#ifndef _H_SECURITYAGENTCLIENT
#define _H_SECURITYAGENTCLIENT
#if defined(__cplusplus)
#include <string>
#include <Security/mach++.h>
#include <Security/osxsigning.h>
#include <Security/cssmacl.h>
#include <Security/cssm.h>
#include <Security/Authorization.h>
#include <Security/AuthorizationPlugin.h>
#include <Security/AuthorizationWalkers.h>
namespace Security {
using MachPlusPlus::Port;
using MachPlusPlus::Bootstrap;
using CodeSigning::OSXCode;
namespace SecurityAgent {
#endif //C++ only
// Sizes of the fixed-length caller-supplied buffers used by the Client
// query*/retry* calls declared further down in this header.
// These sit outside the __cplusplus guard (closed just above), so they are
// visible to C as well as C++ and must stay C-compatible.
// NOTE(review): whether the terminating NUL is counted inside these bounds is
// not stated in this header - confirm against the implementation before
// sizing buffers.
static const unsigned int maxPassphraseLength = 1024;
static const unsigned int maxUsernameLength = 80;
// Why the agent is (re-)prompting, or why a staged query is being cancelled.
// The enumerators are numbered in groups of ten; every value is spelled out
// here so the numbering is stable and easy to cross-check.
// Outside the __cplusplus guard: plain C enum, no C++-only syntax.
enum Reason {
	// 0x: no specific reason
	noReason = 0,
	unknownReason = 1,

	// 1x: database (keychain) creation / passphrase change
	newDatabase = 11,
	changePassphrase = 12,

	// 2x: the supplied passphrase was rejected
	invalidPassphrase = 21,

	// 3x: a proposed new passphrase was rejected
	passphraseIsNull = 31,
	passphraseTooSimple = 32,
	passphraseRepeated = 33,
	passphraseUnacceptable = 34,

	// 4x: user / group problems
	userNotInGroup = 41,
	unacceptableUser = 42,

	// 6x: the interaction is being abandoned
	tooManyTries = 61,
	noLongerNeeded = 62,
	keychainAddFailed = 63,
	generalErrorCancel = 64
};
#if defined(__cplusplus)
//
// Client - client-side proxy for talking to the SecurityAgent process over
// Mach ports (mServerPort / mClientPort / mStagePort below).
//
// The prompting calls come in pairs: a query* call starts an interaction and
// the matching retry* call re-prompts with a Reason explaining why the previous
// answer was rejected; finishStagedQuery / cancelStagedQuery end it. Which
// interaction is in flight is tracked by the private `stage` member.
// This header only declares the class; behaviour beyond what the signatures
// show lives in the implementation file.
//
// NOTE(review): the username/passphrase parameters are written as
// `char buf[maxPassphraseLength]`, but C++ adjusts array parameters to plain
// `char *`, so the bound is documentation only and is not enforced by the
// compiler. Callers must hand in buffers of at least maxPassphraseLength /
// maxUsernameLength bytes. Those buffers receive secrets; nothing in this
// header clears them, so confirm the callers scrub them when done.
//
class Client {
public:
// Default construction, or construction for a specific client identified by
// its uid and bootstrap port. What the default form selects is not visible
// here - see the implementation.
Client();
Client(uid_t clientUID, Bootstrap clientBootstrap);
// Virtual destructor: activate()/terminate() are virtual, so the class is
// meant to be derived from.
virtual ~Client();
// activate: connect to the agent. bootstrapName is presumably the bootstrap
// service name to look up; NULL picks a default (TODO confirm in .cpp).
virtual void activate(const char *bootstrapName = NULL);
virtual void terminate();
// Inline accessors over the private flags below.
bool isActive() const { return mActive; }
bool keepAlive() const { return mKeepAlive; }
void keepAlive(bool ka) { mKeepAlive = ka; }
// End the staged interaction normally, or cancel it with a Reason that the
// agent can show/record.
void finishStagedQuery();
void cancelStagedQuery(Reason reason);
public:
// In/out descriptor for the "add to keychain" option of the generic
// passphrase queries. `show` and `setting` are presumably "display the
// checkbox" and "its current value" - confirm against the agent side.
struct KeychainBox {
bool show; bool setting; };
public:
// Unlock an existing database. requestor/requestPid identify the code that
// triggered the prompt (OSXCode comes from CodeSigning); `database` names the
// database; the passphrase is written into the caller's buffer.
void queryUnlockDatabase(const OSXCode *requestor, pid_t requestPid,
const char *database, char passphrase[maxPassphraseLength]);
void retryUnlockDatabase(Reason reason, char passphrase[maxPassphraseLength]);
// Ask for a new passphrase; `reason` says why (e.g. newDatabase or
// changePassphrase per the Reason enum).
void queryNewPassphrase(const OSXCode *requestor, pid_t requestPid,
const char *database, Reason reason, char passphrase[maxPassphraseLength]);
void retryNewPassphrase(Reason reason, char passphrase[maxPassphraseLength]);
// Result of queryKeychainAccess: whether access is granted, whether the
// caller should keep being granted without re-asking, and a passphrase
// buffer that is only meaningful when needPassphrase was set (inferred -
// confirm).
struct KeychainChoice {
bool allowAccess; bool continueGrantingToCaller; char passphrase[maxPassphraseLength]; };
// Ask the user whether `requestor` may perform `action` on `itemName` in
// `database`; the answer comes back in `choice`.
void queryKeychainAccess(const OSXCode *requestor, pid_t requestPid,
const char *database, const char *itemName, AclAuthorization action,
bool needPassphrase, KeychainChoice &choice);
// Generic (non-keychain) passphrase prompts with an optional "add to keychain"
// checkbox. Note the asymmetry: the query* forms take a KeychainBox, the
// retry* forms only the resulting bool.
void queryOldGenericPassphrase(const OSXCode *requestor, pid_t requestPid,
const char *prompt,
KeychainBox &addToKeychain, char passphrase[maxPassphraseLength]);
void retryOldGenericPassphrase(Reason reason,
bool &addToKeychain, char passphrase[maxPassphraseLength]);
void queryNewGenericPassphrase(const OSXCode *requestor, pid_t requestPid,
const char *prompt, Reason reason,
KeychainBox &addToKeychain, char passphrase[maxPassphraseLength]);
void retryNewGenericPassphrase(Reason reason,
bool &addToKeychain, char passphrase[maxPassphraseLength]);
// Authorization prompt: ask for credentials of a user in `neededGroup`,
// pre-filling `candidateUser` if given. Returns a bool whose meaning (success
// vs. user cancelled?) is not stated here - confirm before relying on it.
// The username buffer is bounded by maxUsernameLength, the passphrase by
// maxPassphraseLength (see the NOTE on the class).
bool authorizationAuthenticate(const OSXCode *requestor, pid_t requestPid,
const char *neededGroup, const char *candidateUser,
char username[maxUsernameLength], char passphrase[maxPassphraseLength]);
bool retryAuthorizationAuthenticate(Reason reason,
char username[maxUsernameLength], char passphrase[maxPassphraseLength]);
// Run an authorization plugin mechanism in the agent. Inputs are the plugin
// and mechanism ids plus the arguments/hints/context item sets; the result and
// the updated hints/context come back through the out-parameters.
// `string` is used unqualified here - presumably std::string via a using-
// declaration pulled in by one of the includes; this header does not supply
// it. outHintsPtr/outContextPtr are pointers assigned by the callee; who owns
// and frees the assigned AuthorizationItemSets is not stated here - TODO
// confirm against the implementation.
bool invokeMechanism(const string &inPluginId, const string &inMechanismId, const AuthorizationValueVector *inArguments, const AuthorizationItemSet *inHints, const AuthorizationItemSet *inContext, AuthorizationResult *outResult, AuthorizationItemSet *&outHintsPtr, AuthorizationItemSet *&outContextPtr);
// Tell the agent process to exit / abort whatever it is doing.
void terminateAgent();
void cancel();
private:
// Last OSStatus recorded by the implementation (usage not visible here).
OSStatus status;
private:
// Mach ports for the agent connection (Port is the MachPlusPlus wrapper).
Port mServerPort;
Port mClientPort;
bool mActive;
// Identity of the desktop (login) session the agent is attached to.
uid_t desktopUid;
gid_t desktopGid;
bool mUsePBS;
Bootstrap mClientBootstrap;
// Raw Mach port, not a Port wrapper like the others - so no RAII release here;
// confirm the implementation deallocates it.
mach_port_t pbsBootstrap;
bool mKeepAlive;
// Which staged interaction is currently in progress (mainStage = none, inferred
// from the name).
enum Stage {
mainStage, unlockStage, newPassphraseStage, newGenericPassphraseStage, oldGenericPassphraseStage, authorizeStage, invokeMechanismStage } stage;
Port mStagePort;
// Implementation helpers.
void setClientGroupID(const char *grpName = NULL);
void locateDesktop();
void establishServer(const char *name);
// check: presumably turns a Mach kern_return_t error into a C++ exception;
// TODO confirm.
void check(kern_return_t error);
void unstage();
private:
// Message id used for the cancel request on the port protocol (value fixed by
// the agent side; keep in sync).
static const int cancelMessagePseudoID = 1200;
};
};
}
#endif //C++ only
#endif //_H_SECURITYAGENTCLIENT