1/*
2 * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24//
25// Access.h - Access control wrappers
26//
27#ifndef _SECURITY_ACCESS_H_
28#define _SECURITY_ACCESS_H_
29
30#include <security_keychain/ACL.h>
31#include <security_utilities/trackingallocator.h>
32#include <security_cdsa_utilities/cssmaclpod.h>
33#include <security_cdsa_utilities/cssmacl.h>
34#include <security_cdsa_client/aclclient.h>
35#include <security_keychain/TrustedApplication.h>
36#include <map>
37
38namespace Security {
39namespace KeychainCore {
40
41using CssmClient::AclBearer;
42
43
44class Access : public SecCFObject {
45	NOCOPY(Access)
46public:
47	SECCFFUNCTIONS(Access, SecAccessRef, errSecInvalidItemRef, gTypes().Access)
48
49	class Maker {
50		NOCOPY(Maker)
51		static const size_t keySize = 16;	// number of (random) bytes
52		friend class Access;
53	public:
54		enum MakerType {kStandardMakerType, kAnyMakerType};
55
56		Maker(Allocator &alloc = Allocator::standard(), MakerType makerType = kStandardMakerType);
57
58		void initialOwner(ResourceControlContext &ctx, const AccessCredentials *creds = NULL);
59		const AccessCredentials *cred();
60
61		TrackingAllocator allocator;
62
63		static const char creationEntryTag[];
64
65		MakerType makerType() {return mMakerType;}
66
67	private:
68		CssmAutoData mKey;
69		AclEntryInput mInput;
70		AutoCredentials mCreds;
71		MakerType mMakerType;
72	};
73
74public:
75	// make default forms
76    Access(const string &description);
77    Access(const string &description, const ACL::ApplicationList &trusted);
78    Access(const string &description, const ACL::ApplicationList &trusted,
79		const AclAuthorizationSet &limitedRights, const AclAuthorizationSet &freeRights);
80
81	// make a completely open Access (anyone can do anything)
82	Access();
83
84	// retrieve from an existing AclBearer
85	Access(AclBearer &source);
86
87	// make from CSSM layer information (presumably retrieved by caller)
88	Access(const CSSM_ACL_OWNER_PROTOTYPE &owner,
89		uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls);
90    virtual ~Access();
91
92public:
93	CFArrayRef copySecACLs() const;
94	CFArrayRef copySecACLs(CSSM_ACL_AUTHORIZATION_TAG action) const;
95
96	void add(ACL *newAcl);
97	void addOwner(ACL *newOwnerAcl);
98
99	void setAccess(AclBearer &target, bool update = false);
100	void setAccess(AclBearer &target, Maker &maker);
101
102	template <class Container>
103	void findAclsForRight(AclAuthorization right, Container &cont)
104	{
105		cont.clear();
106		for (Map::const_iterator it = mAcls.begin(); it != mAcls.end(); it++)
107			if (it->second->authorizes(right))
108				cont.push_back(it->second);
109	}
110
111	std::string promptDescription() const;	// from any one of the ACLs contained
112
113	void addApplicationToRight(AclAuthorization right, TrustedApplication *app);
114
115	void copyOwnerAndAcl(CSSM_ACL_OWNER_PROTOTYPE * &owner,
116		uint32 &aclCount, CSSM_ACL_ENTRY_INFO * &acls);
117
118protected:
119    void makeStandard(const string &description, const ACL::ApplicationList &trusted,
120		const AclAuthorizationSet &limitedRights = AclAuthorizationSet(),
121		const AclAuthorizationSet &freeRights = AclAuthorizationSet());
122    void compile(const CSSM_ACL_OWNER_PROTOTYPE &owner,
123        uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls);
124
125	void editAccess(AclBearer &target, bool update, const AccessCredentials *cred);
126
127private:
128	static const CSSM_ACL_HANDLE ownerHandle = ACL::ownerHandle;
129	typedef map<CSSM_ACL_HANDLE, SecPointer<ACL> > Map;
130
131	Map mAcls;			// set of ACL entries
132	Mutex mMutex;
133};
134
135
136} // end namespace KeychainCore
137} // end namespace Security
138
139#endif // !_SECURITY_ACCESS_H_
140