/*
 * Copyright (c) 2003-2007,2009-2010 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * AuthorizationRule.h
 * Security
 *
 */

#ifndef _H_AUTHORIZATIONRULE
#define _H_AUTHORIZATIONRULE 1

#include <CoreFoundation/CoreFoundation.h>
#include <security_cdsa_utilities/AuthorizationData.h>
#include "authority.h"

namespace Authorization
{

class Rule;

//
// RuleImpl is the reference-counted body of one authorization rule.
// An instance is built from a right name plus the CF dictionaries for that
// right and for the rule set it may delegate to, and is then asked to
// evaluate a requested right against the caller's environment and credentials.
// All evaluation entry points are const; the only state they may change is
// the mutable try counter below.
//
class RuleImpl : public RefCount
{
public:
	RuleImpl();
	// Parse a rule from its configuration dictionaries.
	//   inRightName - the right this rule governs
	//   cfRight     - the right's own configuration dictionary
	//   cfRules     - the dictionary of named rules (used when this rule refers to others)
	RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);

	// Evaluate inRight under this rule.
	//   environmentToClient - environment items; may be extended for the client
	//   flags               - AuthorizationFlags supplied by the caller
	//   now                 - evaluation time, used against credential age
	//   inCredentials       - credentials already held (may be NULL)
	//   credentials         - receives credentials produced by this evaluation
	//   auth                - the authorization token being evaluated
	//   reason              - receives the SecurityAgent reason on failure
	//   savePassword        - whether an obtained password may be retained
	// Returns an OSStatus; the status codes themselves are defined by the implementation.
	OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
		AuthorizationFlags flags, CFAbsoluteTime now,
		const CredentialSet *inCredentials, CredentialSet &credentials,
		AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Name of the right this rule was built for.
	string name() const { return mRightName; }
	// Whether the rule asks for the entered password to be extracted (see kExtractPasswordID).
	bool extractPassword() const { return mExtractPassword; }

private:
// internal machinery

	// evaluate credential for right
	// Checks whether an existing credential satisfies inRight; ignoreShared
	// controls whether a shared credential is acceptable for this check.
	OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule,
		const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
	// evaluate user credential (authentication) for right
	OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;

	// Evaluate the nested rules in mRuleDef (same argument contract as evaluate()).
	OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
		AuthItemSet &environmentToClient, AuthorizationFlags flags,
		CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
		AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Add hints for the SecurityAgent to environmentToClient; inTopLevelRule is the
	// rule the evaluation started from, not necessarily this one.
	void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;

	// perform authorization based on running specified mechanisms (see evaluateMechanism)
	OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Evaluate a user-class rule (same argument contract as evaluate()).
	OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
		AuthItemSet &environmentToClient, AuthorizationFlags flags,
		CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
		AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Run the rule's mechanisms without the surrounding credential logic;
	// credentials produced are returned in outCredentials.
	OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const;

	// find username hint based on session owner
	OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const;

	// Build the credential set this rule grants for auth.
	CredentialSet makeCredentials(const AuthorizationToken &auth) const;

	// Both accessors return a copy of the parsed localization map.
	map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
	map<string,string> localizedButtons() const { return mLocalizedButtons; }


// parsed attributes
private:
	// Rule class. Presumably parsed from the kRuleClassID value using the
	// kRule*ID key constants below — confirm against the implementation.
	enum Type
	{
		kDeny,
		kAllow,
		kUser,
		kRuleDelegation,
		kKofN,
		kEvaluateMechanisms,
	} mType;

	string mRightName;
	string mGroupName;						// presumably from kUserGroupID
	CFTimeInterval mMaxCredentialAge;		// presumably from kTimeoutID; compared against `now` during evaluation
	bool mShared;							// presumably from kSharedID
	bool mAllowRoot;						// presumably from kAllowRootID
	vector<string> mEvalDef;				// presumably the mechanism list from kMechanismsID
	bool mSessionOwner;						// presumably from kSessionOwnerID
	vector<Rule> mRuleDef;					// nested rules, evaluated by evaluateRules()
	uint32_t mKofN;							// presumably from kKofNID
	// Attempt counter; mutable so the const evaluate paths can update it.
	mutable uint32_t mTries;
	bool mExtractPassword;					// presumably from kExtractPasswordID
	bool mAuthenticateUser;					// presumably from kRuleAuthenticateUserID
	map<string,string> mLocalizedPrompts;	// presumably from kPromptID
	map<string,string> mLocalizedButtons;	// presumably from kButtonID

private:

	// Typed readers for rule configuration values. Each reads `key` from
	// `config`; `required` and `defaultValue` govern what happens when the key
	// is absent (the exact behavior is defined by the implementation).
	class Attribute
	{
	public:
		static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
		static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
		static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
		static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
		// Fills localizedPrompts from the dictionary under dictKey in config.
		static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey);
	};


// keys
	// Dictionary keys for rule attributes; the definitions live outside this header.
	static CFStringRef kUserGroupID;
	static CFStringRef kTimeoutID;
	static CFStringRef kSharedID;
	static CFStringRef kAllowRootID;
	static CFStringRef kMechanismsID;
	static CFStringRef kSessionOwnerID;
	static CFStringRef kKofNID;
	static CFStringRef kPromptID;
	static CFStringRef kButtonID;
	static CFStringRef kTriesID;
	static CFStringRef kExtractPasswordID;

	// Key and values for the rule class.
	static CFStringRef kRuleClassID;
	static CFStringRef kRuleAllowID;
	static CFStringRef kRuleDenyID;
	static CFStringRef kRuleUserID;
	static CFStringRef kRuleDelegateID;
	static CFStringRef kRuleMechanismsID;
	static CFStringRef kRuleAuthenticateUserID;
};

//
// Rule is the reference-counting handle to a RuleImpl; its constructors mirror
// those of RuleImpl.
//
class Rule : public RefPointer<RuleImpl>
{
public:
	Rule();
	Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
};

}; /* namespace Authorization */

#endif /* ! _H_AUTHORIZATIONRULE */