1/*
2 *  Copyright (c) 2003-2007,2009-2010 Apple Inc. All Rights Reserved.
3 *
4 *  @APPLE_LICENSE_HEADER_START@
5 *
6 *  This file contains Original Code and/or Modifications of Original Code
7 *  as defined in and that are subject to the Apple Public Source License
8 *  Version 2.0 (the 'License'). You may not use this file except in
9 *  compliance with the License. Please obtain a copy of the License at
10 *  http://www.opensource.apple.com/apsl/ and read it before using this
11 *  file.
12 *
13 *  The Original Code and all software distributed under the License are
14 *  distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 *  EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 *  INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 *  FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 *  Please see the License for the specific language governing rights and
19 *  limitations under the License.
20 *
21 *  @APPLE_LICENSE_HEADER_END@
22 *
23 *  AuthorizationRule.h
24 *  Security
25 *
26 */
27
28#ifndef _H_AUTHORIZATIONRULE
29#define _H_AUTHORIZATIONRULE  1
30
31#include <CoreFoundation/CoreFoundation.h>
32#include <security_cdsa_utilities/AuthorizationData.h>
33#include "authority.h"
34
35namespace Authorization
36{
37
38class Rule;
39
// One parsed rule (or right) from the authorization database, used to decide
// whether a requested right is granted. Instances are reference counted and
// are normally reached through the Rule handle declared below.
//
// NOTE(review): several of the parsed attributes below (mAllowRoot, mShared,
// mSessionOwner, mExtractPassword, mMaxCredentialAge) directly relax or widen
// what an evaluation accepts; changes to how they are parsed or defaulted
// deserve the same scrutiny as changes to evaluate() itself.
class RuleImpl : public RefCount
{
public:
	RuleImpl();
	// Build a rule named inRightName from its dictionary (cfRight) plus the
	// shared rule table (cfRules) it may delegate to. Attribute parsing goes
	// through the Attribute helpers declared further down.
	RuleImpl(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);

	// Evaluate this rule for inRight. inCredentials are the credentials the
	// caller already holds (may be null); any credentials newly established
	// during evaluation are added to `credentials`. `reason` is filled in on
	// the failure path for the agent; `savePassword` is threaded down to the
	// mechanism-based paths. Returns an OSStatus (errAuthorization* on denial).
	// Note the method is const yet mTries is mutable, so evaluation can still
	// update the retry counter.
	OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
		AuthorizationFlags flags, CFAbsoluteTime now,
		const CredentialSet *inCredentials, CredentialSet &credentials,
		AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Name of the right this rule was built for.
	string name() const { return mRightName; }
	// Whether the rule asks for the authenticating user's password to be
	// extracted (presumably handed back alongside the result; see
	// kExtractPasswordID). Treat any consumer of this flag as handling a secret.
	bool extractPassword() const { return mExtractPassword; }

private:
// internal machinery

	// evaluate credential for right: does an already-established credential
	// satisfy this rule for inRight at time `now`? ignoreShared controls whether
	// a credential marked shared is acceptable.
	OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule,
                                        const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
	// evaluate user credential (authentication) for right: same question, but for
	// a credential that represents a user authentication rather than a plain grant.
	OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;

	// Evaluate the sub-rules in mRuleDef (kRuleDelegation / kKofN types).
	OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
    AuthItemSet &environmentToClient, AuthorizationFlags flags,
	CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
	AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Populate environmentToClient with the hints (prompts, buttons, ...) the
	// agent needs for this right and its top-level rule.
	void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;

	// perform authorization based on running specified mechanisms (see evaluateMechanism)
	OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Evaluation path for kUser rules (group membership / user authentication).
	OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
		AuthItemSet &environmentToClient, AuthorizationFlags flags,
		CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
		AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const;

	// Evaluation path for kEvaluateMechanisms rules: run mEvalDef without the
	// credential machinery; results land in outCredentials.
	OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const;

	// find username hint based on session owner
	OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const;

	// Derive a credential set from the token (presumably the caller's identity;
	// confirm against the implementation).
	CredentialSet makeCredentials(const AuthorizationToken &auth) const;

	// Localized UI text parsed from the rule dictionary (keyed by locale).
	map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
	map<string,string> localizedButtons() const { return mLocalizedButtons; }


// parsed attributes
private:
	// Rule class, from kRuleClassID. Dispatches which evaluate* path runs.
	enum Type
	{
		kDeny,               // always fail
		kAllow,              // always succeed (no authentication)
		kUser,               // require a user, see mGroupName / mAuthenticateUser
		kRuleDelegation,     // delegate to the rules in mRuleDef
		kKofN,               // succeed when mKofN of mRuleDef succeed
		kEvaluateMechanisms, // run the mechanisms in mEvalDef
	} mType;

	string mRightName;
	// Group the authenticating user must belong to (kUserGroupID); empty means none.
	string mGroupName;
	// How long an existing credential may be reused for this right
	// (kTimeoutID); the credential-age check in evaluateCredentialForRight is
	// where this is consulted.
	CFTimeInterval mMaxCredentialAge;
	// Whether credentials obtained here may be shared with other rights
	// (kSharedID). Sharing widens the blast radius of one authentication.
	bool mShared;
	// Whether running as root satisfies the rule without authenticating
	// (kAllowRootID).
	bool mAllowRoot;
	// Mechanism names to run, in order (kMechanismsID).
	vector<string> mEvalDef;
	// Whether the console session owner is offered as the username hint
	// (kSessionOwnerID); see evaluateSessionOwner.
	bool mSessionOwner;
	// Sub-rules for delegation and k-of-n.
	vector<Rule> mRuleDef;
	// Number of mRuleDef entries that must succeed for kKofN (kKofNID).
	uint32_t mKofN;
	// Remaining/allowed authentication attempts (kTriesID). Mutable so that
	// const evaluation can count attempts; NOTE(review): if rules are shared
	// across concurrent evaluations this counter is unsynchronized here.
	mutable uint32_t mTries;
	// See extractPassword().
	bool mExtractPassword;
	// Whether a kUser rule must actually authenticate the user rather than
	// only check membership (kRuleAuthenticateUserID).
	bool mAuthenticateUser;
	map<string,string> mLocalizedPrompts;
	map<string,string> mLocalizedButtons;

private:

	// Typed accessors over the rule's CFDictionary. `required` governs whether
	// a missing key is an error; otherwise defaultValue is returned. Every
	// default passed here is effectively part of the security policy.
	class Attribute
	{
	public:
		static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
		static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
		static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
		static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
		// Load the locale->text map under dictKey into localizedPrompts;
		// descriptionKey names the entry for diagnostics. Returns whether
		// anything was found.
		static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts, CFStringRef dictKey, const char *descriptionKey);
	};


// keys
	// Attribute keys in a rule/right dictionary.
	static CFStringRef kUserGroupID;
	static CFStringRef kTimeoutID;
	static CFStringRef kSharedID;
	static CFStringRef kAllowRootID;
	static CFStringRef kMechanismsID;
	static CFStringRef kSessionOwnerID;
	static CFStringRef kKofNID;
	static CFStringRef kPromptID;
	static CFStringRef kButtonID;
	static CFStringRef kTriesID;
	static CFStringRef kExtractPasswordID;

	// Rule class key and its accepted values (map onto enum Type above).
	static CFStringRef kRuleClassID;
	static CFStringRef kRuleAllowID;
	static CFStringRef kRuleDenyID;
	static CFStringRef kRuleUserID;
	static CFStringRef kRuleDelegateID;
	static CFStringRef kRuleMechanismsID;
	static CFStringRef kRuleAuthenticateUserID;
};
150
// Reference-counted handle to a RuleImpl. Copies share the same parsed rule,
// which is why RuleImpl keeps its evaluation entry points const.
class Rule : public RefPointer<RuleImpl>
{
public:
	// Empty handle (null RuleImpl).
	Rule();
	// Parse and wrap a new RuleImpl; see RuleImpl's constructor for arguments.
	Rule(const string &inRightName, CFDictionaryRef cfRight, CFDictionaryRef cfRules);
};
157
158}; /* namespace Authorization */
159
160#endif /* ! _H_AUTHORIZATIONRULE */
161