securityd-55199.3.tar.gz

[apple/securityd.git] / src / AuthorizationMechEval.cpp
diff --git a/src/AuthorizationMechEval.cpp b/src/AuthorizationMechEval.cpp

index 5f7a7934997f82d30660016aa3ad02b358e1b134..0080eb3b2971e646011d163de0a662adbf007b05 100644 (file)
--- a/src/AuthorizationMechEval.cpp
+++ b/src/AuthorizationMechEval.cpp
@@ -1,10 +1,8 @@
  /*
  /*
- *  Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
+ *  Copyright (c) 2003-2004,2008-2009 Apple Inc. All Rights Reserved.
   *
   *  @APPLE_LICENSE_HEADER_START@
   *  
   *
   *  @APPLE_LICENSE_HEADER_START@
   *  
- *  Copyright (c) 1999-2003 Apple Computer, Inc.  All Rights Reserved.
- *  
   *  This file contains Original Code and/or Modifications of Original Code
   *  as defined in and that are subject to the Apple Public Source License
   *  Version 2.0 (the 'License'). You may not use this file except in
   *  This file contains Original Code and/or Modifications of Original Code
   *  as defined in and that are subject to the Apple Public Source License
   *  Version 2.0 (the 'License'). You may not use this file except in
@@ -26,27 +24,45 @@
   *  securityd
   *
   */
   *  securityd
   *
   */
-
  #include "AuthorizationMechEval.h"
  #include "AuthorizationMechEval.h"
+#include <security_utilities/logging.h>
+#include <bsm/audit_uevents.h>
+#include "ccaudit_extensions.h"
  
  namespace Authorization {
  
  
  namespace Authorization {
  
-AgentMechanismRef::AgentMechanismRef(uid_t clientUID, const Session &session) : 
-    RefPointer<QueryInvokeMechanism>(new QueryInvokeMechanism(clientUID, session)) {}
+using namespace CommonCriteria::Securityd;
  
  
-AgentMechanismRef::AgentMechanismRef() : 
-    RefPointer<QueryInvokeMechanism>(new QueryInvokeMechanism()) {}
+AgentMechanismRef::AgentMechanismRef(const AuthHostType type, Session &session) : 
+    RefPointer<QueryInvokeMechanism>(new QueryInvokeMechanism(type, session)) {}
  
  // we need the vector<string> of mechanisms
  
  // we need the vector<string> of mechanisms
-AgentMechanismEvaluator::AgentMechanismEvaluator(uid_t uid, const Session& session, const vector<string>& inMechanisms) : 
+AgentMechanismEvaluator::AgentMechanismEvaluator(uid_t uid, Session& session, const vector<string>& inMechanisms) : 
      mMechanisms(inMechanisms), mClientUid(uid), mSession(session)
  {
      //set up environment
  }
  
  OSStatus
      mMechanisms(inMechanisms), mClientUid(uid), mSession(session)
  {
      //set up environment
  }
  
  OSStatus
-AgentMechanismEvaluator::run(const AuthValueVector &inArguments, const AuthItemSet &inHints, const AuthItemSet &inContext)
+AgentMechanismEvaluator::run(const AuthValueVector &inArguments, const AuthItemSet &inHints, const AuthorizationToken &auth)
  {
  {
+    AuthMechLogger logger(auth.creatorAuditToken(), AUE_ssauthmech);
+    string rightName = "<unknown right>";   // for syslog
+    
+    // as of 10.6, the first item in inArguments should be the name of the
+    // requested right, for auditing
+    try
+    {
+        AuthorizationValue val = inArguments.at(0)->value();
+        string tmpstr(static_cast<const char *>(val.data), val.length);
+        logger.setRight(tmpstr);
+        rightName.clear();
+        rightName = tmpstr;
+    }
+    catch (...)  { }
+    
+    const AuthItemSet &inContext = const_cast<AuthorizationToken &>(auth).infoSet();
+    
      // add process specifics to context?
  
      vector<std::string>::const_iterator currentMechanism = mMechanisms.begin();
      // add process specifics to context?
  
      vector<std::string>::const_iterator currentMechanism = mMechanisms.begin();
@@ -55,10 +71,18 @@ AgentMechanismEvaluator::run(const AuthValueVector &inArguments, const AuthItemS
      
      AuthItemSet hints = inHints;
      AuthItemSet context = inContext;
      
      AuthItemSet hints = inHints;
      AuthItemSet context = inContext;
-        
+    // add saved-off sticky context values to context for evaluation
+    context.insert(mStickyContext.begin(), mStickyContext.end());
+    
      while ( (result == kAuthorizationResultAllow)  &&
              (currentMechanism != mMechanisms.end()) ) // iterate mechanisms
      {
      while ( (result == kAuthorizationResultAllow)  &&
              (currentMechanism != mMechanisms.end()) ) // iterate mechanisms
      {
+        SECURITYD_AUTH_MECH(&auth, (char *)(*currentMechanism).c_str());
+        
+        // set up the audit message
+        logger.setCurrentMechanism(*currentMechanism);
+        
+        // do the real work
          ClientMap::iterator iter = mClients.find(*currentMechanism);
          if (iter == mClients.end())
          {
          ClientMap::iterator iter = mClients.find(*currentMechanism);
          if (iter == mClients.end())
          {
@@ -67,79 +91,162 @@ AgentMechanismEvaluator::run(const AuthValueVector &inArguments, const AuthItemS
              {
                  // no whitespace removal
                  string pluginIn(currentMechanism->substr(0, extPlugin));
              {
                  // no whitespace removal
                  string pluginIn(currentMechanism->substr(0, extPlugin));
-                string mechanismIn(currentMechanism->substr(extPlugin + 1));
-                secdebug("AuthEvalMech", "external mech %s:%s", pluginIn.c_str(), mechanismIn.c_str());
+                               string mechanismIn, authhostIn;
+                               
+                               string::size_type extMechanism = currentMechanism->rfind(',');
+                               AuthHostType hostType = securityAgent;
+                               
+                               if (extMechanism != string::npos)
+                               {
+                                       if (extMechanism < extPlugin)
+                                       {
+                        string auditMsg = "badly formed mechanism name; ending rule evaluation";
+                        Syslog::alert("Right '%s', mech '%s': %s", rightName.c_str(), (*currentMechanism).c_str(), auditMsg.c_str());
+                        logger.logFailure(auditMsg);
+                                               return errAuthorizationInternal;
+                                       }
+                                               
+                                       mechanismIn = currentMechanism->substr(extPlugin + 1, extMechanism - extPlugin - 1);
+                                       authhostIn = currentMechanism->substr(extMechanism + 1);
+                                       if (authhostIn == "privileged")
+                                               hostType = privilegedAuthHost;
+                               }
+                               else
+                                       mechanismIn = currentMechanism->substr(extPlugin + 1);
+                                       
+                secdebug("AuthEvalMech", "external mechanism %s:%s", pluginIn.c_str(), mechanismIn.c_str());
                  
                  
-                AgentMechanismRef client(mClientUid, mSession);
-                client->initialize(pluginIn, mechanismIn);
-// XXX/cs                client->inferHints(Server::process());
-                mClients[*currentMechanism] = client;
+                AgentMechanismRef client(hostType, mSession);
+                client->initialize(pluginIn, mechanismIn, inArguments);
+                mClients.insert(ClientMap::value_type(*currentMechanism, client));
              }
              else if (*currentMechanism == "authinternal")
              {
                  secdebug("AuthEvalMech", "performing authentication");
                  result = authinternal(context);
              }
              else if (*currentMechanism == "authinternal")
              {
                  secdebug("AuthEvalMech", "performing authentication");
                  result = authinternal(context);
+
+                               if (kAuthorizationResultAllow == result)
+                {
+                    logger.logSuccess();
+                }
+                               else    // kAuthorizationResultDeny
+                {
+                    logger.logFailure();
+                }
              }
              else if (*currentMechanism == "push_hints_to_context")
              {
                  secdebug("AuthEvalMech", "evaluate push_hints_to_context");
              }
              else if (*currentMechanism == "push_hints_to_context")
              {
                  secdebug("AuthEvalMech", "evaluate push_hints_to_context");
-                result = kAuthorizationResultAllow; // snarfcredential doesn't block evaluation, ever, it may restart
-                                                    // create out context from input hints, no merge
-                                                    // @@@ global copy template not being invoked...
+                logger.logSuccess();
+                               // doesn't block evaluation, ever
+                result = kAuthorizationResultAllow; 
                  context = hints;
              }
                  context = hints;
              }
-#if 0
-            else if (*currentMechanism == "switch_to_user")
-            {
-                AgentMechanismRef client(mClientUid, mSession);
-                client->terminate();
-            }
-#endif
              else
              else
+                       {
+                               string auditMsg = "unknown mechanism; ending rule evaluation";
+                Syslog::alert("Right '%s', mech '%s': %s", rightName.c_str(), (*currentMechanism).c_str(), auditMsg.c_str());
+                logger.logFailure(auditMsg);
                  return errAuthorizationInternal;
                  return errAuthorizationInternal;
+                       }
          }
  
          iter = mClients.find(*currentMechanism);
          }
  
          iter = mClients.find(*currentMechanism);
-
          if (iter != mClients.end())
          {
              try
              {
          if (iter != mClients.end())
          {
              try
              {
-                iter->second->run(inArguments, hints, context, &result);
-                secdebug("AuthEvalMech", "evaluate(%s) succeeded with result: %lu.", (iter->first).c_str(), result);
+                AgentMechanismRef &client = iter->second;
+                client->run(inArguments, hints, context, &result);
+
+                               bool interrupted = false;
+                               while (client->state() == client->current)
+                               {
+                                       // check for interruption
+                                       vector<std::string>::const_iterator checkMechanism = mMechanisms.begin();
+                                       while (*checkMechanism != *currentMechanism) {
+                                               ClientMap::iterator iter2 = mClients.find(*checkMechanism);
+                                               if (iter2->second->state() == iter2->second->interrupting)
+                                               {
+                                                       client->deactivate();
+                                                       // nothing can happen until the client mechanism returns control to us
+                                                       while (client->state() == client->deactivating)
+                                                               client->receive();
+                                                               
+                            string auditMsg = "evaluation interrupted by "; 
+                            auditMsg += (iter2->first).c_str();
+                            auditMsg += "; restarting evaluation there";
+                            secdebug("AuthEvalMech", "%s", auditMsg.c_str());
+                            logger.logInterrupt(auditMsg);
+
+                                                       interrupted = true;
+                                                       hints = iter2->second->inHints();
+                                                       context = iter2->second->inContext();
+                                                       currentMechanism = checkMechanism;
+                                                       break;
+                                               }
+                                               else
+                                                       checkMechanism++;
+                                       }
+                                       if (client->state() == client->current)
+                                               client->receive();
+                               } 
+                               
+                if (interrupted)
+                {
+                                       // clear reason for restart from interrupt
+                                       uint32_t reason = SecurityAgent::worldChanged;
+                                       AuthItemRef retryHint(AGENT_HINT_RETRY_REASON, AuthValueOverlay(sizeof(reason), &reason));
+                                       hints.erase(retryHint); hints.insert(retryHint); // replace
+
+                    result = kAuthorizationResultAllow;
+                    continue;
+                }
+                               else
+                                       secdebug("AuthEvalMech", "evaluate(%s) with result: %u.", (iter->first).c_str(), (uint32_t)result);
              }
              catch (...) {
              }
              catch (...) {
-                secdebug("AuthEvalMech", "exception from mech eval or client death");
+                string auditMsg = "exception during evaluation of ";
+                auditMsg += (iter->first).c_str();
+                secdebug("AuthEvalMech", "%s", auditMsg.c_str());
+                logger.logFailure(auditMsg);
                  result = kAuthorizationResultUndefined;
              }
          }
      
                  result = kAuthorizationResultUndefined;
              }
          }
      
-        // we own outHints and outContext
-        switch(result)
+        if (result == kAuthorizationResultAllow)
          {
          {
-            case kAuthorizationResultAllow:
-                secdebug("AuthEvalMech", "result allow");
-                currentMechanism++;
-                break;
-            case kAuthorizationResultDeny:
-                secdebug("AuthEvalMech", "result deny");
-                break;
-            case kAuthorizationResultUndefined:
-                secdebug("AuthEvalMech", "result undefined");
-                break; // abort evaluation
-            case kAuthorizationResultUserCanceled:
-                secdebug("AuthEvalMech", "result canceled");
-                break; // stop evaluation, return some sideband
-            default:
-                break; // abort evaluation
+            logger.logSuccess();
+            currentMechanism++;
          }
      }
          }
      }
-    
+
      if ((result == kAuthorizationResultUserCanceled) ||
          (result == kAuthorizationResultAllow))
      {
          mHints = hints;
      if ((result == kAuthorizationResultUserCanceled) ||
          (result == kAuthorizationResultAllow))
      {
          mHints = hints;
-        mContext = context;
+        mContext.clear(); 
+        // only make non-sticky context values available externally
+        AuthItemSet::const_iterator end = context.end();
+        for (AuthItemSet::const_iterator it = context.begin(); it != end; ++it) {
+            const AuthItemRef &item = *it;
+            if (item->flags() != kAuthorizationContextFlagSticky)
+                mContext.insert(item);
+        }
+        if (result == kAuthorizationResultUserCanceled)
+            logger.logFailure(NULL, errAuthorizationCanceled);
+    }
+    else if (result == kAuthorizationResultDeny)
+    {
+        // save off sticky values in context
+        mStickyContext.clear();
+        AuthItemSet::const_iterator end = context.end();
+        for (AuthItemSet::const_iterator it = context.begin(); it != end; ++it) {
+            const AuthItemRef &item = *it;
+            if (item->flags() == kAuthorizationContextFlagSticky)
+                mStickyContext.insert(item);
+        }
+        logger.logFailure();
      }
      
      // convert AuthorizationResult to OSStatus
      }
      
      // convert AuthorizationResult to OSStatus
@@ -151,8 +258,14 @@ AgentMechanismEvaluator::run(const AuthValueVector &inArguments, const AuthItemS
              return errAuthorizationCanceled;
          case kAuthorizationResultAllow:
              return errAuthorizationSuccess;
              return errAuthorizationCanceled;
          case kAuthorizationResultAllow:
              return errAuthorizationSuccess;
+        case kAuthorizationResultUndefined:
+            return errAuthorizationInternal;
          default:
          default:
+        {
+                       Syslog::alert("Right '%s': unexpected error result (%u)", rightName.c_str(), result);
+            logger.logFailure("unexpected error result", result);
              return errAuthorizationInternal;
              return errAuthorizationInternal;
+        }
      }    
  }
  
      }    
  }
  
@@ -170,15 +283,10 @@ AuthorizationResult AgentMechanismEvaluator::authinternal(AuthItemSet &context)
              break;
          string password(static_cast<const char *>((*found)->value().data), (*found)->value().length);
          secdebug("AuthEvalMech", "found password");
              break;
          string password(static_cast<const char *>((*found)->value().data), (*found)->value().length);
          secdebug("AuthEvalMech", "found password");
+
          Credential newCredential(username, password, true); // create a new shared credential
          Credential newCredential(username, password, true); // create a new shared credential
-        
          if (newCredential->isValid())
          if (newCredential->isValid())
-        {
-            Syslog::info("authinternal authenticated user %s (uid %lu).", newCredential->username().c_str(), newCredential->uid());
              return kAuthorizationResultAllow;
              return kAuthorizationResultAllow;
-        }
-        
-        Syslog::error("authinternal failed to authenticate user %s.", newCredential->username().c_str());
          
      } while (0);
      
          
      } while (0);