#ifndef _H_AUTHORIZATIONENGINE
#define _H_AUTHORIZATIONENGINE 1
#include <Security/Authorization.h>
#include <Security/AuthorizationPlugin.h>
#include "AuthorizationData.h"
#include <Security/refcount.h>
#include <Security/threading.h>
#include <Security/osxsigning.h>
#include "agentquery.h"
#include <CoreFoundation/CFDate.h>
#include <CoreFoundation/CFDictionary.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <map>
#include <set>
#include <string>
class AuthorizationToken;
namespace Authorization
{
// Error type for the authorization engine. It wraps a plain int code and
// maps it into the CSSM and OSStatus error spaces through the overrides below.
class Error : public CssmCommonError {
protected:
    // Protected: callers raise an Error through throwMe() rather than
    // constructing one directly.
    Error(int err);
public:
    // The raw code this instance was created with (presumably the `err`
    // passed to the constructor — confirm in the implementation).
    const int error;
    virtual CSSM_RETURN cssmError() const throw();
    virtual OSStatus osStatus() const throw();
    virtual const char *what () const throw();
    // Raises an Error carrying `err`; marked noreturn, so control never
    // continues past a call.
    static void throwMe(int err = -1) __attribute((noreturn));
};
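// Reference-counted record of one authenticated identity: a username plus
// the uid/gid it resolved to, with a creation time and a validity flag that
// rules consult later (see Rule::mMaxCredentialAge and Rule::evaluate).
class CredentialImpl : public RefCount
{
public:
    // Builds a credential for an account whose uid/gid are already known.
    CredentialImpl(const string &username, const uid_t uid, gid_t gid, bool shared);
    // Builds a credential from a username/password pair. No member of this
    // class stores the password, so the object cannot retain it past this
    // constructor; presumably it is verified here — confirm in the .cpp.
    CredentialImpl(const string &username, const string &password, bool shared);
    ~CredentialImpl();

    // Strict weak ordering; presumably what Credential::operator< and thus
    // CredentialSet rely on — confirm in the .cpp.
    bool operator < (const CredentialImpl &other) const;
    // Reports the `shared` flag given at construction (mShared).
    bool isShared() const;
    // Folds state from another credential into this one; which fields are
    // merged is not visible here — see the .cpp.
    void merge(const CredentialImpl &other);
    // Creation timestamp (mCreationTime), in CFAbsoluteTime units.
    CFAbsoluteTime creationTime() const;
    // mValid; presumably cleared by invalidate() — confirm in the .cpp.
    bool isValid() const;
    void invalidate();

    inline const string& username() const { return mUsername; }
    // Scalars are returned by value; a top-level const on such a return type
    // has no effect (it only triggers -Wignored-qualifiers), so it is omitted.
    inline uid_t uid() const { return mUid; }
    inline gid_t gid() const { return mGid; }
private:
    string mUsername;
    bool mShared;
    uid_t mUid;
    gid_t mGid;
    CFAbsoluteTime mCreationTime;
    bool mValid;
};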
// Ref-counted handle to a CredentialImpl. The two identity constructors
// mirror CredentialImpl's; presumably each allocates the implementation
// object and takes it over — confirm in the .cpp.
class Credential : public RefPointer<CredentialImpl>
{
public:
    // Empty handle (no implementation object attached).
    Credential();
    // Wraps an existing implementation object.
    Credential(CredentialImpl *impl);
    Credential(const string &username, const uid_t uid, gid_t gid, bool shared);
    Credential(const string &username, const string &password, bool shared);
    ~Credential();
    // Ordering used by CredentialSet (a set<Credential>); presumably
    // delegates to CredentialImpl::operator< — confirm in the .cpp.
    bool operator < (const Credential &other) const;
};
// Ordered set of credentials, keyed by Credential::operator<. Used both for
// the credentials a caller already holds and for those a rule produces.
typedef set<Credential> CredentialSet;
// One authorization rule: the policy that decides whether a Right is granted.
// A rule is one of four types (see Type below) and is built from a CF object,
// presumably the per-right entry of the rules dictionary parsed by Engine.
class Rule
{
public:
    Rule();
    // NOTE(review): non-explicit, so any CFTypeRef converts implicitly to a
    // Rule; confirm that is intended before relying on it.
    Rule(CFTypeRef cfRule);
    Rule(const Rule &other);
    Rule &operator = (const Rule &other);
    ~Rule();
    // Evaluates this rule for `inRight`. `inCredentials` are the credentials
    // the caller already holds; credentials obtained during evaluation are
    // added to `credentials`. `now` is supplied by the caller so the age
    // check (mMaxCredentialAge) is not tied to the wall clock inside the rule.
    // Returns an OSStatus; the exact codes are defined in the .cpp.
    OSStatus evaluate(const Right &inRight, const AuthorizationEnvironment *environment,
        AuthorizationFlags flags, CFAbsoluteTime now,
        const CredentialSet *inCredentials, CredentialSet &credentials,
        AuthorizationToken &auth);
private:
    // Evaluates the rule against a single existing credential; `ignoreShared`
    // presumably controls whether a credential's shared flag is honoured —
    // confirm in the .cpp.
    OSStatus evaluate(const Right &inRight, const AuthorizationEnvironment *environment,
        CFAbsoluteTime now, const Credential &credential, bool ignoreShared);
    // Asks the user (through the SecurityAgent query client) for a credential;
    // `usernameHint` pre-fills the prompt and `reason` tells the agent why.
    // The new credential is returned through `outCredential`.
    OSStatus obtainCredential(QueryAuthorizeByGroup &client, const Right &inRight,
        const AuthorizationEnvironment *environment, const char *usernameHint,
        Credential &outCredential, SecurityAgent::Reason reason);
    // Runs the external mechanism named by mEvalDef for kEvalMech rules;
    // credentials it yields are placed in `outCredentials`.
    OSStatus evaluateMechanism(const AuthorizationEnvironment *environment, AuthorizationToken &auth, CredentialSet &outCredentials);

    // Rule kinds. kDeny/kAllow presumably decide without user interaction,
    // kUserInGroup requires membership in mGroupName, kEvalMech runs mEvalDef.
    enum Type
    {
        kDeny,
        kAllow,
        kUserInGroup,
        kEvalMech
    } mType;
    // Group a user must belong to (kUserInGroup).
    string mGroupName;
    // Maximum age of a credential that may satisfy this rule without
    // re-authentication; presumably compared against Credential creationTime
    // and the `now` passed to evaluate() — confirm in the .cpp.
    CFTimeInterval mMaxCredentialAge;
    // Presumably whether credentials obtained for this rule may be shared
    // with other rights (cf. CredentialImpl's shared flag) — confirm.
    bool mShared;
    // NOTE(review): presumably lets uid 0 satisfy the rule without a
    // credential; verify how evaluate() applies it, since it widens what the
    // rule grants.
    bool mAllowRoot;
    // Mechanism definition string for kEvalMech rules.
    string mEvalDef;

    // Dictionary keys recognised when a rule is built from CFTypeRef
    // (presumably the keys of the rules file entries — confirm in the .cpp).
    static CFStringRef kUserInGroupID;
    static CFStringRef kTimeoutID;
    static CFStringRef kSharedID;
    static CFStringRef kAllowRootID;
    static CFStringRef kDenyID;
    static CFStringRef kAllowID;
    static CFStringRef kEvalMechID;
};
// Loads the authorization rules file and evaluates rights against it.
// NOTE(review): the rules file is the policy root for everything this engine
// grants — its ownership/permissions and the reload path below (readRules,
// updateRules) determine what an attacker who can write it could authorize;
// confirm how readRules() treats a missing or unreadable file.
class Engine
{
public:
    // `configFile` is the path of the rules file (kept in mRulesFileName).
    Engine(const char *configFile);
    ~Engine();
    // Evaluates every right in `inRights`. Already-held credentials come in
    // through `inCredentials`; credentials obtained on the way are returned in
    // `outCredentials`, and the rights actually granted in `outRights`.
    // Returns an OSStatus; the exact codes are defined in the .cpp.
    OSStatus authorize(const RightSet &inRights, const AuthorizationEnvironment *environment,
        AuthorizationFlags flags, const CredentialSet *inCredentials, CredentialSet *outCredentials,
        MutableRightSet *outRights, AuthorizationToken &auth);
private:
    // Re-reads the rules if they appear to have changed; `now` together with
    // mLastChecked presumably throttles how often the file is re-examined —
    // confirm in the .cpp.
    void updateRules(CFAbsoluteTime now);
    // Reads and parses the rules file named by mRulesFileName.
    void readRules();
    // Parses the top-level rules dictionary (one entry per right).
    void parseRules(CFDictionaryRef rules);
    // Shaped as a CFDictionaryApplierFunction; presumably invoked once per
    // dictionary entry from parseRules() with `context` pointing at the Engine.
    static void parseRuleCallback(const void *key, const void *value, void *context);
    // Builds the Rule for one right name and stores it in mRules.
    void parseRule(CFStringRef right, CFTypeRef rule);
    // Looks up the rule that applies to `inRight`; how an unmatched right is
    // resolved (e.g. a default rule) is not visible here — see the .cpp.
    Rule getRule(const Right &inRight) const;

    // Path of the rules file. Raw C string: ownership and release are
    // presumably handled in the constructor/destructor — confirm.
    char *mRulesFileName;
    // Time the rules file was last examined by updateRules().
    CFAbsoluteTime mLastChecked;
    // Modification time of the rules file as of the last read; presumably
    // compared against a fresh stat() to detect changes — confirm.
    struct timespec mRulesFileMtimespec;
    // Parsed rules keyed by right name.
    typedef map<string, Rule> RuleMap;
    RuleMap mRules;
    // Guards the rule table; mutable so const members such as getRule()
    // can take it.
    mutable Mutex mLock;
};
};
#endif