+               }
                         
         return doubleValue;
  }
                         
         return doubleValue;
  }
@@ -131,7 +145,10 @@ RuleImpl::Attribute::getBool(CFDictionaryRef config, CFStringRef key, bool requi
                 if (!required)
                         return defaultValue;
                 else
                 if (!required)
                         return defaultValue;
                 else
-                       MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+               {
+                       Syslog::alert("Failed to get rule bool value");
+                       MacOSError::throwMe(errAuthorizationInternal);
+               }
         
         return boolValue;
  }
         
         return boolValue;
  }
@@ -146,7 +163,8 @@ RuleImpl::Attribute::getVector(CFDictionaryRef config, CFStringRef key, bool req
         {
                 CFArrayRef evalArray = reinterpret_cast<CFArrayRef>(value);
  
         {
                 CFArrayRef evalArray = reinterpret_cast<CFArrayRef>(value);
  
-               for (int index=0; index < CFArrayGetCount(evalArray); index++)
+        CFIndex numItems = CFArrayGetCount(evalArray);
+               for (CFIndex index=0; index < numItems; index++)
                 {
                         CFTypeRef arrayValue = CFArrayGetValueAtIndex(evalArray, index);
                         if (arrayValue && (CFGetTypeID(arrayValue) == CFStringGetTypeID()))
                 {
                         CFTypeRef arrayValue = CFArrayGetValueAtIndex(evalArray, index);
                         if (arrayValue && (CFGetTypeID(arrayValue) == CFStringGetTypeID()))
@@ -159,7 +177,10 @@ RuleImpl::Attribute::getVector(CFDictionaryRef config, CFStringRef key, bool req
                                         if (CFStringGetCString(stringValue, buffer, sizeof(buffer), kCFStringEncodingUTF8))
                                                 ptr = buffer;
                                         else
                                         if (CFStringGetCString(stringValue, buffer, sizeof(buffer), kCFStringEncodingUTF8))
                                                 ptr = buffer;
                                         else
-                                               MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+                                       {
+                                               Syslog::alert("Failed to convert CFString to C string for item %u in array", index);
+                                               MacOSError::throwMe(errAuthorizationInternal);
+                                       }
                                 }
                                 valueArray.push_back(string(ptr));
                         }
                                 }
                                 valueArray.push_back(string(ptr));
                         }
@@ -167,19 +188,22 @@ RuleImpl::Attribute::getVector(CFDictionaryRef config, CFStringRef key, bool req
         }
         else
                 if (required)
         }
         else
                 if (required)
-                       MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+               {
+                       Syslog::alert("Value for key either not present or not a CFArray");
+                       MacOSError::throwMe(errAuthorizationInternal);
+               }
                         
         return valueArray;
  }
  
  
                         
         return valueArray;
  }
  
  
-bool RuleImpl::Attribute::getLocalizedPrompts(CFDictionaryRef config, map<string,string> &localizedPrompts)
+bool RuleImpl::Attribute::getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey)
  {
         CFIndex numberOfPrompts = 0;
         CFDictionaryRef promptsDict;
  {
         CFIndex numberOfPrompts = 0;
         CFDictionaryRef promptsDict;
-       if (CFDictionaryContainsKey(config, kPromptID))
+       if (CFDictionaryContainsKey(config, dictKey))
         {
         {
-               promptsDict = reinterpret_cast<CFDictionaryRef>(CFDictionaryGetValue(config, kPromptID));
+               promptsDict = reinterpret_cast<CFDictionaryRef>(CFDictionaryGetValue(config, dictKey));
                 if (promptsDict && (CFGetTypeID(promptsDict) == CFDictionaryGetTypeID()))
                         numberOfPrompts = CFDictionaryGetCount(promptsDict);
         }
                 if (promptsDict && (CFGetTypeID(promptsDict) == CFDictionaryGetTypeID()))
                         numberOfPrompts = CFDictionaryGetCount(promptsDict);
         }
@@ -194,13 +218,15 @@ bool RuleImpl::Attribute::getLocalizedPrompts(CFDictionaryRef config, map<string
         {
                 CFStringRef keyRef = reinterpret_cast<CFStringRef>(keys[numberOfPrompts]);
                 CFStringRef valueRef = reinterpret_cast<CFStringRef>(values[numberOfPrompts]);
         {
                 CFStringRef keyRef = reinterpret_cast<CFStringRef>(keys[numberOfPrompts]);
                 CFStringRef valueRef = reinterpret_cast<CFStringRef>(values[numberOfPrompts]);
-               if (!keyRef || (CFGetTypeID(keyRef) != CFStringGetTypeID()))
+               if (!keyRef || (CFGetTypeID(keyRef) != CFStringGetTypeID())) {
                         continue;
                         continue;
-               if (!valueRef || (CFGetTypeID(valueRef) != CFStringGetTypeID()))
+               }
+               if (!valueRef || (CFGetTypeID(valueRef) != CFStringGetTypeID())) {
                         continue;
                         continue;
+               }
                 string key = cfString(keyRef);
                 string value = cfString(valueRef);
                 string key = cfString(keyRef);
                 string value = cfString(valueRef);
-               localizedPrompts[kAuthorizationRuleParameterDescription+key] = value;
+               localizedPrompts[descriptionKey + key] = value;
         }
  
         return true;
         }
  
         return true;
@@ -209,19 +235,22 @@ bool RuleImpl::Attribute::getLocalizedPrompts(CFDictionaryRef config, map<string
  
  // default rule
  RuleImpl::RuleImpl() :
  
  // default rule
  RuleImpl::RuleImpl() :
-mType(kUser), mGroupName("admin"), mMaxCredentialAge(300.0), mShared(true), mAllowRoot(false), mSessionOwner(false), mTries(0), mAuthenticateUser(true)
+mType(kUser), mGroupName("admin"), mMaxCredentialAge(300.0), mShared(true), mAllowRoot(false), mSessionOwner(false), mTries(0), mAuthenticateUser(true), mExtractPassword(false)
  {
         // XXX/cs read default descriptions from somewhere
         // @@@ Default rule is shared admin group with 5 minute timeout
  }
  
  // return rule built from rule definition; throw if invalid.
  {
         // XXX/cs read default descriptions from somewhere
         // @@@ Default rule is shared admin group with 5 minute timeout
  }
  
  // return rule built from rule definition; throw if invalid.
-RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules) : mRightName(inRightName)
+RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules) : mRightName(inRightName), mExtractPassword(false)
  {
         // @@@ make sure cfRight is non mutable and never used that way
         
         if (CFGetTypeID(cfRight) != CFDictionaryGetTypeID())
  {
         // @@@ make sure cfRight is non mutable and never used that way
         
         if (CFGetTypeID(cfRight) != CFDictionaryGetTypeID())
-               MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+       {
+               Syslog::alert("Invalid rights set");
+               MacOSError::throwMe(errAuthorizationInternal);
+       }
                         
         mTries = 0;
  
                         
         mTries = 0;
  
@@ -250,14 +279,15 @@ RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDiction
                         mSessionOwner = Attribute::getBool(cfRight, kSessionOwnerID);
                         // authorization tags can have eval now too
                         mEvalDef = Attribute::getVector(cfRight, kMechanismsID);
                         mSessionOwner = Attribute::getBool(cfRight, kSessionOwnerID);
                         // authorization tags can have eval now too
                         mEvalDef = Attribute::getVector(cfRight, kMechanismsID);
-            if (mEvalDef.size() == 0 && cfRules /*only rights default see appserver-admin*/)
-            {
-                CFDictionaryRef cfRuleDef = reinterpret_cast<CFDictionaryRef>(CFDictionaryGetValue(cfRules, CFSTR("authenticate")));
+                       if (mEvalDef.size() == 0 && cfRules /*only rights default see appserver-admin*/)
+                       {
+                               CFDictionaryRef cfRuleDef = reinterpret_cast<CFDictionaryRef>(CFDictionaryGetValue(cfRules, CFSTR("authenticate")));
                                 if (cfRuleDef && CFGetTypeID(cfRuleDef) == CFDictionaryGetTypeID())
                                 if (cfRuleDef && CFGetTypeID(cfRuleDef) == CFDictionaryGetTypeID())
-                    mEvalDef = Attribute::getVector(cfRuleDef, kMechanismsID);
-            }
-                       mTries = int(Attribute::getDouble(cfRight, kTriesID, false, 3.0)); // XXX/cs double(kAuthorizationMaxTries)
+                                       mEvalDef = Attribute::getVector(cfRuleDef, kMechanismsID);
+                       }
+                       mTries = int(Attribute::getDouble(cfRight, kTriesID, false, double(kMaximumAuthorizationTries)));
                         mAuthenticateUser = Attribute::getBool(cfRight, kRuleAuthenticateUserID, false, true);
                         mAuthenticateUser = Attribute::getBool(cfRight, kRuleAuthenticateUserID, false, true);
+                       mExtractPassword = Attribute::getBool(cfRight, kExtractPasswordID, false, false);
  
                         secdebug("authrule", "%s : rule user in group \"%s\" timeout %g%s%s",
                                 inRightName.c_str(),
  
                         secdebug("authrule", "%s : rule user in group \"%s\" timeout %g%s%s",
                                 inRightName.c_str(),
@@ -273,10 +303,11 @@ RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDiction
                         mEvalDef = Attribute::getVector(cfRight, kMechanismsID, true);
                         mTries = int(Attribute::getDouble(cfRight, kTriesID, false, 0.0)); // "forever"
                         mShared = Attribute::getBool(cfRight, kSharedID, false, true);
                         mEvalDef = Attribute::getVector(cfRight, kMechanismsID, true);
                         mTries = int(Attribute::getDouble(cfRight, kTriesID, false, 0.0)); // "forever"
                         mShared = Attribute::getBool(cfRight, kSharedID, false, true);
+                       mExtractPassword = Attribute::getBool(cfRight, kExtractPasswordID, false, false);
                 }
                 else if (classTag == kAuthorizationRightRule)
                 {
                 }
                 else if (classTag == kAuthorizationRightRule)
                 {
-            assert(cfRules); // rules can't delegate to other rules
+                       assert(cfRules); // rules can't delegate to other rules
                         secdebug("authrule", "%s : rule delegate rule", inRightName.c_str());
                         mType = kRuleDelegation;
  
                         secdebug("authrule", "%s : rule delegate rule", inRightName.c_str());
                         mType = kRuleDelegation;
  
@@ -289,7 +320,10 @@ RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDiction
                                 if (ruleDefRef)
                                         CFRelease(ruleDefRef);
                                 if (!cfRuleDef || CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID())
                                 if (ruleDefRef)
                                         CFRelease(ruleDefRef);
                                 if (!cfRuleDef || CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID())
-                                       MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+                               {
+                                       Syslog::alert("'%s' does not name a built-in rule", ruleDefString.c_str());
+                                       MacOSError::throwMe(errAuthorizationInternal);
+                               }
                                 mRuleDef.push_back(Rule(ruleDefString, cfRuleDef, cfRules));
                         }
                         else // array
                                 mRuleDef.push_back(Rule(ruleDefString, cfRuleDef, cfRules));
                         }
                         else // array
@@ -302,7 +336,10 @@ RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDiction
                                         if (ruleNameRef)
                                                 CFRelease(ruleNameRef);
                                         if (!cfRuleDef || (CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID()))
                                         if (ruleNameRef)
                                                 CFRelease(ruleNameRef);
                                         if (!cfRuleDef || (CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID()))
-                                               MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+                                       {
+                                               Syslog::alert("Invalid rule '%s'in rule set", it->c_str());
+                                               MacOSError::throwMe(errAuthorizationInternal);
+                                       }
                                         mRuleDef.push_back(Rule(*it, cfRuleDef, cfRules));
                                 }
                         }
                                         mRuleDef.push_back(Rule(*it, cfRuleDef, cfRules));
                                 }
                         }
@@ -314,8 +351,9 @@ RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDiction
                 }
                 else
                 {
                 }
                 else
                 {
-                       secdebug("authrule", "%s : rule class unknown %s.", inRightName.c_str(), classTag.c_str());
-                       MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+                       secdebug("authrule", "%s : rule class '%s' unknown.", inRightName.c_str(), classTag.c_str());
+                       Syslog::alert("%s : rule class '%s' unknown", inRightName.c_str(), classTag.c_str());
+                       MacOSError::throwMe(errAuthorizationInternal);
                 }
         }
         else
                 }
         }
         else
@@ -332,11 +370,15 @@ RuleImpl::RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDiction
                 if (ruleNameRef)
                         CFRelease(ruleNameRef);
                 if (!cfRuleDef || CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID())
                 if (ruleNameRef)
                         CFRelease(ruleNameRef);
                 if (!cfRuleDef || CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID())
-                       MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+               {
+                       Syslog::alert("Rule '%s' for right '%s' does not exist or is not properly formed", ruleName.c_str(), inRightName.c_str());
+                       MacOSError::throwMe(errAuthorizationInternal);
+               }
                 mRuleDef.push_back(Rule(ruleName, cfRuleDef, cfRules));
         }
  
                 mRuleDef.push_back(Rule(ruleName, cfRuleDef, cfRules));
         }
  
-       Attribute::getLocalizedPrompts(cfRight, mLocalizedPrompts);
+       Attribute::getLocalizedText(cfRight, mLocalizedPrompts, kPromptID, kAuthorizationRuleParameterDescription);
+       Attribute::getLocalizedText(cfRight, mLocalizedButtons, kButtonID, kAuthorizationRuleParameterButton);
  }
  
  /*
  }
  
  /*
@@ -349,41 +391,36 @@ void
  RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const
  {
         string authorizeString(inRight->name());
  RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const
  {
         string authorizeString(inRight->name());
-    environmentToClient.erase(AuthItemRef(AGENT_HINT_AUTHORIZE_RIGHT)); 
+       environmentToClient.erase(AuthItemRef(AGENT_HINT_AUTHORIZE_RIGHT)); 
         environmentToClient.insert(AuthItemRef(AGENT_HINT_AUTHORIZE_RIGHT, AuthValueOverlay(authorizeString)));
  
         pid_t creatorPid = auth.creatorPid();
         environmentToClient.insert(AuthItemRef(AGENT_HINT_AUTHORIZE_RIGHT, AuthValueOverlay(authorizeString)));
  
         pid_t creatorPid = auth.creatorPid();
-    environmentToClient.erase(AuthItemRef(AGENT_HINT_CREATOR_PID)); 
+       environmentToClient.erase(AuthItemRef(AGENT_HINT_CREATOR_PID)); 
         environmentToClient.insert(AuthItemRef(AGENT_HINT_CREATOR_PID, AuthValueOverlay(sizeof(pid_t), &creatorPid)));
  
         environmentToClient.insert(AuthItemRef(AGENT_HINT_CREATOR_PID, AuthValueOverlay(sizeof(pid_t), &creatorPid)));
  
+       audit_token_t creatorAuditToken = auth.creatorAuditToken().auditToken();
+       environmentToClient.erase(AuthItemRef(AGENT_HINT_CREATOR_AUDIT_TOKEN));
+       environmentToClient.insert(AuthItemRef(AGENT_HINT_CREATOR_AUDIT_TOKEN, AuthValueOverlay(sizeof(audit_token_t), &creatorAuditToken)));
+
         Process &thisProcess = Server::process();
         Process &thisProcess = Server::process();
-       RefPointer<OSXCode> clientCode = auth.creatorCode();
-       SecurityAgent::RequestorType requestorType = SecurityAgent::unknown;
         string bundlePath;
         string bundlePath;
-       
-       if (clientCode)
-       {
-               string encodedBundle = clientCode->encode();
-               char bundleType = (encodedBundle.c_str())[0]; // yay, no accessor
-               switch(bundleType)
-               {
-                  case 'b': requestorType = SecurityAgent::bundle; break;
-                  case 't': requestorType = SecurityAgent::tool; break;
-               }
-               bundlePath = clientCode->canonicalPath();
-       }
-
-       AuthItemSet processHints = SecurityAgent::Client::clientHints(requestorType, bundlePath, thisProcess.pid(), thisProcess.uid());
-    environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_TYPE));
-    environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_PATH));
-    environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_PID));
-    environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_UID));
-    environmentToClient.insert(processHints.begin(), processHints.end());
+       if (SecStaticCodeRef clientCode = auth.creatorCode())
+               bundlePath = codePath(clientCode);
+       AuthItemSet processHints = SecurityAgent::Client::clientHints(
+               SecurityAgent::bundle, bundlePath, thisProcess.pid(), thisProcess.uid());
+       environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_TYPE));
+       environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_PATH));
+       environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_PID));
+       environmentToClient.erase(AuthItemRef(AGENT_HINT_CLIENT_UID));
+       environmentToClient.insert(processHints.begin(), processHints.end());
  
         map<string,string> defaultPrompts = inTopLevelRule->localizedPrompts();
  
         map<string,string> defaultPrompts = inTopLevelRule->localizedPrompts();
+       map<string,string> defaultButtons = inTopLevelRule->localizedButtons();
  
         if (defaultPrompts.empty())
                 defaultPrompts = localizedPrompts();
  
         if (defaultPrompts.empty())
                 defaultPrompts = localizedPrompts();
+       if (defaultButtons.empty())
+               defaultButtons = localizedButtons();
                 
         if (!defaultPrompts.empty())
         {
                 
         if (!defaultPrompts.empty())
         {
@@ -395,6 +432,16 @@ RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule,
                         environmentToClient.insert(AuthItemRef(key.c_str(), AuthValueOverlay(value)));
                 }
         }
                         environmentToClient.insert(AuthItemRef(key.c_str(), AuthValueOverlay(value)));
                 }
         }
+       if (!defaultButtons.empty())
+       {
+               map<string,string>::const_iterator it;
+               for (it = defaultButtons.begin(); it != defaultButtons.end(); it++)
+               {
+                       const string &key = it->first;
+                       const string &value = it->second;
+                       environmentToClient.insert(AuthItemRef(key.c_str(), AuthValueOverlay(value)));
+               }
+       }       
  
         // add rulename as a hint
         string ruleName = name();
  
         // add rulename as a hint
         string ruleName = name();
@@ -402,127 +449,184 @@ RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule,
         environmentToClient.insert(AuthItemRef(AGENT_HINT_AUTHORIZE_RULE, AuthValueOverlay(ruleName)));
  }
  
         environmentToClient.insert(AuthItemRef(AGENT_HINT_AUTHORIZE_RULE, AuthValueOverlay(ruleName)));
  }
  
+// If a different evaluation for getting a credential is prescribed,
+// we'll run that and validate the credentials from there.
+// we fall back on a default configuration from the authenticate rule
  OSStatus
  OSStatus
-RuleImpl::evaluateAuthorization(const AuthItemRef &inRight, const Rule &inRule,
-               AuthItemSet &environmentToClient, 
-        AuthorizationFlags flags, CFAbsoluteTime now, 
-        const CredentialSet *inCredentials, 
-        CredentialSet &credentials, AuthorizationToken &auth) const
+RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
  {
  {
-    OSStatus status = errAuthorizationDenied;
-
-    string usernamehint;
-       evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, usernamehint);
-    if (usernamehint.length())
-               environmentToClient.insert(AuthItemRef(AGENT_HINT_SUGGESTED_USER, AuthValueOverlay(usernamehint)));
+       OSStatus status = errAuthorizationDenied;
+
+       Credential hintCredential;
+       if (errAuthorizationSuccess == evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, hintCredential, reason)) {
+               if (hintCredential->name().length())
+                       environmentToClient.insert(AuthItemRef(AGENT_HINT_SUGGESTED_USER, AuthValueOverlay(hintCredential->name())));
+               if (hintCredential->realname().length())
+                       environmentToClient.insert(AuthItemRef(AGENT_HINT_SUGGESTED_USER_LONG, AuthValueOverlay(hintCredential->realname())));
+       }
  
  
-    if ((mType == kUser) && (mGroupName.length()))
-        environmentToClient.insert(AuthItemRef(AGENT_HINT_REQUIRE_USER_IN_GROUP, AuthValueOverlay(mGroupName)));
+       if ((mType == kUser) && (mGroupName.length()))
+               environmentToClient.insert(AuthItemRef(AGENT_HINT_REQUIRE_USER_IN_GROUP, AuthValueOverlay(mGroupName)));
  
  
-    uint32 tries;
-    SecurityAgent::Reason reason = SecurityAgent::noReason;
+       uint32 tries;
+       reason = SecurityAgent::noReason;
  
         Process &cltProc = Server::process();
  
         Process &cltProc = Server::process();
-    // Authorization preserves creator's UID in setuid processes
-    uid_t cltUid = (cltProc.uid() != 0) ? cltProc.uid() : auth.creatorUid();
-    secdebug("AuthEvalMech", "Mechanism invocation by process %d (UID %d)", cltProc.pid(), cltUid);
+       // Authorization preserves creator's UID in setuid processes
+    // (which is nice, but cltUid ends up being unused except by the debug
+    // message -- AgentMechanismEvaluator ignores it)
+       uid_t cltUid = (cltProc.uid() != 0) ? cltProc.uid() : auth.creatorUid();
+       secdebug("AuthEvalMech", "Mechanism invocation by process %d (UID %d)", cltProc.pid(), cltUid);
   
   
-    AgentMechanismEvaluator eval(cltUid, auth.session(), mEvalDef);
-        
-    for (tries = 0; tries < mTries; tries++)
-    {
+    // For auditing within AuthorizationMechEval, pass the right name.  
+    size_t rightNameSize = inRight->name() ? strlen(inRight->name()) : 0;
+    AuthorizationString rightName = inRight->name() ? inRight->name() : "";
+    // @@@  AuthValueRef's ctor ought to take a const void *
+    AuthValueRef rightValue(rightNameSize, const_cast<char *>(rightName));
+    AuthValueVector authValueVector;
+    authValueVector.push_back(rightValue);
+    
+    RightAuthenticationLogger rightAuthLogger(auth.creatorAuditToken(), AUE_ssauthint);
+    rightAuthLogger.setRight(rightName);
+
+       // Just succeed for a continuously active session owner.
+       if (auth.session().originatorUid() == auth.creatorUid() && auth.session().attributes() & AU_SESSION_FLAG_HAS_AUTHENTICATED) {
+               secdebug("AuthEvalMech", "We are an active session owner.");
+               aslmsg m = asl_new(ASL_TYPE_MSG);
+               asl_set(m, "com.apple.message.domain", "com.apple.securityd.UserActivity");
+               asl_set(m, "com.apple.message.signature", "userIsActive");
+               asl_set(m, "com.apple.message.signature2", rightName);
+               asl_set(m, "com.apple.message.result", "failure");
+               asl_log(NULL, m, ASL_LEVEL_NOTICE, "We are an active session owner.");
+               asl_free(m);
+//             Credential rightCredential(rightName, auth.creatorUid(), mShared);
+//             credentials.erase(rightCredential); credentials.insert(rightCredential);
+//             return errAuthorizationSuccess;
+       }
+       else {
+               secdebug("AuthEvalMech", "We are not an active session owner.");
+               aslmsg m = asl_new(ASL_TYPE_MSG);
+               asl_set(m, "com.apple.message.domain", "com.apple.securityd.UserActivity");
+               asl_set(m, "com.apple.message.signature", "userIsNotActive");
+               asl_set(m, "com.apple.message.signature2", rightName);
+               asl_set(m, "com.apple.message.result", "success");
+               asl_log(NULL, m, ASL_LEVEL_NOTICE, "We are not an active session owner.");
+               asl_free(m);
+       }
+       
+       AgentMechanismEvaluator eval(cltUid, auth.session(), mEvalDef);
+
+       for (tries = 0; tries < mTries; tries++)
+       {
                 AuthItemRef retryHint(AGENT_HINT_RETRY_REASON, AuthValueOverlay(sizeof(reason), &reason));
                 environmentToClient.erase(retryHint); environmentToClient.insert(retryHint); // replace
                 AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
                 environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
  
                 AuthItemRef retryHint(AGENT_HINT_RETRY_REASON, AuthValueOverlay(sizeof(reason), &reason));
                 environmentToClient.erase(retryHint); environmentToClient.insert(retryHint); // replace
                 AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
                 environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
  
-        status = eval.run(AuthValueVector(), environmentToClient, auth);
+            status = eval.run(authValueVector, environmentToClient, auth);
  
  
-        if ((status == errAuthorizationSuccess) ||
-            (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context
-        {
-            secdebug("AuthEvalMech", "storing new context for authorization");
-            auth.setInfoSet(eval.context());
-        }
-        
-        // successfully ran mechanisms to obtain credential
-        if (status == errAuthorizationSuccess)
-        {
-            // deny is the default
-            status = errAuthorizationDenied;
-            
-            CredentialSet newCredentials = makeCredentials(auth);
-            // clear context after extracting credentials
-            auth.scrubInfoSet(); 
-            
-            for (CredentialSet::const_iterator it = newCredentials.begin(); it != newCredentials.end(); ++it)
+            if ((status == errAuthorizationSuccess) ||
+                (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context
              {
              {
-                const Credential& newCredential = *it;
-
-                               // @@@ we log the uid a process was running under when it created the authref, which is misleading in the case of loginwindow
-                               if (newCredential->isValid())
-                                       Syslog::info("uid %lu succeeded authenticating as user %s (uid %lu) for right %s.", auth.creatorUid(), newCredential->username().c_str(), newCredential->uid(), inRight->name());
-                               else
-                                       // we can't be sure that the user actually exists so inhibit logging of uid
-                                       Syslog::error("uid %lu failed to authenticate as user %s for right %s.", auth.creatorUid(), newCredential->username().c_str(), inRight->name());
-                
-                if (!newCredential->isValid())
-                {
-                    reason = SecurityAgent::invalidPassphrase; //invalidPassphrase;
-                    continue;
-                }
-            
-                // verify that this credential authorizes right
-                status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, newCredential, true);
-
-                if (status == errAuthorizationSuccess)
-                {
-                                       // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent
-                    credentials.erase(newCredential); credentials.insert(newCredential);
-                    // use valid credential to set context info
-                                       // XXX/cs keeping this for now, such that the uid is passed back
-                    auth.setCredentialInfo(newCredential);
-                    secdebug("SSevalMech", "added valid credential for user %s", newCredential->username().c_str());
-                    status = errAuthorizationSuccess;
-                    break;
-                }
-                else
-                    reason = SecurityAgent::userNotInGroup; //unacceptableUser; // userNotInGroup
+                secdebug("AuthEvalMech", "storing new context for authorization");
+                auth.setInfoSet(eval.context(), savePassword);
              }
              }
-            
+
+            // successfully ran mechanisms to obtain credential
              if (status == errAuthorizationSuccess)
              if (status == errAuthorizationSuccess)
-                break;
-        }
-        else
-            if ((status == errAuthorizationCanceled) ||
-               (status == errAuthorizationInternal))
+            {
+                // deny is the default
+                status = errAuthorizationDenied;
+                
+                CredentialSet newCredentials = makeCredentials(auth);
+                // clear context after extracting credentials
+                auth.scrubInfoSet(savePassword);
+                
+                for (CredentialSet::const_iterator it = newCredentials.begin(); it != newCredentials.end(); ++it)
                  {
                  {
-                    auth.scrubInfoSet();
-                    break;
+                    const Credential& newCredential = *it;
+
+                    // @@@ we log the uid a process was running under when it created the authref, which is misleading in the case of loginwindow
+                    if (newCredential->isValid()) {
+                        Syslog::info("UID %u authenticated as user %s (UID %u) for right '%s'", auth.creatorUid(), newCredential->name().c_str(), newCredential->uid(), rightName);
+                        rightAuthLogger.logSuccess(auth.creatorUid(), newCredential->uid(), newCredential->name().c_str());
+                    } else {
+                        // we can't be sure that the user actually exists so inhibit logging of uid
+                        Syslog::error("UID %u failed to authenticate as user '%s' for right '%s'", auth.creatorUid(), newCredential->name().c_str(), rightName);
+                        rightAuthLogger.logFailure(auth.creatorUid(), newCredential->name().c_str());
+                    }
+                    
+                    if (!newCredential->isValid())
+                    {
+                        reason = SecurityAgent::invalidPassphrase;
+                        continue;
+                    }
+
+                    // verify that this credential authorizes right
+                    status = evaluateUserCredentialForRight(auth, inRight, inRule, environmentToClient, now, newCredential, true, reason);
+                    
+                    if (status == errAuthorizationSuccess)
+                    {
+                        if (auth.operatesAsLeastPrivileged()) {
+                            Credential rightCredential(rightName, mShared);
+                            credentials.erase(rightCredential); credentials.insert(rightCredential);
+                            if (mShared)
+                                credentials.insert(Credential(rightName, false));
+                        } 
+
+                        // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent
+                        credentials.erase(newCredential); credentials.insert(newCredential);
+                        // just got a new credential - if it's shared also add a non-shared one that to stick in the authorizationref local cache
+                        if (mShared)
+                            credentials.insert(Credential(newCredential->uid(), newCredential->name(), newCredential->realname(), false));
+                        
+                        // use valid credential to set context info
+                        // XXX/cs keeping this for now, such that the uid is passed back
+                        auth.setCredentialInfo(newCredential, savePassword);
+                        secdebug("SSevalMech", "added valid credential for user %s", newCredential->name().c_str());
+                                               // set the sessionHasAuthenticated
+                                               if (newCredential->uid() == auth.session().originatorUid()) {
+                                                       secdebug("AuthEvalMech", "We authenticated as the session owner.\n");
+                                                       SessionAttributeBits flags = auth.session().attributes();
+                                                       flags |= AU_SESSION_FLAG_HAS_AUTHENTICATED;
+                                                       auth.session().setAttributes(flags);
+                                               }
+
+                        status = errAuthorizationSuccess;
+                        break;
+                    }
                  }
                  }
-            else // last mechanism is now authentication - fail
-                if (status == errAuthorizationDenied)
-                    reason = SecurityAgent::invalidPassphrase;
  
  
-    }
+                       if (status == errAuthorizationSuccess)
+                               break;
+               }
+               else
+                       if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal))
+                       {
+                               auth.scrubInfoSet(false);
+                               break;
+                       }
+                       else // last mechanism is now authentication - fail
+                               if (status == errAuthorizationDenied)
+                                       reason = SecurityAgent::invalidPassphrase;
+        }
  
  
-    // If we fell out of the loop because of too many tries, notify user
-    if (tries == mTries)
-    {
-        reason = SecurityAgent::tooManyTries;
+       // If we fell out of the loop because of too many tries, notify user
+       if (tries == mTries)
+       {
+               reason = SecurityAgent::tooManyTries;
                 AuthItemRef retryHint (AGENT_HINT_RETRY_REASON, AuthValueOverlay(sizeof(reason), &reason));
                 environmentToClient.erase(retryHint); environmentToClient.insert(retryHint); // replace
                 AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
                 environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
                 AuthItemRef retryHint (AGENT_HINT_RETRY_REASON, AuthValueOverlay(sizeof(reason), &reason));
                 environmentToClient.erase(retryHint); environmentToClient.insert(retryHint); // replace
                 AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
                 environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
-        eval.run(AuthValueVector(), environmentToClient, auth);
-        // XXX/cs is this still necessary?
-        auth.scrubInfoSet();
+            eval.run(AuthValueVector(), environmentToClient, auth);
+               // XXX/cs is this still necessary?
+               auth.scrubInfoSet(false);
                 
                 
-               CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
-               auditrec.submit(AUE_ssauthorize, CommonCriteria::errTooManyTries, inRight->name());
-    }
+        rightAuthLogger.logFailure(NULL, CommonCriteria::errTooManyTries);
+       }
  
  
-    return status;
+       return status;
  }
  
  // create externally verified credentials on the basis of 
  }
  
  // create externally verified credentials on the basis of 
@@ -530,129 +634,127 @@ RuleImpl::evaluateAuthorization(const AuthItemRef &inRight, const Rule &inRule,
  CredentialSet
  RuleImpl::makeCredentials(const AuthorizationToken &auth) const
  {
  CredentialSet
  RuleImpl::makeCredentials(const AuthorizationToken &auth) const
  {
-    // fetch context and construct a credential to be tested
-    const AuthItemSet &context = const_cast<AuthorizationToken &>(auth).infoSet();
-    CredentialSet newCredentials;
-
-    do {    
-        AuthItemSet::const_iterator found = find_if(context.begin(), context.end(), FindAuthItemByRightName(kAuthorizationEnvironmentUsername) );
-        if (found == context.end())
-            break;
-        string username = (**found).stringValue();
-        secdebug("AuthEvalMech", "found username");
-
-        const uid_t *uid = NULL;
-        found = find_if(context.begin(), context.end(), FindAuthItemByRightName("uid") );
-        if (found != context.end())
-        {
-            uid = static_cast<const uid_t *>((**found).value().data);
-            secdebug("AuthEvalMech", "found uid");
-        }
-
-        const gid_t *gid = NULL;
-        found = find_if(context.begin(), context.end(), FindAuthItemByRightName("gid") );
-        if (found != context.end())
-        {
-            gid = static_cast<const gid_t *>((**found).value().data);
-            secdebug("AuthEvalMech", "found gid");
-        }
+       // fetch context and construct a credential to be tested
+       const AuthItemSet &context = const_cast<AuthorizationToken &>(auth).infoSet();
+       CredentialSet newCredentials;
+       
+       do {
+               AuthItemSet::const_iterator found = find_if(context.begin(), context.end(), FindAuthItemByRightName(kAuthorizationEnvironmentUsername) );
+               if (found == context.end())
+                       break;
+               string username = (**found).stringValue();
+               secdebug("AuthEvalMech", "found username");
+               
+               const uid_t *uid = NULL;
+               found = find_if(context.begin(), context.end(), FindAuthItemByRightName("uid") );
+               if (found != context.end())
+               {
+                       uid = static_cast<const uid_t *>((**found).value().data);
+                       secdebug("AuthEvalMech", "found uid");
+               }
  
  
-        if (username.length() && uid && gid)
-        {
-            // credential is valid because mechanism says so
-            newCredentials.insert(Credential(username, *uid, *gid, mShared));
-        }
-        else
-        {
-            found = find_if(context.begin(), context.end(), FindAuthItemByRightName(kAuthorizationEnvironmentPassword) );
-            if (found != context.end())
-            {
-                secdebug("AuthEvalMech", "found password");
-                string password = (**found).stringValue();
-                secdebug("AuthEvalMech", "falling back on username/password credential if valid");
-                               Credential newCred(username, password, mShared);
-                newCredentials.insert(newCred);
-                               CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
-                               if (newCred->isValid())
-                                       auditrec.submit(AUE_ssauthorize, CommonCriteria::errNone, name().c_str());
-                               else
-                                       auditrec.submit(AUE_ssauthorize, CommonCriteria::errInvalidCredential, name().c_str());
-            }
-        }
-    } while(0);
+               if (username.length() && uid)
+               {
+                       // credential is valid because mechanism says so
+                       newCredentials.insert(Credential(*uid, username, "", mShared));
+               }
+       } while(0);
  
  
-    return newCredentials;
+       return newCredentials;
  }
  
  // evaluate whether a good credential of the current session owner would authorize a right
  OSStatus
  }
  
  // evaluate whether a good credential of the current session owner would authorize a right
  OSStatus
-RuleImpl::evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule,
-                           const AuthItemSet &environment,
-                           const CFAbsoluteTime now,
-                           const AuthorizationToken &auth,
-                           string& usernamehint) const
+RuleImpl::evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const
  {
  {
-    // username hint is taken from the user who created the authorization, unless it's clearly ineligible
-       OSStatus status = noErr;
+       // username hint is taken from the user who created the authorization, unless it's clearly ineligible
         // @@@ we have no access to current requester uid here and the process uid is only taken when the authorization is created
         // meaning that a process like loginwindow that drops privs later is screwed.
         
         // @@@ we have no access to current requester uid here and the process uid is only taken when the authorization is created
         // meaning that a process like loginwindow that drops privs later is screwed.
         
-       uid_t uid;
-       Session &session = auth.session();
-       
-       if (session.haveOriginatorUid())
-               uid = session.originatorUid();
-       else
-               uid = auth.creatorUid();
-       
+       Credential sessionCredential;
+       uid_t uid = auth.session().originatorUid();
         Server::active().longTermActivity();
         struct passwd *pw = getpwuid(uid);
         Server::active().longTermActivity();
         struct passwd *pw = getpwuid(uid);
-       if (pw != NULL)
-       {
+       if (pw != NULL) {
                 // avoid hinting a locked account
                 if ( (pw->pw_passwd == NULL) ||
                 // avoid hinting a locked account
                 if ( (pw->pw_passwd == NULL) ||
-                               strcmp(pw->pw_passwd, "*") ) {
+                       strcmp(pw->pw_passwd, "*") ) {
                         // Check if username will authorize the request and set username to
                         // be used as a hint to the user if so
                         secdebug("AuthEvalMech", "preflight credential from current user, result follows:");
                         // Check if username will authorize the request and set username to
                         // be used as a hint to the user if so
                         secdebug("AuthEvalMech", "preflight credential from current user, result follows:");
-                       status = evaluateCredentialForRight(auth, inRight, inRule, environment, now, Credential(pw->pw_name, pw->pw_uid, pw->pw_gid, mShared), true);
-                       
-                       if (status == errAuthorizationSuccess) 
-                               usernamehint = pw->pw_name;
+                       sessionCredential = Credential(pw->pw_uid, pw->pw_name, pw->pw_gecos, mShared/*ignored*/);
                 } //fi
                 endpwent();
         }
                 } //fi
                 endpwent();
         }
+       OSStatus status = evaluateUserCredentialForRight(auth, inRight, inRule, environment, now, sessionCredential, true, reason);
+       if (errAuthorizationSuccess == status)
+               credential = sessionCredential;
+
         return status;
  }
  
  
         return status;
  }
  
  
+OSStatus
+RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
+{
+       if (auth.operatesAsLeastPrivileged()) {
+        if (credential->isRight() && credential->isValid() && (inRight->name() == credential->name())) 
+        {
+            if (!ignoreShared && !mShared && credential->isShared())
+            {
+                // @@@  no proper SA::Reason
+                reason = SecurityAgent::unknownReason;
+                secdebug("autheval", "shared credential cannot be used, denying right %s", inRight->name());
+                return errAuthorizationDenied;
+            } else {
+                return errAuthorizationSuccess;
+            }
+        } else {
+            // @@@  no proper SA::Reason
+            reason = SecurityAgent::unknownReason;
+            return errAuthorizationDenied;
+        }
+       } else
+               return evaluateUserCredentialForRight(auth, inRight, inRule, environment, now, credential, false, reason);
+}
  
  // Return errAuthorizationSuccess if this rule allows access based on the specified credential,
  // return errAuthorizationDenied otherwise.
  OSStatus
  
  // Return errAuthorizationSuccess if this rule allows access based on the specified credential,
  // return errAuthorizationDenied otherwise.
  OSStatus
-RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const
+RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
  {
         assert(mType == kUser);
  
  {
         assert(mType == kUser);
  
+    // Ideally we'd set the AGENT_HINT_RETRY_REASON hint in this method, but
+    // evaluateAuthentication() overwrites it before 
+    // AgentMechanismEvaluator::run().  That's what led to passing "reason"
+    // everywhere, from RuleImpl::evaluate() on down.  
+
         // Get the username from the credential
         // Get the username from the credential
-       const char *user = credential->username().c_str();
+       const char *user = credential->name().c_str();
  
  
-       // If the credential is not valid or it's age is more than the allowed maximum age
+       // If the credential is not valid or its age is more than the allowed maximum age
         // for a credential, deny.
         if (!credential->isValid())
         {
         // for a credential, deny.
         if (!credential->isValid())
         {
+        // @@@  it could be the username, not password, was invalid
+        reason = SecurityAgent::invalidPassphrase;
                 secdebug("autheval", "credential for user %s is invalid, denying right %s", user, inRight->name());
                 return errAuthorizationDenied;
         }
  
         if (now - credential->creationTime() > mMaxCredentialAge)
         {
                 secdebug("autheval", "credential for user %s is invalid, denying right %s", user, inRight->name());
                 return errAuthorizationDenied;
         }
  
         if (now - credential->creationTime() > mMaxCredentialAge)
         {
+        // @@@  no proper SA::Reason
+        reason = SecurityAgent::unknownReason;
                 secdebug("autheval", "credential for user %s has expired, denying right %s", user, inRight->name());
                 return errAuthorizationDenied;
         }
  
         if (!ignoreShared && !mShared && credential->isShared())
         {
                 secdebug("autheval", "credential for user %s has expired, denying right %s", user, inRight->name());
                 return errAuthorizationDenied;
         }
  
         if (!ignoreShared && !mShared && credential->isShared())
         {
+        // @@@  no proper SA::Reason
+        reason = SecurityAgent::unknownReason;
                 secdebug("autheval", "shared credential for user %s cannot be used, denying right %s", user, inRight->name());
                 return errAuthorizationDenied;
         }
                 secdebug("autheval", "shared credential for user %s cannot be used, denying right %s", user, inRight->name());
                 return errAuthorizationDenied;
         }
@@ -664,22 +766,24 @@ RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthI
                 return errAuthorizationSuccess;
         }
  
                 return errAuthorizationSuccess;
         }
  
-    if (mSessionOwner)
-    {
+       if (mSessionOwner)
+       {
                 Session &session = auth.session();
                 Session &session = auth.session();
-               if (session.haveOriginatorUid())
-               {
-                       uid_t console_user = session.originatorUid();
+               uid_t console_user = session.originatorUid();
  
  
-            if (credential->uid() == console_user)
-            {
-                secdebug("autheval", "user %s is session-owner(uid: %d), granting right %s", user, console_user, inRight->name());
-                return errAuthorizationSuccess;
-            }
-        }
-        else
-            secdebug("autheval", "session-owner check failed.");
-    }
+               if (credential->uid() == console_user)
+               {
+                       secdebug("autheval", "user %s is session-owner(uid: %d), granting right %s", user, console_user, inRight->name());
+                       return errAuthorizationSuccess;
+               }
+               // set "reason" in this case?  not that a proper SA::Reason exists
+       }
+       else
+       {
+               // @@@  no proper SA::Reason
+               reason = SecurityAgent::unknownReason;
+               secdebug("autheval", "session-owner check failed.");
+       }
         
         if (mGroupName.length())
         {
         
         if (mGroupName.length())
         {
@@ -693,12 +797,21 @@ RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthI
                 {
                         uuid_t group_uuid, user_uuid;
                         int is_member;
                 {
                         uuid_t group_uuid, user_uuid;
                         int is_member;
-                       
+
+            // @@@  it'd be nice to have SA::Reason codes for the failures
+            // associated with the pre-check-membership mbr_*() functions, 
+            // but userNotInGroup will do
                         if (mbr_group_name_to_uuid(groupname, group_uuid))
                                 break;
                                 
                         if (mbr_uid_to_uuid(credential->uid(), user_uuid))
                         if (mbr_group_name_to_uuid(groupname, group_uuid))
                                 break;
                                 
                         if (mbr_uid_to_uuid(credential->uid(), user_uuid))
-                               break;
+                       {
+                               struct passwd *pwd;
+                               if (NULL == (pwd = getpwnam(user)))
+                                       break;
+                               if (mbr_uid_to_uuid(pwd->pw_uid, user_uuid))
+                                       break;                          
+                       }
  
                         if (mbr_check_membership(user_uuid, group_uuid, &is_member))
                                 break;
  
                         if (mbr_check_membership(user_uuid, group_uuid, &is_member))
                                 break;
@@ -712,10 +825,15 @@ RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthI
                                 
                 }
                 while (0);
                                 
                 }
                 while (0);
-
+        
+        reason = SecurityAgent::userNotInGroup;
                 secdebug("autheval", "user %s is not a member of group %s, denying right %s",
                         user, groupname, inRight->name());
         }
                 secdebug("autheval", "user %s is not a member of group %s, denying right %s",
                         user, groupname, inRight->name());
         }
+    else if (mSessionOwner) // rule asks only if user is the session owner
+    {
+        reason = SecurityAgent::unacceptableUser;
+    }
         
         return errAuthorizationDenied;
  }
         
         return errAuthorizationDenied;
  }
@@ -723,18 +841,17 @@ RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthI
  
  
  OSStatus
  
  
  OSStatus
-RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
-    AuthItemSet &environmentToClient, AuthorizationFlags flags,
-       CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
-       AuthorizationToken &auth) const
+RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
  {
  {
-       // If we got here, this is a kUser type rule, let's start looking for a
+    // If we got here, this is a kUser type rule, let's start looking for a
         // credential that is satisfactory
  
         // Zeroth -- Here is an extra special saucy ugly hack to allow authorizations
         // created by a proccess running as root to automatically get a right.
         if (mAllowRoot && auth.creatorUid() == 0)
         {
         // credential that is satisfactory
  
         // Zeroth -- Here is an extra special saucy ugly hack to allow authorizations
         // created by a proccess running as root to automatically get a right.
         if (mAllowRoot && auth.creatorUid() == 0)
         {
+        SECURITYD_AUTH_USER_ALLOWROOT(&auth);
+        
                 secdebug("autheval", "creator of authorization has uid == 0 granting right %s",
                         inRight->name());
                 return errAuthorizationSuccess;
                 secdebug("autheval", "creator of authorization has uid == 0 granting right %s",
                         inRight->name());
                 return errAuthorizationSuccess;
@@ -743,11 +860,14 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
         // if we're not supposed to authenticate evaluate the session-owner against the group
         if (!mAuthenticateUser)
         {
         // if we're not supposed to authenticate evaluate the session-owner against the group
         if (!mAuthenticateUser)
         {
-               string username;
-               OSStatus status = evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, username);
+               Credential hintCredential;
+               OSStatus status = evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, hintCredential, reason);
  
                 if (!status)
  
                 if (!status)
+        {
+            SECURITYD_AUTH_USER_ALLOWSESSIONOWNER(&auth);
                         return errAuthorizationSuccess;
                         return errAuthorizationSuccess;
+        }
  
                 return errAuthorizationDenied;
         }
  
                 return errAuthorizationDenied;
         }
@@ -755,13 +875,28 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
         // First -- go though the credentials we either already used or obtained during this authorize operation.
         for (CredentialSet::const_iterator it = credentials.begin(); it != credentials.end(); ++it)
         {
         // First -- go though the credentials we either already used or obtained during this authorize operation.
         for (CredentialSet::const_iterator it = credentials.begin(); it != credentials.end(); ++it)
         {
-               OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, true);
-               if (status != errAuthorizationDenied)
+               // Passed-in user credentials are allowed for least-privileged mode
+               if (auth.operatesAsLeastPrivileged() && !(*it)->isRight() && (*it)->isValid()) 
                 {
                 {
+                       OSStatus status = evaluateUserCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false, reason);
+                       if (errAuthorizationSuccess == status) {
+                               Credential rightCredential(inRight->name(), mShared);
+                               credentials.erase(rightCredential); credentials.insert(rightCredential);
+                               if (mShared)
+                                       credentials.insert(Credential(inRight->name(), false));
+                               return status;
+                       }
+               }
+
+               // if this is least privileged, this will function differently: match credential to requested right
+               OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false, reason);
+                       
+               if (status != errAuthorizationDenied) {
                         // add credential to authinfo
                         // add credential to authinfo
-                       auth.setCredentialInfo(*it);
+                       auth.setCredentialInfo(*it, savePassword);
                         return status;
                 }
                         return status;
                 }
+
         }
  
         // Second -- go though the credentials passed in to this authorize operation by the state management layer.
         }
  
         // Second -- go though the credentials passed in to this authorize operation by the state management layer.
@@ -769,14 +904,16 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
         {
                 for (CredentialSet::const_iterator it = inCredentials->begin(); it != inCredentials->end(); ++it)
                 {
         {
                 for (CredentialSet::const_iterator it = inCredentials->begin(); it != inCredentials->end(); ++it)
                 {
-                       OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false);
+                       // if this is least privileged, this will function differently: match credential to requested right
+                       OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false, reason);
+
                         if (status == errAuthorizationSuccess)
                         {
                                 // Add the credential we used to the output set.
                                 // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent
                                 credentials.erase(*it); credentials.insert(*it);
                         if (status == errAuthorizationSuccess)
                         {
                                 // Add the credential we used to the output set.
                                 // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent
                                 credentials.erase(*it); credentials.insert(*it);
-                // add credential to authinfo
-                auth.setCredentialInfo(*it);
+                               // add credential to authinfo
+                               auth.setCredentialInfo(*it, savePassword);
  
                                 return status;
                         }
  
                                 return status;
                         }
@@ -785,8 +922,7 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
                 }
         }
  
                 }
         }
  
-       // Finally -- We didn't find the credential in our passed in credential lists.  Obtain a new credential if
-       // our flags let us do so.
+       // Finally -- We didn't find the credential in our passed in credential lists.  Obtain a new credential if our flags let us do so.
         if (!(flags & kAuthorizationFlagExtendRights))
                 return errAuthorizationDenied;
         
         if (!(flags & kAuthorizationFlagExtendRights))
                 return errAuthorizationDenied;
         
@@ -803,70 +939,104 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
  
         setAgentHints(inRight, inRule, environmentToClient, auth);
  
  
         setAgentHints(inRight, inRule, environmentToClient, auth);
  
-    // If a different evaluation is prescribed,
-    // we'll run that and validate the credentials from there
-    // we fall back on a default configuration
-       return evaluateAuthorization(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+       return evaluateAuthentication(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword);
  }
  
  OSStatus
  }
  
  OSStatus
-RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const
+RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const
  {
         uint32 tries = 0; 
         OSStatus status;
  
         Process &cltProc = Server::process();
  {
         uint32 tries = 0; 
         OSStatus status;
  
         Process &cltProc = Server::process();
-    // Authorization preserves creator's UID in setuid processes
-    uid_t cltUid = (cltProc.uid() != 0) ? cltProc.uid() : auth.creatorUid();
-    secdebug("AuthEvalMech", "Mechanism invocation by process %d (UID %d)", cltProc.pid(), cltUid);
+       // Authorization preserves creator's UID in setuid processes
+       uid_t cltUid = (cltProc.uid() != 0) ? cltProc.uid() : auth.creatorUid();
+       secdebug("AuthEvalMech", "Mechanism invocation by process %d (UID %d)", cltProc.pid(), cltUid);
  
  
-    {
-        AgentMechanismEvaluator eval(cltUid, auth.session(), mEvalDef);
+       {
+               AgentMechanismEvaluator eval(cltUid, auth.session(), mEvalDef);
+        // For auditing within AuthorizationMechEval, pass the right name.  
+        size_t rightNameSize = inRight->name() ? strlen(inRight->name()) : 0;
+        AuthorizationString rightName = inRight->name() ? inRight->name() : "";
+        // @@@  AuthValueRef's ctor ought to take a const void *
+        AuthValueRef rightValue(rightNameSize, const_cast<char *>(rightName));
+        AuthValueVector authValueVector;
+        authValueVector.push_back(rightValue);
          
          
-        do
-        {
-            setAgentHints(inRight, inRule, environmentToClient, auth);
-            AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
-            environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
-                
-            status = eval.run(AuthValueVector(), environmentToClient, auth);
+               do
+               {
+                       setAgentHints(inRight, inRule, environmentToClient, auth);
+                       AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
+                       environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
              
              
-            if ((status == errAuthorizationSuccess) ||
-                (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context
-            {
-                secdebug("AuthEvalMech", "storing new context for authorization");
-                auth.setInfoSet(eval.context());
-                if (status == errAuthorizationSuccess)
-                {
-                    outCredentials = makeCredentials(auth);
-                }
-            }
-                
-            tries++;
-        }
-        while ((status == errAuthorizationDenied) // only if we have an expected failure we continue
-                    && ((mTries == 0)                          // mTries == 0 means we try forever
-                        || ((mTries > 0)                       // mTries > 0 means we try up to mTries times
-                            && (tries < mTries))));
-    }
+            status = eval.run(authValueVector, environmentToClient, auth);
+                       if ((status == errAuthorizationSuccess) ||
+                               (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context
+                       {
+                               secdebug("AuthEvalMech", "storing new context for authorization");
+                               auth.setInfoSet(eval.context(), savePassword);
+                               if (status == errAuthorizationSuccess)
+                               {
+                    // (try to) attach the authorizing UID to the least-priv cred
+                                       if (auth.operatesAsLeastPrivileged())
+                    {
+                        outCredentials.insert(Credential(rightName, mShared));
+                        if (mShared) 
+                            outCredentials.insert(Credential(rightName, false));
+                        
+                        RightAuthenticationLogger logger(auth.creatorAuditToken(), AUE_ssauthint);
+                        logger.setRight(rightName);
+
+                        AuthItem *uidItem = eval.context().find(AGENT_CONTEXT_UID);
+                        if (uidItem)
+                        {
+                            uid_t authorizedUid;
+                            memcpy(&authorizedUid, uidItem->value().data, sizeof(authorizedUid));
+                            secdebug("AuthEvalMech", "generating least-privilege cred for '%s' authorized by UID %u", inRight->name(), authorizedUid);
+                            logger.logLeastPrivilege(authorizedUid, true);
+                        }
+                        else    // cltUid is better than nothing
+                        {
+                            secdebug("AuthEvalMech", "generating least-privilege cred for '%s' with process- or auth-UID %u", inRight->name(), cltUid);
+                            logger.logLeastPrivilege(cltUid, false);
+                        }
+                    }
+
+                    if (0 == strcmp(rightName, "system.login.console") && NULL == eval.context().find(AGENT_CONTEXT_AUTO_LOGIN)) {
+                        secdebug("AuthEvalMech", "We logged in as the session owner.\n");
+                        SessionAttributeBits flags = auth.session().attributes();
+                        flags |= AU_SESSION_FLAG_HAS_AUTHENTICATED;
+                        auth.session().setAttributes(flags);                                                   
+                    }
+                    CredentialSet newCredentials = makeCredentials(auth);
+                    outCredentials.insert(newCredentials.begin(), newCredentials.end());
+                               }
+                       }
+
+                       tries++;
+               }
+               while ((status == errAuthorizationDenied) // only if we have an expected failure we continue
+                                       && ((mTries == 0)                               // mTries == 0 means we try forever
+                                       || ((mTries > 0)                        // mTries > 0 means we try up to mTries times
+                                       && (tries < mTries))));
+       }
         
         
-    // HACK kill all hosts to free pages for low memory systems
-       if (name() == "system.login.console")
+       // HACK kill all hosts to free pages for low memory systems
+    // (XXX/gh  there should be a #define for this right)
+       if (name() == "system.login.done")
         {
         {
+        // one case where we don't want to mark the agents as "busy"
                 QueryInvokeMechanism query(securityAgent, auth.session());
                 query.terminateAgent();
                 QueryInvokeMechanism query2(privilegedAuthHost, auth.session());
                 query2.terminateAgent();
         }
                 QueryInvokeMechanism query(securityAgent, auth.session());
                 query.terminateAgent();
                 QueryInvokeMechanism query2(privilegedAuthHost, auth.session());
                 query2.terminateAgent();
         }
-    
+
         return status;
  }
  
  OSStatus
         return status;
  }
  
  OSStatus
-RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
-    AuthItemSet &environmentToClient, AuthorizationFlags flags,
-       CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
-       AuthorizationToken &auth) const
+RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
  {
         // line up the rules to try
         if (!mRuleDef.size())
  {
         // line up the rules to try
         if (!mRuleDef.size())
@@ -883,7 +1053,7 @@ RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
                         return errAuthorizationSuccess;
  
                 // get a rule and try it
                         return errAuthorizationSuccess;
  
                 // get a rule and try it
-               status = (*it)->evaluate(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+               status = (*it)->evaluate(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword);
  
                 // if status is cancel/internal error abort
                 if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal))
  
                 // if status is cancel/internal error abort
                 if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal))
@@ -900,39 +1070,42 @@ RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
                 else
                         count++;
         }
                 else
                         count++;
         }
+
+       if ((mType == kKofN) && (status == errAuthorizationSuccess) && (count < mKofN))
+               status = errAuthorizationDenied;
         
         return status; // return the last failure
  }
  
  
  OSStatus
         
         return status; // return the last failure
  }
  
  
  OSStatus
-RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule,
-    AuthItemSet &environmentToClient, AuthorizationFlags flags,
-       CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
-       AuthorizationToken &auth) const
+RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const
  {
         switch (mType)
         {
         case kAllow:
  {
         switch (mType)
         {
         case kAllow:
-               secdebug("autheval", "rule is always allow");
+        SECURITYD_AUTH_ALLOW(&auth, (char *)name().c_str());
                 return errAuthorizationSuccess;
         case kDeny:
                 return errAuthorizationSuccess;
         case kDeny:
-               secdebug("autheval", "rule is always deny");
+        SECURITYD_AUTH_DENY(&auth, (char *)name().c_str());
                 return errAuthorizationDenied;
         case kUser:
                 return errAuthorizationDenied;
         case kUser:
-               secdebug("autheval", "rule is user");
-               return evaluateUser(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+        SECURITYD_AUTH_USER(&auth, (char *)name().c_str());
+               return evaluateUser(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword);
         case kRuleDelegation:
         case kRuleDelegation:
-        secdebug("autheval", "rule evaluates rules");
-               return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+        SECURITYD_AUTH_RULES(&auth, (char *)name().c_str());
+               return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword);
         case kKofN:
         case kKofN:
-        secdebug("autheval", "rule evaluates k-of-n rules");
-               return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
-    case kEvaluateMechanisms:
-        secdebug("autheval", "rule evaluates mechanisms");
-        return evaluateMechanismOnly(inRight, inRule, environmentToClient, auth, credentials);
-    default:
-               MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+        SECURITYD_AUTH_KOFN(&auth, (char *)name().c_str());
+               return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword);
+       case kEvaluateMechanisms:
+        SECURITYD_AUTH_MECHRULE(&auth, (char *)name().c_str());
+            // if we had a SecurityAgent::Reason code for "mechanism denied,"
+            // it would make sense to pass down "reason"
+               return evaluateMechanismOnly(inRight, inRule, environmentToClient, auth, credentials, savePassword);
+       default:
+               Syslog::alert("Unrecognized rule type %d", mType);
+               MacOSError::throwMe(errAuthorizationInternal); // invalid rule
         }
  }
  
         }
  }