#ifndef _H_SECURITYAGENTCLIENT
#define _H_SECURITYAGENTCLIENT
#if defined(__cplusplus)
#include <string>
#include <Security/mach++.h>
#include <Security/osxsigning.h>
#include <Security/cssmacl.h>
#include <Security/cssm.h>
#include <Security/Authorization.h>
#include <Security/AuthorizationPlugin.h>
#include <Security/AuthorizationWalkers.h>
#include <Security/AuthorizationData.h>
using Authorization::AuthItemSet;
using Authorization::AuthValueVector;
namespace Security {
using MachPlusPlus::Port;
using MachPlusPlus::Bootstrap;
using CodeSigning::OSXCode;
namespace SecurityAgent {
#endif //C++ only
// Upper bounds for the fixed-size credential buffers the Client query methods
// below take (char passphrase[maxPassphraseLength], char username[maxUsernameLength]).
// These sit outside the C++-only region, so they stay plain static const to remain
// usable from C includers. Note that an array parameter decays to a pointer, so the
// compiler does not enforce these bounds at call sites -- callers must size their
// buffers to at least these lengths.
static const unsigned int maxPassphraseLength = 1024;
static const unsigned int maxUsernameLength = 80;
// Retry budget for an authorization attempt; presumably the agent reports
// Reason::tooManyTries once it is exhausted -- TODO confirm against the agent side.
#define kMaximumAuthorizationTries 3
// Why a query is being (re)issued or cancelled. The values are wire-visible
// between client and agent, so every member is pinned explicitly; the gaps
// between groups are intentional and must be preserved. Kept as a plain enum
// because this region is also compiled as C.
enum Reason {
    /* generic */
    noReason               = 0,
    unknownReason          = 1,

    /* database lifecycle */
    newDatabase            = 11,
    changePassphrase       = 12,

    /* unlock failures */
    invalidPassphrase      = 21,

    /* new-passphrase policy rejections */
    passphraseIsNull       = 31,
    passphraseTooSimple    = 32,
    passphraseRepeated     = 33,
    passphraseUnacceptable = 34,
    oldPassphraseWrong     = 35,

    /* authorization / user checks */
    userNotInGroup         = 41,
    unacceptableUser       = 42,

    /* terminal outcomes */
    tooManyTries           = 61,
    noLongerNeeded         = 62,
    keychainAddFailed      = 63,
    generalErrorCancel     = 64
};
// Keys for the hint dictionary handed to the agent alongside a query. The string
// values are part of the client/agent contract -- do not rename them.
// Prompt / policy hints.
#define AGENT_HINT_SUGGESTED_USER "suggestedUser"
#define AGENT_HINT_REQUIRE_USER_IN_GROUP "requireUserInGroup"
#define AGENT_HINT_CUSTOM_PROMPT "prompt"
#define AGENT_HINT_AUTHORIZE_RIGHT "authorizeRight"
// Identity of the requesting process as presented to the user. NOTE(review): this
// header does not show whether the agent re-derives these from the Mach audit
// trailer or simply displays what the caller supplied -- confirm before relying on
// them for anything beyond the UI prompt.
#define AGENT_HINT_CLIENT_PID "clientPid"
#define AGENT_HINT_CLIENT_UID "clientUid"
#define AGENT_HINT_CREATOR_PID "creatorPid"
#define AGENT_HINT_CLIENT_TYPE "clientType"
#define AGENT_HINT_CLIENT_PATH "clientPath"
// Retry bookkeeping (count so far, and the Reason for the retry).
#define AGENT_HINT_TRIES "tries"
#define AGENT_HINT_RETRY_REASON "reason"
#define AGENT_HINT_AUTHORIZE_RULE "authorizeRule"
// Hints specific to login-keychain creation ("loginKCCreate:" prefix).
#define AGENT_HINT_ATTR_NAME "loginKCCreate:attributeName"
#define AGENT_HINT_LOGIN_KC_NAME "loginKCCreate:pathName"
#define AGENT_HINT_LOGIN_KC_EXISTS_IN_KC_FOLDER "loginKCCreate:exists"
#define AGENT_HINT_LOGIN_KC_USER_NAME "loginKCCreate:userName"
#define AGENT_HINT_LOGIN_KC_CUST_STR1 "loginKCCreate:customStr1"
#define AGENT_HINT_LOGIN_KC_CUST_STR2 "loginKCCreate:customStr2"
#define AGENT_HINT_LOGIN_KC_USER_HAS_OTHER_KCS_STR "loginKCCreate:moreThanOneKeychainExists"
// Authorization right that gates creating the login keychain.
#define LOGIN_KC_CREATION_RIGHT "system.keychain.create.loginkc"
#if defined(__cplusplus)
// Client-side handle to a SecurityAgent instance: locates or launches the agent
// for a desktop session, then issues staged UI queries (unlock, new passphrase,
// keychain access, authorization, plugin mechanisms) over Mach ports.
//
// Secret handling: every query that collects a passphrase writes it into a
// caller-owned char buffer (or into KeychainChoice::passphrase). Those array
// parameters decay to char*, so the maxPassphraseLength bound is a contract,
// not something the compiler checks. NOTE(review): callers should zero these
// buffers once the secret has been consumed; nothing in this header does it.
class Client {
public:
Client();
// clientUID / clientBootstrap identify the session the agent should serve;
// agentName selects which agent to contact.
Client(uid_t clientUID, Bootstrap clientBootstrap, const char *agentName);
virtual ~Client();
virtual void activate();
virtual void terminate();
bool isActive() const { return mActive; }
// When set, the agent is presumably kept running between queries rather than
// torn down -- confirm against the .cpp.
bool keepAlive() const { return mKeepAlive; }
void keepAlive(bool ka) { mKeepAlive = ka; }
// Complete or abort the query currently in progress (see Stage below).
void finishStagedQuery();
void cancelStagedQuery(Reason reason);
public:
// UI state for the "add to keychain" checkbox: whether to show it and its value.
struct KeychainBox {
bool show; bool setting; };
public:
// Unlock an existing database. `requestor`/`requestPid` describe the caller shown
// to the user; the passphrase is returned in the caller's buffer.
void queryUnlockDatabase(const OSXCode *requestor, pid_t requestPid,
const char *database, char passphrase[maxPassphraseLength]);
void retryUnlockDatabase(Reason reason, char passphrase[maxPassphraseLength]);
// Collect a new passphrase (and the old one, for a change). `reason` may carry a
// policy rejection from a previous attempt.
void queryNewPassphrase(const OSXCode *requestor, pid_t requestPid,
const char *database, Reason reason, char passphrase[maxPassphraseLength], char oldPassphrase[maxPassphraseLength]);
void retryNewPassphrase(Reason reason, char passphrase[maxPassphraseLength], char oldPassphrase[maxPassphraseLength]);
// Result of a keychain-access prompt. `passphrase` is only meaningful when the
// query was issued with needPassphrase; it is an inline array, so the secret
// lives wherever the caller placed the struct.
struct KeychainChoice {
bool allowAccess; bool continueGrantingToCaller; char passphrase[maxPassphraseLength]; };
// Ask the user to allow `action` on `itemName` in `database`.
void queryKeychainAccess(const OSXCode *requestor, pid_t requestPid,
const char *database, const char *itemName, AclAuthorization action,
bool needPassphrase, KeychainChoice &choice);
void retryQueryKeychainAccess (Reason reason, KeychainChoice &choice);
// Confirm the requestor's code identity against an ACL entry.
void queryCodeIdentity(const OSXCode *requestor, pid_t requestPid,
const char *aclPath, KeychainChoice &choice);
// Generic (non-keychain) passphrase prompts with a free-form `prompt` string.
void queryOldGenericPassphrase(const OSXCode *requestor, pid_t requestPid,
const char *prompt,
KeychainBox &addToKeychain, char passphrase[maxPassphraseLength]);
void retryOldGenericPassphrase(Reason reason,
bool &addToKeychain, char passphrase[maxPassphraseLength]);
void queryNewGenericPassphrase(const OSXCode *requestor, pid_t requestPid,
const char *prompt, Reason reason,
KeychainBox &addToKeychain, char passphrase[maxPassphraseLength]);
void retryNewGenericPassphrase(Reason reason,
bool &addToKeychain, char passphrase[maxPassphraseLength]);
// Username/password authentication for an authorization right. Returns a bool;
// whether it means "user accepted" or "credentials valid" is decided by the
// implementation -- see the .cpp. `username` is bounded by maxUsernameLength.
bool authorizationAuthenticate(const OSXCode *requestor, pid_t requestPid,
const char *neededGroup, const char *candidateUser,
char username[maxUsernameLength], char passphrase[maxPassphraseLength]);
bool retryAuthorizationAuthenticate(Reason reason,
char username[maxUsernameLength], char passphrase[maxPassphraseLength]);
// Run an authorization plugin mechanism in the agent; hints and context are
// in/out and `outResult` receives the mechanism's verdict. Unqualified `string`
// here relies on a using-declaration pulled in by an included header.
bool invokeMechanism(const string &inPluginId, const string &inMechanismId, const AuthValueVector &inArguments, AuthItemSet &inHints, AuthItemSet &inContext, AuthorizationResult *outResult);
void terminateAgent();
void cancel();
private:
OSStatus status;
private:
Port mServerPort;
Port mClientPort;
bool mActive;
uid_t desktopUid;
Bootstrap mClientBootstrap;
bool mKeepAlive;
// Which multi-step query is outstanding; a retry/finish/cancel applies to it.
enum Stage {
mainStage, unlockStage, newPassphraseStage, newGenericPassphraseStage, oldGenericPassphraseStage, authorizeStage, queryKeychainAccessStage,
invokeMechanismStage } stage;
Port mStagePort;
string mAgentName;
void locateDesktop();
void establishServer();
// Presumably converts a Mach kern_return_t failure into an exception -- confirm.
void check(kern_return_t error);
void unstage();
private:
// Message ID used for out-of-band cancellation of a staged query.
static const int cancelMessagePseudoID = 1200;
};
};
}
#endif //C++ only
#endif //_H_SECURITYAGENTCLIENT