authority.cpp   [plain text]

/*
 * Copyright (c) 2000-2012 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// authority - authorization manager
//
#include "authority.h"
#include "server.h"
#include "connection.h"
#include "session.h"
#include "process.h"

#include <security_cdsa_utilities/AuthorizationWalkers.h>

#include <security_utilities/ccaudit.h>		// AuditToken

#include <sandbox.h>

using Authorization::AuthItemSet;
using Authorization::AuthItemRef;
using Authorization::AuthValue;
using Authorization::AuthValueOverlay;

//
// The global dictionary of extant AuthorizationTokens
//
//AuthorizationToken::AuthMap AuthorizationToken::authMap; // set of extant authorizations
//@@@ Workaround ONLY! Don't destruct this map on termination
AuthorizationToken::AuthMap &AuthorizationToken::authMap = *new AuthMap; // set of extant authorizations
Mutex AuthorizationToken::authMapLock; // lock for mAuthorizations (only)



//
// Create an authorization token.
//
AuthorizationToken::AuthorizationToken(Session &ssn, const CredentialSet &base, 
const audit_token_t &auditToken, bool operateAsLeastPrivileged)
	: mBaseCreds(base), mTransferCount(INT_MAX), 
	mCreatorPid(Server::process().pid()), 
	mCreatorAuditToken(auditToken),
	mOperatesAsLeastPrivileged(operateAsLeastPrivileged)
{
	mCreatorUid = mCreatorAuditToken.euid();
	mCreatorGid = mCreatorAuditToken.egid();

	if (sandbox_check(mCreatorPid, "authorization-right-obtain", SANDBOX_CHECK_NO_REPORT) != 0)
		mCreatorSandboxed = true;
	else
		mCreatorSandboxed = false;
	
	{
		Process &thisProcess = Server::process();
		StLock<Mutex> _(thisProcess);
		if (SecCodeRef code = thisProcess.currentGuest())
			MacOSError::check(SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &mCreatorCode.aref()));
	}
		
	// link to session
	referent(ssn);
	
    // generate our (random) handle
    Server::active().random(mHandle);
    
    // register handle in the global map
    StLock<Mutex> _(authMapLock);
    authMap[mHandle] = this;
	
    // all ready
	secdebug("SSauth", "Authorization %p created using %d credentials; owner=%p",
		this, int(mBaseCreds.size()), mCreatorCode.get());
}

AuthorizationToken::~AuthorizationToken()
{
	// we better be clean
	assert(mUsingProcesses.empty());
    
	secdebug("SSauth", "Authorization %p destroyed", this);
}


Session &AuthorizationToken::session() const
{
	return referent<Session>();
}


std::string AuthorizationToken::creatorPath() const
{
	if (mCreatorCode) {
		StLock<Mutex> _(mLock);
		CFRef<CFURLRef> path;
		if (SecCodeCopyPath(mCreatorCode, kSecCSDefaultFlags, &path.aref()) == noErr)
			return cfString(path);
	}
	return "unknown";
}


//
// Locate an authorization given its blob.
//
AuthorizationToken &AuthorizationToken::find(const AuthorizationBlob &blob)
{
    StLock<Mutex> _(authMapLock);
	AuthMap::iterator it = authMap.find(blob);
	if (it == authMap.end())
		Authorization::Error::throwMe(errAuthorizationInvalidRef);
	return *it->second;
}


//
// Handle atomic deletion of AuthorizationToken objects
//
AuthorizationToken::Deleter::Deleter(const AuthorizationBlob &blob)
    : lock(authMapLock)
{
    AuthMap::iterator it = authMap.find(blob);
    if (it == authMap.end())
        Authorization::Error::throwMe(errAuthorizationInvalidRef);
    mAuth = it->second;
}

void AuthorizationToken::Deleter::remove()
{
    if (mAuth) {
        authMap.erase(mAuth->handle());
        mAuth = NULL;
    }
}


//
// Given a set of credentials, add it to our private credentials and return the result
//
// must hold Session::mCredsLock
CredentialSet AuthorizationToken::effectiveCreds() const
{
    secdebug("SSauth", "Authorization %p grabbing session %p creds %p",
		this, &session(), &session().authCredentials());
    CredentialSet result = session().authCredentials();
	for (CredentialSet::const_iterator it = mBaseCreds.begin(); it != mBaseCreds.end(); it++)
		if (!(*it)->isShared())
			result.insert(*it);
	return result;
}


//
// Add more credential dependencies to an authorization
//
// must hold Session::mCredsLock
void AuthorizationToken::mergeCredentials(const CredentialSet &add)
{
    secdebug("SSauth", "Authorization %p merge creds %p", this, &add);
	for (CredentialSet::const_iterator it = add.begin(); it != add.end(); it++) {
        mBaseCreds.erase(*it);
        mBaseCreds.insert(*it);
    }
    secdebug("SSauth", "Authorization %p merged %d new credentials for %d total",
		this, int(add.size()), int(mBaseCreds.size()));
}


//
// Register a new process that uses this authorization token.
// This is an idempotent operation.
//
void AuthorizationToken::addProcess(Process &proc)
{
	StLock<Mutex> _(mLock);
	mUsingProcesses.insert(&proc);
	secdebug("SSauth", "Authorization %p added process %p(%d)", this, &proc, proc.pid());
}


//
// Completely unregister client process.
// It does not matter how often it was registered with addProcess before.
// This returns true if no more processes use this token. Presumably you
// would then want to clean up, though that's up to you.
//
bool AuthorizationToken::endProcess(Process &proc)
{
	StLock<Mutex> _(mLock);
	assert(mUsingProcesses.find(&proc) != mUsingProcesses.end());
	mUsingProcesses.erase(&proc);
	secdebug("SSauth", "Authorization %p removed process %p(%d)%s",
		this, &proc, proc.pid(), mUsingProcesses.empty() ? " FINAL" : "");
	return mUsingProcesses.empty();
}


//
// Check whether internalization/externalization is allowed
//
bool AuthorizationToken::mayExternalize(Process &) const
{
	return mTransferCount > 0;
}

bool AuthorizationToken::mayInternalize(Process &, bool countIt)
{
	StLock<Mutex> _(mLock);
	if (mTransferCount > 0) {
		if (countIt) {
			mTransferCount--;
			secdebug("SSauth", "Authorization %p decrement intcount to %d", this, mTransferCount);
		}
		return true;
	}
	return false;
}

AuthItemSet
AuthorizationToken::infoSet(AuthorizationString tag)
{
    StLock<Mutex> _(mLock); // consider a separate lock
 	
	AuthItemSet tempSet;
 	
	if (tag)
	{
		AuthItemSet::iterator found = find_if(mInfoSet.begin(), mInfoSet.end(), 
					Authorization::FindAuthItemByRightName(tag));
		if (found != mInfoSet.end())
			tempSet.insert(AuthItemRef(*found));

	}
	else
		tempSet = mInfoSet;

	secdebug("SSauth", "Authorization %p returning copy of context %s%s.", this, tag ? "for tag " : "", tag ? "" : tag);
	
	return tempSet;
}

void
AuthorizationToken::setInfoSet(AuthItemSet &newInfoSet, bool savePassword)
{
	StLock<Mutex> _(mLock); // consider a separate lock
    secdebug("SSauth", "Authorization %p setting new context", this);
	
	AuthItemSet::const_iterator end = mInfoSet.end();
	for (AuthItemSet::const_iterator it = mInfoSet.begin(); it != end; ++it) {
		const AuthItemRef &item = *it;
		if (0 == strcmp(item->name(), "password")) {
			mSavedPassword.clear();
			mSavedPassword.insert(item);
		}
	}
	
	if (true == savePassword)
		newInfoSet.insert(mSavedPassword.begin(), mSavedPassword.end());

    mInfoSet = newInfoSet;
}

// This is destructive (non-merging)
void
AuthorizationToken::setCredentialInfo(const Credential &inCred, bool savePassword)
{
    AuthItemSet dstInfoSet;

    uid_t uid = inCred->uid();
    AuthItemRef uidHint("uid", AuthValueOverlay(sizeof(uid), &uid));
    dstInfoSet.insert(uidHint);
 
    AuthItemRef userHint("username", AuthValueOverlay(inCred->name()), 0);
    dstInfoSet.insert(userHint);
 
	setInfoSet(dstInfoSet, savePassword);
}

void
AuthorizationToken::clearInfoSet()
{
    AuthItemSet dstInfoSet;
    secdebug("SSauth", "Authorization %p clearing context", this);
    setInfoSet(dstInfoSet, false);
}

void
AuthorizationToken::scrubInfoSet(bool savePassword)
{
	AuthItemSet srcInfoSet = infoSet(), dstInfoSet;
	AuthItemSet::const_iterator end = srcInfoSet.end();
	for (AuthItemSet::const_iterator it = srcInfoSet.begin(); it != end; ++it)
	{
		const AuthItemRef &item = *it;
		if (item->flags() == kAuthorizationContextFlagExtractable)
			dstInfoSet.insert(item);
	}
    secdebug("SSauth", "Authorization %p scrubbing context", this);
    setInfoSet(dstInfoSet, savePassword);
}