1/*
2 * Copyright (c) 2000-2007,2010-2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25//
26// authority - authorization manager
27//
28#ifndef _H_AUTHORITY
29#define _H_AUTHORITY
30
31#include <security_utilities/osxcode.h>
32#include <security_utilities/ccaudit.h>
33#include "database.h"
34#include "credential.h"
35#include <security_cdsa_utilities/AuthorizationData.h>
36
// These using-declarations sit at global scope in a header, so every
// translation unit that includes authority.h sees AuthItemSet, Credential,
// CredentialSet and AuditToken unqualified (not just this header).
using Authorization::AuthItemSet;
using Authorization::Credential;
using Authorization::CredentialSet;
using Security::CommonCriteria::AuditToken;

// Forward declarations: AuthorizationToken below only stores pointers to
// Process (ProcessSet) and takes Session/Process by reference, so the full
// definitions are not needed here.
class Process;
class Session;
44
//
// AuthorizationToken - one live authorization, owned by a Session (PerSession
// base). It is named by a randomized AuthorizationBlob (mHandle), carries the
// CredentialSet it was granted from (mBaseCreds), records the identity of the
// process that created it, and keeps side-band info from evaluations. Live
// tokens are registered in the static authMap and found there by blob.
//
class AuthorizationToken : public PerSession {
public:
	// ssn: the owning session. base: the initial credential set (kept as
	// mBaseCreds). auditToken: audit token of the creating process (kept as
	// mCreatorAuditToken). operateAsLeastPrivileged is recorded in
	// mOperatesAsLeastPrivileged; how the creator uid/gid/pid/code fields are
	// filled in is defined out of line.
	AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken, bool operateAsLeastPrivileged = false);
	~AuthorizationToken();

    // The Session this token belongs to (defined out of line).
    Session &session() const;

	// The blob that names this token. find() locates a token from the blob
	// alone, so anything holding the blob can reach the token: handle it
	// like a secret and only hand it out through mayExternalize().
	const AuthorizationBlob &handle() const		{ return mHandle; }
	// The credentials this token was granted from (see also mergeCredentials).
	const CredentialSet &baseCreds() const		{ return mBaseCreds; }
	// Credentials currently in effect. Defined out of line; presumably
	// derived from mBaseCreds - confirm in the implementation file.
	CredentialSet effectiveCreds() const;

	// Direct iteration over mBaseCreds (non-const iterators).
	// NOTE(review): these accessors do not take mLock; confirm that callers
	// hold it or are otherwise serialized against mergeCredentials().
	typedef CredentialSet::iterator iterator;
	iterator begin()		{ return mBaseCreds.begin(); }
	iterator end()			{ return mBaseCreds.end(); }

	// add more credential dependencies
	void mergeCredentials(const CredentialSet &more);

	// maintain process-owning links (mUsingProcesses)
	void addProcess(Process &proc);
	// Meaning of the bool return is defined out of line - presumably
	// "this was the last using process"; confirm before relying on it.
	bool endProcess(Process &proc);

	// access control for external representations
	// (i.e. handing the blob to another process and accepting one back)
	bool mayExternalize(Process &proc) const;
	// countIt presumably charges this call against mTransferCount
	// ("number of internalizations remaining") - confirm in the
	// implementation file.
	bool mayInternalize(Process &proc, bool countIt = true);

	// Identity of the process that created this authorization, as recorded
	// at construction in the mCreator* members.
	uid_t creatorUid() const	{ return mCreatorUid; }
	gid_t creatorGid() const	{ return mCreatorGid; }
    SecStaticCodeRef creatorCode() const { return mCreatorCode; }
	// Defined out of line; presumably derived from mCreatorCode.
	std::string creatorPath() const;
	pid_t creatorPid() const	{ return mCreatorPid; }
	bool creatorSandboxed() const { return mCreatorSandboxed; }

	const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }

	// Side-band info gathered from evaluations (mInfoSet). tag == NULL
	// presumably means "all items" - confirm in the implementation file.
	AuthItemSet infoSet(AuthorizationString tag = NULL);
	// The savePassword flag on the next four presumably controls whether
	// password material is retained in mSavedPassword; assumed from the
	// member names - confirm in the implementation file.
    void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
    void setCredentialInfo(const Credential &inCred, bool savePassword);
    void clearInfoSet();
	void scrubInfoSet(bool savePassword);
	bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; }

public:
	// Look up a live token by its blob (in authMap). Behavior when the blob
	// is unknown (throw vs. other) is defined out of line.
	static AuthorizationToken &find(const AuthorizationBlob &blob);

    // Holds a token (via RefPointer) together with a held lock for the
    // duration of a removal. Members are constructed in declaration order
    // and destroyed in reverse, so `lock` is constructed after mAuth is bound
    // and released before mAuth is dropped. Which Mutex `lock` guards is
    // chosen by the constructor (presumably authMapLock - confirm).
    class Deleter {
    public:
        Deleter(const AuthorizationBlob &blob);

        // Remove the held token (presumably from authMap - confirm).
        void remove();
        // Implicit conversion; dereferences mAuth, so only valid while
        // mAuth is non-null.
        operator AuthorizationToken &() const	{ return *mAuth; }

    private:
        RefPointer<AuthorizationToken> mAuth;
        StLock<Mutex> lock;
    };

private:
	mutable Mutex mLock;			// object lock (NOTE(review): which members it guards is not stated here; see implementation)
	AuthorizationBlob mHandle;		// official randomized blob marker; what find() keys on
	CredentialSet mBaseCreds;		// credentials we're based on

	unsigned int mTransferCount;	// number of internalizations remaining (presumably decremented by mayInternalize - confirm)

	typedef set<Process *> ProcessSet;
	ProcessSet mUsingProcesses;		// set of process objects using this token (non-owning pointers)

	uid_t mCreatorUid;				// Uid of process that created this authorization
	gid_t mCreatorGid;				// Gid of process that created this authorization
	CFCopyRef<SecStaticCodeRef> mCreatorCode; // code reference to creator
	pid_t mCreatorPid;				// Pid of process that created this authorization
	bool mCreatorSandboxed;         // A record of whether or not the creator was Sandboxed

	AuditToken mCreatorAuditToken;	// Audit token of the process that created this authorization

    AuthItemSet mInfoSet;			// Side band info gathered from evaluations in this session

	bool mOperatesAsLeastPrivileged;	// recorded from the constructor argument

	AuthItemSet mSavedPassword;		// retained password items (secret material); presumably cleared by scrubInfoSet - confirm

private:
	typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
	static AuthMap &authMap;			// set of extant authorizations (a reference; the map it binds to is defined out of line)
    static Mutex authMapLock;		// lock for authMap (only)
};
131
132#endif //_H_AUTHORITY
133