1/* 2 * Copyright (c) 2003-2004,2011-2014 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 25/* 26 * AuthorizationTagsPriv.h -- private Authorization tags 27 * 28 */ 29 30#ifndef _SECURITY_AUTHORIZATIONTAGSPRIV_H_ 31#define _SECURITY_AUTHORIZATIONTAGSPRIV_H_ 32 33/*! 34 @header AuthorizationTagsPriv 35 Version 1.0 10/2003 36 37 This header contains private details for authorization services. 38*/ 39 40 41/* 42 * meta-rightname prefixes that configure authorization for policy changes 43 */ 44 45/*! 46 @defined kConfigRightAdd 47 meta-rightname for prefix adding rights. 48*/ 49#define kAuthorizationConfigRightAdd "config.add." 50/*! 51 @defined kConfigRightModify 52 meta-rightname prefix for modifying rights. 53*/ 54#define kAuthorizationConfigRightModify "config.modify." 55/*! 56 @defined kConfigRightRemove 57 meta-rightname prefix for removing rights. 58*/ 59#define kAuthorizationConfigRightRemove "config.remove." 60/*! 61 @defined kConfigRight 62 meta-rightname prefix. 63*/ 64#define kConfigRight "config." 65 66/* 67 * Other rights 68 */ 69 70/*! @defined kAuthorizationRightScreensaver 71 the right requested to unlock the screen 72*/ 73#define kAuthorizationRightScreensaver "system.login.screensaver" 74 75/*! @defined LOGIN_KC_CREATION_RIGHT 76 the right used to invoke the right mechanisms to (re)create a login 77 keychain 78*/ 79#define LOGIN_KC_CREATION_RIGHT "system.keychain.create.loginkc" 80 81/* 82 * Miscellaneous rules 83 */ 84 85/*! 86 @defined kRuleIsRoot 87 canned rule for daemon to daemon convincing (see AuthorizationDB.h for 88 public ones) 89*/ 90#define kAuthorizationRuleIsRoot "is-root" 91 92/* 93 * Rule classes 94 */ 95 96/*! @defined kAuthorizationRuleClass 97 Specifying rule class 98*/ 99#define kAuthorizationRuleClass "class" 100 101/*! @defined kAuthorizationRuleClassUser 102 Specifying user class 103*/ 104#define kAuthorizationRuleClassUser "user" 105 106/*! @defined kAuthorizationRuleClassMechanisms 107 Specifying evaluate-mechanisms class 108*/ 109#define kAuthorizationRuleClassMechanisms "evaluate-mechanisms" 110 111/* 112 * Rule attributes to specify above classes 113 */ 114 115/*! @defined kAuthorizationRuleParameterGroup 116 string, group specification for user rules. 117*/ 118#define kAuthorizationRuleParameterGroup "group" 119 120/*! @defined kAuthorizationRuleParameterKofN 121 number, k specification for k-of-n 122*/ 123#define kAuthorizationRuleParameterKofN "k-of-n" 124 125/*! @defined kAuthorizationRuleParameterRules 126 rules specification for rule delegation (incl. k-of-n) 127*/ 128#define kAuthorizationRuleParameterRules "rules" 129 130/*! @defined kAuthorizationRuleParameterMechanisms 131 mechanism specification, a sequence of mechanisms to be evaluated 132*/ 133#define kAuthorizationRuleParameterMechanisms "mechanisms" 134 135/*! @defined kAuthorizationRightParameterTimeout 136 Timeout if any when a remembered right expires. 137 Special values: 138 - not specified retains previous behavior: most privileged, credential- 139 based. 140 - zero grants the right once (can be achieved with zero credential 141 timeout, needed?) 142 - all other values are interpreted as number of seconds since granted. 143*/ 144#define kAuthorizationRightParameterTimeout "timeout-right" 145 146/*! @defined kAuthorizationRuleParameterCredentialTimeout 147 Timeout if any for the use of cached credentials when authorizing rights. 148 - not specified allows for any credentials regardless of age; rights 149 will be remembered in authorizations, removing a credential does not 150 stop it from granting this right, specifying a zero timeout for the 151 right will delegate it back to requiring a credential. 152 - all other values are interpreted as number of seconds since the 153 credential was created 154 - zero only allows for the use of credentials created "now" 155 (this is deprecated by means of specifying zero for kRightTimeout) 156*/ 157#define kAuthorizationRuleParameterCredentialTimeout "timeout" 158 159/*! @defined kAuthorizationRuleParameterCredentialShared 160 boolean that indicates whether credentials acquired during 161 authorization are added to the shared pool. 162*/ 163#define kAuthorizationRuleParameterCredentialShared "shared" 164 165/*! @defined kAuthorizationRuleParameterAllowRoot 166 boolean that indicates whether to grant a right purely because the 167 caller is root 168*/ 169#define kAuthorizationRuleParameterAllowRoot "allow-root" 170 171/*! @defined kAuthorizationRuleParameterCredentialSessionOwner 172 boolean that indicates whether to grant a right based on a valid 173 session-owner credential 174*/ 175#define kAuthorizationRuleParameterCredentialSessionOwner "session-owner" 176 177/*! @defined kAuthorizationRuleParameterDefaultPrompt 178 dictionary of localization-name and localized prompt pairs 179*/ 180#define kAuthorizationRuleParameterDefaultPrompt "default-prompt" 181 182/*! @defined kAuthorizationRuleParameterDefaultButton 183 dictionary of localization-name and localized button name pairs 184 */ 185#define kAuthorizationRuleParameterDefaultButton "default-button" 186 187/*! @defined kAuthorizationRuleParameterDescription 188 string, default description of right. Usually localized versions are 189 added using the AuthorizationDBSet call (@see AuthorizationDB.h). 190*/ 191#define kAuthorizationRuleParameterDescription "description" 192 193/*! @defined kAuthorizationRuleParameterButton 194 string, name of the default button. Usually localized versions are 195 added using the AuthorizationDBSet call (@see AuthorizationDB.h). 196 */ 197#define kAuthorizationRuleParameterButton "button" 198 199/*! @defined kAuthorizationRuleParameterAuthenticateUser 200 boolean that indicates whether to authenticate the user requesting 201 authorization 202*/ 203#define kAuthorizationRuleParameterAuthenticateUser "authenticate-user" 204 205/*! @defined kAuthorizationRuleParameterExtractPassword 206 boolean that indicates that the password should be extracted to the context 207 */ 208#define kAuthorizationRuleParameterExtractPassword "extract-password" 209 210/*! @defined kAuthorizationRuleParameterEntitled 211 boolean that indicates whether to grant a right based on the entitlement 212 */ 213#define kAuthorizationRuleParameterEntitled "entitled" 214 215/*! @defined kAuthorizationRuleParameterEntitledAndGroup 216 boolean that indicates whether to grant a right base on the entitlement 217 and if the user is a member of kAuthorizationRuleParameterGroup 218 */ 219#define kAuthorizationRuleParameterEntitledAndGroup "entitled-group" 220 221/*! @defined kAuthorizationRuleParameterVPNEntitledAndGroup 222 boolean that indicates whether to grant a right base on the VPN entitlement 223 and if the user is a member of kAuthorizationRuleParameterGroup 224 */ 225#define kAuthorizationRuleParameterVPNEntitledAndGroup "vpn-entitled-group" 226 227/*! @defined kAuthorizationRuleParameterRequireAppleSigned 228 boolean require the caller to be signed by apple 229 */ 230#define kAuthorizationRuleParameterRequireAppleSigned "require-apple-signed" 231 232/* 233 * Hints for internal Authorization use 234 */ 235 236/* passed between securityd and agent */ 237#define AGENT_HINT_SUGGESTED_USER "suggested-user" 238#define AGENT_HINT_SUGGESTED_USER_LONG "suggested-realname" 239#define AGENT_HINT_REQUIRE_USER_IN_GROUP "require-user-in-group" 240#define AGENT_HINT_CUSTOM_PROMPT "prompt" 241#define AGENT_HINT_AUTHORIZE_RIGHT "authorize-right" 242#define AGENT_HINT_CLIENT_PID "client-pid" 243#define AGENT_HINT_CLIENT_UID "client-uid" 244#define AGENT_HINT_CLIENT_VALIDITY "client-signature-validity" 245#define AGENT_HINT_CREATOR_PID "creator-pid" 246#define AGENT_HINT_CREATOR_AUDIT_TOKEN "creator-audit-token" 247#define AGENT_HINT_CLIENT_TYPE "client-type" 248#define AGENT_HINT_CLIENT_PATH "client-path" 249#define AGENT_HINT_CLIENT_NAME "client-name" 250#define AGENT_HINT_TRIES "tries" 251#define AGENT_HINT_RETRY_REASON "reason" 252#define AGENT_HINT_AUTHORIZE_RULE "authorize-rule" 253#define AGENT_HINT_TOKEN_NAME "token-name" 254#define AGENT_HINT_PROCESS_SIGNED "process-apple-signed" 255#define AGENT_HINT_SHOW_RESET "show-reset" 256 257/* passed by loginwindow to securityd and agent */ 258#define AGENT_HINT_IMMEDIATE_LAUNCH "immediate-agent" 259 260/* keychain panels */ 261// ACLowner etc. code identity panel 262 263// Application Path is needed at this stage for identifying the application 264// for which the ACL entry is about to be updated 265#define AGENT_HINT_APPLICATION_PATH "application-path" 266#define AGENT_HINT_ACL_TAG "acl-tag" 267#define AGENT_HINT_GROUPKEY "group-key" 268#define AGENT_HINT_ACL_MISMATCH "acl-mismatch" 269#define AGENT_HINT_KEYCHAIN_ITEM_NAME "keychain-item-name" 270#define AGENT_HINT_KEYCHAIN_PATH "keychain-path" 271#define AGENT_HINT_WINDOW_LEVEL "window-level" 272 273/* Login Keychain Creation hint keys */ 274#define AGENT_HINT_ATTR_NAME "loginKCCreate:attributeName" 275#define AGENT_HINT_LOGIN_KC_NAME "loginKCCreate:pathName" 276#define AGENT_HINT_LOGIN_KC_EXISTS_IN_KC_FOLDER "loginKCCreate:exists" 277#define AGENT_HINT_LOGIN_KC_USER_NAME "loginKCCreate:userName" 278#define AGENT_HINT_LOGIN_KC_CUST_STR1 "loginKCCreate:customStr1" 279#define AGENT_HINT_LOGIN_KC_CUST_STR2 "loginKCCreate:customStr2" 280#define AGENT_HINT_LOGIN_KC_USER_HAS_OTHER_KCS_STR "loginKCCreate:moreThanOneKeychainExists" 281 282/* Keychain synchronization */ 283// iDisk keychain blob metainfo dictionary; follows "defaults" naming 284#define AGENT_HINT_KCSYNC_DICT "com.apple.keychainsync.dictionary" 285 286/* 287 * Context values for specific internal clients 288 */ 289 290/* passed from mechanisms to loginwindow */ 291#define kAuthorizationEnvironmentTokenSubserviceID "token-subservice-uid" 292 293// remote home directory specification 294#define AGENT_CONTEXT_AFP_DIR "afp_dir" 295// home directory (where it's locally mounted) 296#define AGENT_CONTEXT_HOME "home" 297#define AGENT_CONTEXT_UID "uid" 298#define AGENT_CONTEXT_GID "gid" 299// kerberos principal; decoded from auth-authority specification 300#define AGENT_CONTEXT_KERBEROSPRINCIPAL "kerberos-principal" 301// tell loginwindow where we're mounted 302// (this should really be equal to our homedirectory according to HOME 303#define AGENT_CONTEXT_MOUNTPOINT "mountpoint" 304 305/* authorization context passed from agent to securityd */ 306#define AGENT_USERNAME "username" 307#define AGENT_PASSWORD "password" 308#define AGENT_CONTEXT_NEW_PASSWORD "new-password" 309#define AGENT_CONTEXT_AUTO_LOGIN "auto-login" 310#define AGENT_CONTEXT_USER_CONSENT "user-consent" 311 312// Allow the user to choose to display their password 313#define AGENT_HINT_ALLOW_SHOW_PASSWORD "show-add-password" 314 315#define AGENT_HINT_SHOW_ADD_TO_KEYCHAIN "show-add-to-keychain" 316#define AGENT_CONTEXT_RESET_PASSWORD "reset-password" 317 318/* can be in hints or context */ 319#define AGENT_ADD_TO_KEYCHAIN "add-to-keychain" 320 321#define AGENT_CONTEXT_AUTHENTICATION_FAILURE "authentication-failure" 322 323/* keychain panels */ 324// ACLowner etc. code identity panel 325#define AGENT_CONTEXT_REMEMBER_ACTION "remember-action" 326#define AGENT_CONTEXT_ALLOW "allow" 327 328#endif /* !_SECURITY_AUTHORIZATIONTAGSPRIV_H_ */ 329