1/*
2 * Copyright (c) 2003-2004,2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25/*
26 *  AuthorizationTagsPriv.h -- private Authorization tags
27 *
28 */
29
30#ifndef _SECURITY_AUTHORIZATIONTAGSPRIV_H_
31#define _SECURITY_AUTHORIZATIONTAGSPRIV_H_
32
33/*!
34	@header AuthorizationTagsPriv
35	Version 1.0 10/2003
36
37	This header contains private details for authorization services.
38*/
39
40
41/*
42 * meta-rightname prefixes that configure authorization for policy changes
43 */
44
45/*!
46	@defined kConfigRightAdd
47	meta-rightname for prefix adding rights.
48*/
49#define kAuthorizationConfigRightAdd	"config.add."
50/*!
51	@defined kConfigRightModify
52	meta-rightname prefix for modifying rights.
53*/
54#define kAuthorizationConfigRightModify	"config.modify."
55/*!
56	@defined kConfigRightRemove
57	meta-rightname prefix for removing rights.
58*/
59#define kAuthorizationConfigRightRemove	"config.remove."
60/*!
61	@defined kConfigRight
62	meta-rightname prefix.
63*/
64#define kConfigRight					"config."
65
66/*
67 * Other rights
68 */
69
70/*! @defined kAuthorizationRightScreensaver
71    the right requested to unlock the screen
72*/
73#define kAuthorizationRightScreensaver "system.login.screensaver"
74
75/*! @defined LOGIN_KC_CREATION_RIGHT
76	the right used to invoke the right mechanisms to (re)create a login
77	keychain
78*/
79#define LOGIN_KC_CREATION_RIGHT	"system.keychain.create.loginkc"
80
81/*
82 * Miscellaneous rules
83 */
84
85/*!
86	@defined kRuleIsRoot
87	canned rule for daemon to daemon convincing (see AuthorizationDB.h for
88    public ones)
89*/
90#define kAuthorizationRuleIsRoot				"is-root"
91
92/*
93 * Rule classes
94 */
95
96/*!	@defined kAuthorizationRuleClass
97	Specifying rule class
98*/
99#define kAuthorizationRuleClass					"class"
100
101/*! @defined kAuthorizationRuleClassUser
102	Specifying user class
103*/
104#define kAuthorizationRuleClassUser				"user"
105
106/*! @defined kAuthorizationRuleClassMechanisms
107	Specifying evaluate-mechanisms class
108*/
109#define kAuthorizationRuleClassMechanisms		"evaluate-mechanisms"
110
111/*
112 * Rule attributes to specify above classes
113 */
114
115/*! @defined kAuthorizationRuleParameterGroup
116	string, group specification for user rules.
117*/
118#define kAuthorizationRuleParameterGroup		"group"
119
120/*! @defined kAuthorizationRuleParameterKofN
121	number, k specification for k-of-n
122*/
123#define kAuthorizationRuleParameterKofN			"k-of-n"
124
125/*! @defined kAuthorizationRuleParameterRules
126	rules specification for rule delegation (incl. k-of-n)
127*/
128#define kAuthorizationRuleParameterRules		"rules"
129
130/*! @defined kAuthorizationRuleParameterMechanisms
131	mechanism specification, a sequence of mechanisms to be evaluated
132*/
133#define kAuthorizationRuleParameterMechanisms	"mechanisms"
134
135/*! @defined kAuthorizationRightParameterTimeout
136	Timeout if any when a remembered right expires.
137	Special values:
138	- not specified retains previous behavior: most privileged, credential-
139      based.
140	- zero grants the right once (can be achieved with zero credential
141      timeout, needed?)
142	- all other values are interpreted as number of seconds since granted.
143*/
144#define kAuthorizationRightParameterTimeout	"timeout-right"
145
146/*! @defined kAuthorizationRuleParameterCredentialTimeout
147	Timeout if any for the use of cached credentials when authorizing rights.
148	- not specified allows for any credentials regardless of age; rights
149      will be remembered in authorizations, removing a credential does not
150      stop it from granting this right, specifying a zero timeout for the
151      right will delegate it back to requiring a credential.
152	- all other values are interpreted as number of seconds since the
153      credential was created
154	- zero only allows for the use of credentials created "now"
155      (this is deprecated by means of specifying zero for kRightTimeout)
156*/
157#define kAuthorizationRuleParameterCredentialTimeout		"timeout"
158
159/*!	@defined kAuthorizationRuleParameterCredentialShared
160	boolean that indicates whether credentials acquired during
161    authorization are added to the shared pool.
162*/
163#define kAuthorizationRuleParameterCredentialShared		"shared"
164
165/*! @defined kAuthorizationRuleParameterAllowRoot
166	boolean that indicates whether to grant a right purely because the
167    caller is root
168*/
169#define kAuthorizationRuleParameterAllowRoot		"allow-root"
170
171/*! @defined kAuthorizationRuleParameterCredentialSessionOwner
172	boolean that indicates whether to grant a right based on a valid
173    session-owner credential
174*/
175#define kAuthorizationRuleParameterCredentialSessionOwner		"session-owner"
176
177/*! @defined kAuthorizationRuleParameterDefaultPrompt
178	dictionary of localization-name and localized prompt pairs
179*/
180#define kAuthorizationRuleParameterDefaultPrompt	"default-prompt"
181
182/*! @defined kAuthorizationRuleParameterDefaultButton
183 dictionary of localization-name and localized button name pairs
184 */
185#define kAuthorizationRuleParameterDefaultButton	"default-button"
186
187/*! @defined kAuthorizationRuleParameterDescription
188    string, default description of right.  Usually localized versions are
189    added using the AuthorizationDBSet call (@see AuthorizationDB.h).
190*/
191#define kAuthorizationRuleParameterDescription      "description"
192
193/*! @defined kAuthorizationRuleParameterButton
194 string, name of the default button.  Usually localized versions are
195 added using the AuthorizationDBSet call (@see AuthorizationDB.h).
196 */
197#define kAuthorizationRuleParameterButton      "button"
198
199/*! @defined kAuthorizationRuleParameterAuthenticateUser
200	boolean that indicates whether to authenticate the user requesting
201    authorization
202*/
203#define kAuthorizationRuleParameterAuthenticateUser		"authenticate-user"
204
205/*! @defined kAuthorizationRuleParameterExtractPassword
206	boolean that indicates that the password should be extracted to the context
207 */
208#define kAuthorizationRuleParameterExtractPassword		"extract-password"
209
210/*! @defined kAuthorizationRuleParameterEntitled
211 boolean that indicates whether to grant a right based on the entitlement
212 */
213#define kAuthorizationRuleParameterEntitled             "entitled"
214
215/*! @defined kAuthorizationRuleParameterEntitledAndGroup
216 boolean that indicates whether to grant a right base on the entitlement
217 and if the user is a member of kAuthorizationRuleParameterGroup
218 */
219#define kAuthorizationRuleParameterEntitledAndGroup		"entitled-group"
220
221/*! @defined kAuthorizationRuleParameterVPNEntitledAndGroup
222 boolean that indicates whether to grant a right base on the VPN entitlement
223 and if the user is a member of kAuthorizationRuleParameterGroup
224 */
225#define kAuthorizationRuleParameterVPNEntitledAndGroup		"vpn-entitled-group"
226
227/*! @defined kAuthorizationRuleParameterRequireAppleSigned
228 boolean require the caller to be signed by apple
229 */
230#define kAuthorizationRuleParameterRequireAppleSigned		"require-apple-signed"
231
232/*
233 * Hints for internal Authorization use
234 */
235
236/* passed between securityd and agent */
237#define AGENT_HINT_SUGGESTED_USER "suggested-user"
238#define AGENT_HINT_SUGGESTED_USER_LONG "suggested-realname"
239#define AGENT_HINT_REQUIRE_USER_IN_GROUP "require-user-in-group"
240#define AGENT_HINT_CUSTOM_PROMPT "prompt"
241#define AGENT_HINT_AUTHORIZE_RIGHT "authorize-right"
242#define AGENT_HINT_CLIENT_PID "client-pid"
243#define AGENT_HINT_CLIENT_UID "client-uid"
244#define AGENT_HINT_CLIENT_VALIDITY "client-signature-validity"
245#define AGENT_HINT_CREATOR_PID "creator-pid"
246#define AGENT_HINT_CREATOR_AUDIT_TOKEN "creator-audit-token"
247#define AGENT_HINT_CLIENT_TYPE "client-type"
248#define AGENT_HINT_CLIENT_PATH "client-path"
249#define AGENT_HINT_CLIENT_NAME "client-name"
250#define AGENT_HINT_TRIES "tries"
251#define AGENT_HINT_RETRY_REASON "reason"
252#define AGENT_HINT_AUTHORIZE_RULE "authorize-rule"
253#define AGENT_HINT_TOKEN_NAME "token-name"
254#define AGENT_HINT_PROCESS_SIGNED "process-apple-signed"
255#define AGENT_HINT_SHOW_RESET "show-reset"
256
257/* passed by loginwindow to securityd and agent */
258#define AGENT_HINT_IMMEDIATE_LAUNCH "immediate-agent"
259
260/* keychain panels */
261// ACLowner etc. code identity panel
262
263// Application Path is needed at this stage for identifying the application
264// for which the ACL entry is about to be updated
265#define AGENT_HINT_APPLICATION_PATH "application-path"
266#define AGENT_HINT_ACL_TAG "acl-tag"
267#define AGENT_HINT_GROUPKEY "group-key"
268#define AGENT_HINT_ACL_MISMATCH "acl-mismatch"
269#define AGENT_HINT_KEYCHAIN_ITEM_NAME "keychain-item-name"
270#define AGENT_HINT_KEYCHAIN_PATH "keychain-path"
271#define AGENT_HINT_WINDOW_LEVEL "window-level"
272
273/* Login Keychain Creation hint keys */
274#define AGENT_HINT_ATTR_NAME "loginKCCreate:attributeName"
275#define AGENT_HINT_LOGIN_KC_NAME "loginKCCreate:pathName"
276#define AGENT_HINT_LOGIN_KC_EXISTS_IN_KC_FOLDER "loginKCCreate:exists"
277#define AGENT_HINT_LOGIN_KC_USER_NAME "loginKCCreate:userName"
278#define AGENT_HINT_LOGIN_KC_CUST_STR1 "loginKCCreate:customStr1"
279#define AGENT_HINT_LOGIN_KC_CUST_STR2 "loginKCCreate:customStr2"
280#define AGENT_HINT_LOGIN_KC_USER_HAS_OTHER_KCS_STR "loginKCCreate:moreThanOneKeychainExists"
281
282/* Keychain synchronization */
283// iDisk keychain blob metainfo dictionary; follows "defaults" naming
284#define AGENT_HINT_KCSYNC_DICT "com.apple.keychainsync.dictionary"
285
286/*
287 * Context values for specific internal clients
288 */
289
290/* passed from mechanisms to loginwindow */
291#define kAuthorizationEnvironmentTokenSubserviceID "token-subservice-uid"
292
293// remote home directory specification
294#define AGENT_CONTEXT_AFP_DIR	"afp_dir"
295// home directory (where it's locally mounted)
296#define AGENT_CONTEXT_HOME		"home"
297#define AGENT_CONTEXT_UID			"uid"
298#define AGENT_CONTEXT_GID			"gid"
299// kerberos principal; decoded from auth-authority specification
300#define AGENT_CONTEXT_KERBEROSPRINCIPAL	"kerberos-principal"
301// tell loginwindow where we're mounted
302// (this should really be equal to our homedirectory according to HOME
303#define AGENT_CONTEXT_MOUNTPOINT	"mountpoint"
304
305/* authorization context passed from agent to securityd */
306#define AGENT_USERNAME "username"
307#define AGENT_PASSWORD "password"
308#define AGENT_CONTEXT_NEW_PASSWORD "new-password"
309#define AGENT_CONTEXT_AUTO_LOGIN "auto-login"
310#define AGENT_CONTEXT_USER_CONSENT "user-consent"
311
312// Allow the user to choose to display their password
313#define AGENT_HINT_ALLOW_SHOW_PASSWORD "show-add-password"
314
315#define AGENT_HINT_SHOW_ADD_TO_KEYCHAIN "show-add-to-keychain"
316#define AGENT_CONTEXT_RESET_PASSWORD "reset-password"
317
318/* can be in hints or context */
319#define AGENT_ADD_TO_KEYCHAIN "add-to-keychain"
320
321#define AGENT_CONTEXT_AUTHENTICATION_FAILURE "authentication-failure"
322
323/* keychain panels */
324// ACLowner etc. code identity panel
325#define AGENT_CONTEXT_REMEMBER_ACTION   "remember-action"
326#define AGENT_CONTEXT_ALLOW   "allow"
327
328#endif /* !_SECURITY_AUTHORIZATIONTAGSPRIV_H_ */
329