#ifndef _H_AUTHORITY
#define _H_AUTHORITY
#include <security_utilities/osxcode.h>
#include <security_utilities/ccaudit.h>
#include "database.h"
#include "credential.h"
#include <security_cdsa_utilities/AuthorizationData.h>
using Authorization::AuthItemSet;
using Authorization::Credential;
using Authorization::CredentialSet;
using Security::CommonCriteria::AuditToken;
class Process;
class Session;
class AuthorizationToken : public PerSession {
public:
AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken, bool operateAsLeastPrivileged = false);
~AuthorizationToken();
Session &session() const;
const AuthorizationBlob &handle() const { return mHandle; }
const CredentialSet &baseCreds() const { return mBaseCreds; }
CredentialSet effectiveCreds() const;
typedef CredentialSet::iterator iterator;
iterator begin() { return mBaseCreds.begin(); }
iterator end() { return mBaseCreds.end(); }
void mergeCredentials(const CredentialSet &more);
void addProcess(Process &proc);
bool endProcess(Process &proc);
bool mayExternalize(Process &proc) const;
bool mayInternalize(Process &proc, bool countIt = true);
uid_t creatorUid() const { return mCreatorUid; }
gid_t creatorGid() const { return mCreatorGid; }
SecStaticCodeRef creatorCode() const { return mCreatorCode; }
std::string creatorPath() const;
pid_t creatorPid() const { return mCreatorPid; }
bool creatorSandboxed() const { return mCreatorSandboxed; }
const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }
AuthItemSet infoSet(AuthorizationString tag = NULL);
void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
void setCredentialInfo(const Credential &inCred, bool savePassword);
void clearInfoSet();
void scrubInfoSet(bool savePassword);
bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; }
public:
static AuthorizationToken &find(const AuthorizationBlob &blob);
class Deleter {
public:
Deleter(const AuthorizationBlob &blob);
void remove();
operator AuthorizationToken &() const { return *mAuth; }
private:
RefPointer<AuthorizationToken> mAuth;
StLock<Mutex> lock;
};
private:
mutable Mutex mLock; AuthorizationBlob mHandle; CredentialSet mBaseCreds;
unsigned int mTransferCount;
typedef set<Process *> ProcessSet;
ProcessSet mUsingProcesses;
uid_t mCreatorUid; gid_t mCreatorGid; CFCopyRef<SecStaticCodeRef> mCreatorCode; pid_t mCreatorPid; bool mCreatorSandboxed;
AuditToken mCreatorAuditToken;
AuthItemSet mInfoSet;
bool mOperatesAsLeastPrivileged;
AuthItemSet mSavedPassword;
private:
typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
static AuthMap &authMap; static Mutex authMapLock; };
#endif //_H_AUTHORITY