1/*
2 * Copyright (c) 2004,2006-2007,2011 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25//
26// acl_preauth - a subject type for modeling PINs and similar slot-specific
27//		pre-authentication schemes.
28//
29#ifndef _ACL_PREAUTH
30#define _ACL_PREAUTH
31
32#include <security_cdsa_utilities/cssmacl.h>
33#include <string>
34
35
36namespace Security {
37namespace PreAuthorizationAcls {
38
39
40class OriginMaker : public AclSubject::Maker {
41protected:
42	typedef LowLevelMemoryUtilities::Reader Reader;
43	typedef LowLevelMemoryUtilities::Writer Writer;
44public:
45	OriginMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH) { }
46	AclSubject *make(const TypedList &list) const;
47	AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const;
48};
49
50class SourceMaker : public AclSubject::Maker {
51protected:
52	typedef LowLevelMemoryUtilities::Reader Reader;
53	typedef LowLevelMemoryUtilities::Writer Writer;
54public:
55	SourceMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE) { }
56	AclSubject *make(const TypedList &list) const;
57	AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const;
58};
59
60
61//
62// The actual designation of the PreAuth source AclBearer is provide by the environment.
63//
64class Environment : public virtual AclValidationEnvironment {
65public:
66	virtual ObjectAcl *preAuthSource() = 0;
67};
68
69
70//
71// This is the object that is being "attached" (as an Adornment) to hold
72// the pre-authorization state of a SourceAclSubject.
73// The Adornable used for storage is determined by the Environment's store() method.
74//
75struct AclState {
76	AclState() : accepted(false) { }
77	bool accepted;						// was previously accepted by upstream
78};
79
80
81//
82// This is the "origin" subject class that gets created the usual way.
83// It models a pre-auth "origin" - i.e. it points at a preauth slot and accepts
84// its verdict on validation. Think of it as the "come from" part of the link.
85//
86class OriginAclSubject : public AclSubject {
87public:
88    bool validate(const AclValidationContext &ctx) const;
89    CssmList toList(Allocator &alloc) const;
90
91    OriginAclSubject(AclAuthorization auth);
92
93    void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
94    void exportBlob(Writer &pub, Writer &priv);
95
96	IFDUMP(void debugDump() const);
97
98private:
99	AclAuthorization mAuthTag;		// authorization tag referred to (origin only)
100};
101
102
103//
104// The "source" subject class describes the other end of the link; the "go to" part
105// if you will. Its sourceSubject is consulted for actual validation; and prior validation
106// state is remembered (through the environment store facility) so that future validation
107// attempts will automaticaly succeed (that's the "pre" in PreAuth).
108//
109class SourceAclSubject : public AclSubject {
110public:
111	bool validate(const AclValidationContext &ctx) const;
112	CssmList toList(Allocator &alloc) const;
113
114	SourceAclSubject(AclSubject *subSubject,
115		CSSM_ACL_PREAUTH_TRACKING_STATE state = CSSM_ACL_PREAUTH_TRACKING_UNKNOWN);
116
117	void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
118	void exportBlob(Writer &pub, Writer &priv);
119
120	IFDUMP(void debugDump() const);
121
122private:
123	RefPointer<AclSubject> mSourceSubject;	// subject determining outcome (source only)
124};
125
126
127
128}	//  namespace PreAuthorizationAcls
129}	//  namespace Security
130
131
132#endif //_ACL_PREAUTH
133