/*
 * Copyright (c) 2004,2006-2007,2011 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// acl_preauth - a subject type for modeling PINs and similar slot-specific
// pre-authentication schemes.
//
#ifndef _ACL_PREAUTH
#define _ACL_PREAUTH

#include <security_cdsa_utilities/cssmacl.h>
#include <string>


namespace Security {
namespace PreAuthorizationAcls {


//
// Subject makers. Each is constructed with a fixed subject type code (handed to the
// base AclSubject::Maker) and builds the matching subject either from a TypedList
// (the CSSM list form of an ACL subject) or from a versioned public/private pair of
// Readers - presumably the counterpart of the subjects' exportBlob() methods; confirm
// against the .cpp. Note that the Writer typedef is not used by any declaration in
// this header.
//
class OriginMaker : public AclSubject::Maker {
protected:
	typedef LowLevelMemoryUtilities::Reader Reader;
	typedef LowLevelMemoryUtilities::Writer Writer;
public:
	OriginMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH) { }
	// Build an origin subject from its CSSM list form.
	AclSubject *make(const TypedList &list) const;
	// Rebuild an origin subject from a serialized (version-tagged) pub/priv pair.
	AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const;
};

class SourceMaker : public AclSubject::Maker {
protected:
	typedef LowLevelMemoryUtilities::Reader Reader;
	typedef LowLevelMemoryUtilities::Writer Writer;
public:
	SourceMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE) { }
	// Build a source subject from its CSSM list form.
	AclSubject *make(const TypedList &list) const;
	// Rebuild a source subject from a serialized (version-tagged) pub/priv pair.
	AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const;
};


//
// The actual designation of the PreAuth source AclBearer is provided by the environment.
// Implementations supply the ObjectAcl that a SourceAclSubject consults. Inherits
// AclValidationEnvironment virtually so it can share one base with other environment
// refinements. Ownership and lifetime of the returned ObjectAcl are not specified here;
// callers should not assume they own it.
//
class Environment : public virtual AclValidationEnvironment {
public:
	virtual ObjectAcl *preAuthSource() = 0;
};


//
// This is the object that is being "attached" (as an Adornment) to hold
// the pre-authorization state of a SourceAclSubject.
// The Adornable used for storage is determined by the Environment's store() method
// (store() is not declared in this header; presumably inherited from AclValidationEnvironment).
//
// NOTE(review): `accepted` is the cached verdict. Per the SourceAclSubject comment below,
// once it is set later validations are meant to succeed without consulting the source
// subject again, so the Adornable that stores this object bounds both the lifetime of
// the pre-authorization and who can grant it - it should only be reachable from the
// validation path.
//
struct AclState {
	AclState() : accepted(false) { }	// start out not pre-authorized
	bool accepted;			// was previously accepted by upstream
};


//
// This is the "origin" subject class that gets created the usual way.
// It models a pre-auth "origin" - i.e. it points at a preauth slot and accepts
// its verdict on validation. Think of it as the "come from" part of the link.
// The slot is identified by mAuthTag; the origin carries no credentials of its own.
//
class OriginAclSubject : public AclSubject {
public:
	// Accept or reject according to the verdict of the referenced pre-auth slot
	// (per the class comment; the exact lookup lives in the .cpp).
	bool validate(const AclValidationContext &ctx) const;
	// CSSM list form of this subject, presumably allocated from alloc.
	CssmList toList(Allocator &alloc) const;

	// auth names the pre-auth slot this origin refers to. The constructor is not
	// explicit, so an AclAuthorization converts implicitly to an OriginAclSubject.
	OriginAclSubject(AclAuthorization auth);

	// Serialize the subject into public and private parts. The Writer::Counter
	// overload is presumably the sizing pass that precedes the real write -
	// confirm against LowLevelMemoryUtilities.
	void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
	void exportBlob(Writer &pub, Writer &priv);

	IFDUMP(void debugDump() const);	// debugging dump, gated by the IFDUMP macro

private:
	AclAuthorization mAuthTag;		// authorization tag referred to (origin only)
};


//
// The "source" subject class describes the other end of the link; the "go to" part
// if you will. Its sourceSubject is consulted for actual validation; and prior validation
// state is remembered (through the environment store facility) so that future validation
// attempts will automatically succeed (that's the "pre" in PreAuth).
//
class SourceAclSubject : public AclSubject {
public:
	// Validate by consulting mSourceSubject, or by the remembered AclState once a
	// prior validation has been accepted (per the class comment).
	bool validate(const AclValidationContext &ctx) const;
	// CSSM list form of this subject, presumably allocated from alloc.
	CssmList toList(Allocator &alloc) const;

	// subSubject is the subject that actually decides the outcome; it is held in a
	// RefPointer, so the caller should not delete it afterwards (confirm RefPointer's
	// ownership rules). state defaults to UNKNOWN; no member declared in this header
	// stores it, so check the .cpp for how it is used.
	SourceAclSubject(AclSubject *subSubject,
		CSSM_ACL_PREAUTH_TRACKING_STATE state = CSSM_ACL_PREAUTH_TRACKING_UNKNOWN);

	// Serialize the subject (and its source subject) into public and private parts;
	// the Writer::Counter overload is presumably the sizing pass.
	void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
	void exportBlob(Writer &pub, Writer &priv);

	IFDUMP(void debugDump() const);	// debugging dump, gated by the IFDUMP macro

private:
	RefPointer<AclSubject> mSourceSubject;	// subject determining outcome (source only)
};



} // namespace PreAuthorizationAcls
} // namespace Security


#endif //_ACL_PREAUTH