/*
 * Copyright (c) 2003-2004,2011-2014 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


/*
 *  AuthorizationTagsPriv.h -- private Authorization tags
 *  
 */

#ifndef _SECURITY_AUTHORIZATIONTAGSPRIV_H_
#define _SECURITY_AUTHORIZATIONTAGSPRIV_H_

/*!
	@header AuthorizationTagsPriv
	Version 1.0 10/2003

	This header contains private details for authorization services.
*/


/* 
 * meta-rightname prefixes that configure authorization for policy changes 
 */

/*!
	@defined kConfigRightAdd
	meta-rightname for prefix adding rights.
*/
#define kAuthorizationConfigRightAdd	"config.add."
/*!
	@defined kConfigRightModify
	meta-rightname prefix for modifying rights.
*/
#define kAuthorizationConfigRightModify	"config.modify."
/*!
	@defined kConfigRightRemove
	meta-rightname prefix for removing rights.
*/
#define kAuthorizationConfigRightRemove	"config.remove."
/*!
	@defined kConfigRight
	meta-rightname prefix.
*/
#define kConfigRight					"config."

/*
 * Other rights
 */

/*! @defined kAuthorizationRightScreensaver
    the right requested to unlock the screen 
*/
#define kAuthorizationRightScreensaver "system.login.screensaver"

/*! @defined LOGIN_KC_CREATION_RIGHT
	the right used to invoke the right mechanisms to (re)create a login
	keychain 
*/
#define LOGIN_KC_CREATION_RIGHT	"system.keychain.create.loginkc"

/*
 * Miscellaneous rules
 */

/*!
	@defined kRuleIsRoot
	canned rule for daemon to daemon convincing (see AuthorizationDB.h for 
    public ones)
*/
#define kAuthorizationRuleIsRoot				"is-root"

/* 
 * Rule classes 
 */

/*!	@defined kAuthorizationRuleClass
	Specifying rule class 
*/
#define kAuthorizationRuleClass					"class"

/*! @defined kAuthorizationRuleClassUser
	Specifying user class
*/
#define kAuthorizationRuleClassUser				"user"

/*! @defined kAuthorizationRuleClassMechanisms
	Specifying evaluate-mechanisms class
*/
#define kAuthorizationRuleClassMechanisms		"evaluate-mechanisms"

/* 
 * Rule attributes to specify above classes 
 */

/*! @defined kAuthorizationRuleParameterGroup
	string, group specification for user rules. 
*/
#define kAuthorizationRuleParameterGroup		"group"

/*! @defined kAuthorizationRuleParameterKofN
	number, k specification for k-of-n
*/
#define kAuthorizationRuleParameterKofN			"k-of-n"

/*! @defined kAuthorizationRuleParameterRules
	rules specification for rule delegation (incl. k-of-n)
*/
#define kAuthorizationRuleParameterRules		"rules"

/*! @defined kAuthorizationRuleParameterMechanisms
	mechanism specification, a sequence of mechanisms to be evaluated 
*/
#define kAuthorizationRuleParameterMechanisms	"mechanisms"

/*! @defined kAuthorizationRightParameterTimeout
	Timeout if any when a remembered right expires.
	Special values:
	- not specified retains previous behavior: most privileged, credential-
      based.
	- zero grants the right once (can be achieved with zero credential 
      timeout, needed?)
	- all other values are interpreted as number of seconds since granted.
*/
#define kAuthorizationRightParameterTimeout	"timeout-right"

/*! @defined kAuthorizationRuleParameterCredentialTimeout
	Timeout if any for the use of cached credentials when authorizing rights.
	- not specified allows for any credentials regardless of age; rights 
      will be remembered in authorizations, removing a credential does not 
      stop it from granting this right, specifying a zero timeout for the 
      right will delegate it back to requiring a credential.
	- all other values are interpreted as number of seconds since the 
      credential was created
	- zero only allows for the use of credentials created "now" 
      (this is deprecated by means of specifying zero for kRightTimeout)
*/
#define kAuthorizationRuleParameterCredentialTimeout		"timeout"

/*!	@defined kAuthorizationRuleParameterCredentialShared
	boolean that indicates whether credentials acquired during 
    authorization are added to the shared pool.
*/
#define kAuthorizationRuleParameterCredentialShared		"shared"

/*! @defined kAuthorizationRuleParameterAllowRoot
	boolean that indicates whether to grant a right purely because the 
    caller is root 
*/
#define kAuthorizationRuleParameterAllowRoot		"allow-root"

/*! @defined kAuthorizationRuleParameterCredentialSessionOwner
	boolean that indicates whether to grant a right based on a valid 
    session-owner credential 
*/
#define kAuthorizationRuleParameterCredentialSessionOwner		"session-owner"

/*! @defined kAuthorizationRuleParameterDefaultPrompt
	dictionary of localization-name and localized prompt pairs 
*/
#define kAuthorizationRuleParameterDefaultPrompt	"default-prompt"

/*! @defined kAuthorizationRuleParameterDefaultButton
 dictionary of localization-name and localized button name pairs 
 */
#define kAuthorizationRuleParameterDefaultButton	"default-button"

/*! @defined kAuthorizationRuleParameterDescription
    string, default description of right.  Usually localized versions are 
    added using the AuthorizationDBSet call (@see AuthorizationDB.h). 
*/
#define kAuthorizationRuleParameterDescription      "description"

/*! @defined kAuthorizationRuleParameterButton
 string, name of the default button.  Usually localized versions are 
 added using the AuthorizationDBSet call (@see AuthorizationDB.h). 
 */
#define kAuthorizationRuleParameterButton      "button"

/*! @defined kAuthorizationRuleParameterAuthenticateUser
	boolean that indicates whether to authenticate the user requesting 
    authorization 
*/
#define kAuthorizationRuleParameterAuthenticateUser		"authenticate-user"

/*! @defined kAuthorizationRuleParameterExtractPassword
	boolean that indicates that the password should be extracted to the context
 */
#define kAuthorizationRuleParameterExtractPassword		"extract-password"

/*! @defined kAuthorizationRuleParameterEntitled
 boolean that indicates whether to grant a right based on the entitlement
 */
#define kAuthorizationRuleParameterEntitled             "entitled"

/*! @defined kAuthorizationRuleParameterEntitledAndGroup
 boolean that indicates whether to grant a right base on the entitlement 
 and if the user is a member of kAuthorizationRuleParameterGroup
 */
#define kAuthorizationRuleParameterEntitledAndGroup		"entitled-group"

/*! @defined kAuthorizationRuleParameterVPNEntitledAndGroup
 boolean that indicates whether to grant a right base on the VPN entitlement
 and if the user is a member of kAuthorizationRuleParameterGroup
 */
#define kAuthorizationRuleParameterVPNEntitledAndGroup		"vpn-entitled-group"

/*! @defined kAuthorizationRuleParameterRequireAppleSigned
 boolean require the caller to be signed by apple
 */
#define kAuthorizationRuleParameterRequireAppleSigned		"require-apple-signed"

/*
 * Hints for internal Authorization use
 */

/* passed between securityd and agent */
#define AGENT_HINT_SUGGESTED_USER "suggested-user"
#define AGENT_HINT_SUGGESTED_USER_LONG "suggested-realname"
#define AGENT_HINT_REQUIRE_USER_IN_GROUP "require-user-in-group"
#define AGENT_HINT_CUSTOM_PROMPT "prompt"
#define AGENT_HINT_AUTHORIZE_RIGHT "authorize-right"
#define AGENT_HINT_CLIENT_PID "client-pid"
#define AGENT_HINT_CLIENT_UID "client-uid"
#define AGENT_HINT_CLIENT_VALIDITY "client-signature-validity"
#define AGENT_HINT_CREATOR_PID "creator-pid"
#define AGENT_HINT_CREATOR_AUDIT_TOKEN "creator-audit-token"
#define AGENT_HINT_CLIENT_TYPE "client-type"
#define AGENT_HINT_CLIENT_PATH "client-path"
#define AGENT_HINT_CLIENT_NAME "client-name"
#define AGENT_HINT_TRIES "tries"
#define AGENT_HINT_RETRY_REASON "reason"
#define AGENT_HINT_AUTHORIZE_RULE "authorize-rule"
#define AGENT_HINT_TOKEN_NAME "token-name"
#define AGENT_HINT_PROCESS_SIGNED "process-apple-signed"
#define AGENT_HINT_SHOW_RESET "show-reset"

/* passed by loginwindow to securityd and agent */
#define AGENT_HINT_IMMEDIATE_LAUNCH "immediate-agent"

/* keychain panels */
// ACLowner etc. code identity panel

// Application Path is needed at this stage for identifying the application 
// for which the ACL entry is about to be updated
#define AGENT_HINT_APPLICATION_PATH "application-path"
#define AGENT_HINT_ACL_TAG "acl-tag"
#define AGENT_HINT_GROUPKEY "group-key"
#define AGENT_HINT_ACL_MISMATCH "acl-mismatch"
#define AGENT_HINT_KEYCHAIN_ITEM_NAME "keychain-item-name"
#define AGENT_HINT_KEYCHAIN_PATH "keychain-path"
#define AGENT_HINT_WINDOW_LEVEL "window-level"

/* Login Keychain Creation hint keys */
#define AGENT_HINT_ATTR_NAME "loginKCCreate:attributeName"
#define AGENT_HINT_LOGIN_KC_NAME "loginKCCreate:pathName"
#define AGENT_HINT_LOGIN_KC_EXISTS_IN_KC_FOLDER "loginKCCreate:exists"
#define AGENT_HINT_LOGIN_KC_USER_NAME "loginKCCreate:userName"
#define AGENT_HINT_LOGIN_KC_CUST_STR1 "loginKCCreate:customStr1"
#define AGENT_HINT_LOGIN_KC_CUST_STR2 "loginKCCreate:customStr2"
#define AGENT_HINT_LOGIN_KC_USER_HAS_OTHER_KCS_STR "loginKCCreate:moreThanOneKeychainExists"

/* Keychain synchronization */
// iDisk keychain blob metainfo dictionary; follows "defaults" naming
#define AGENT_HINT_KCSYNC_DICT "com.apple.keychainsync.dictionary"

/*
 * Context values for specific internal clients
 */

/* passed from mechanisms to loginwindow */
#define kAuthorizationEnvironmentTokenSubserviceID "token-subservice-uid"

// remote home directory specification
#define AGENT_CONTEXT_AFP_DIR	"afp_dir"
// home directory (where it's locally mounted)
#define AGENT_CONTEXT_HOME		"home"
#define AGENT_CONTEXT_UID			"uid"
#define AGENT_CONTEXT_GID			"gid"
// kerberos principal; decoded from auth-authority specification
#define AGENT_CONTEXT_KERBEROSPRINCIPAL	"kerberos-principal"
// tell loginwindow where we're mounted
// (this should really be equal to our homedirectory according to HOME
#define AGENT_CONTEXT_MOUNTPOINT	"mountpoint"

/* authorization context passed from agent to securityd */
#define AGENT_USERNAME "username"
#define AGENT_PASSWORD "password"
#define AGENT_CONTEXT_NEW_PASSWORD "new-password"
#define AGENT_CONTEXT_AUTO_LOGIN "auto-login"
#define AGENT_CONTEXT_USER_CONSENT "user-consent"

// Allow the user to choose to display their password
#define AGENT_HINT_ALLOW_SHOW_PASSWORD "show-add-password"

#define AGENT_HINT_SHOW_ADD_TO_KEYCHAIN "show-add-to-keychain"
#define AGENT_CONTEXT_RESET_PASSWORD "reset-password"

/* can be in hints or context */
#define AGENT_ADD_TO_KEYCHAIN "add-to-keychain"

#define AGENT_CONTEXT_AUTHENTICATION_FAILURE "authentication-failure"

/* keychain panels */
// ACLowner etc. code identity panel
#define AGENT_CONTEXT_REMEMBER_ACTION   "remember-action"
#define AGENT_CONTEXT_ALLOW   "allow"

#endif /* !_SECURITY_AUTHORIZATIONTAGSPRIV_H_ */