aclUtils.cpp   [plain text]

/*
 * Copyright (c) 2004-2006 Apple Computer, Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * aclUtils.cpp - ACL utility functions, copied from the SecurityTool project. 
 */
 
#include "aclUtils.h"
#include <Security/SecTrustedApplicationPriv.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>

/* Read a line from stdin into buffer as a null terminated string.  If buffer is
   non NULL use at most buffer_size bytes and return a pointer to buffer.  Otherwise
   return a newly malloced buffer.
   if EOF is read this function returns NULL.  */
char *
readline(char *buffer, int buffer_size)
{
	int ix = 0, bytes_malloced = 0;

	if (!buffer)
	{
		bytes_malloced = 64;
		buffer = (char *)malloc(bytes_malloced);
		buffer_size = bytes_malloced;
	}

	for (;;++ix)
	{
		int ch;

		if (ix == buffer_size - 1)
		{
			if (!bytes_malloced)
				break;
			bytes_malloced += bytes_malloced;
			buffer = (char *)realloc(buffer, bytes_malloced);
			buffer_size = bytes_malloced;
		}

		ch = getchar();
		if (ch == EOF)
		{
			if (bytes_malloced)
				free(buffer);
			return NULL;
		}
		if (ch == '\n')
			break;
		buffer[ix] = ch;
	}

	/* 0 terminate buffer. */
	buffer[ix] = '\0';

	return buffer;
}

void
print_buffer_hex(FILE *stream, UInt32 length, const void *data)
{
	unsigned i;
	const unsigned char *cp = (const unsigned char *)data;
	
	printf("\n   ");
	for(i=0; i<length; i++) {
		fprintf(stream, "%02X ", cp[i]);
		if((i % 24) == 23) {
			printf("\n   ");
		}
	}
}

void
print_buffer_ascii(FILE *stream, UInt32 length, const void *data)
{
	uint8 *p = (uint8 *) data;
	while (length--)
	{
		int ch = *p++;
		if (ch >= ' ' && ch <= '~' && ch != '\\')
		{
			fputc(ch, stream);
		}
		else
		{
			fputc('\\', stream);
			fputc('0' + ((ch >> 6) & 7), stream);
			fputc('0' + ((ch >> 3) & 7), stream);
			fputc('0' + ((ch >> 0) & 7), stream);
		}
	}
}

void
print_buffer(FILE *stream, UInt32 length, const void *data)
{
	uint8 *p = (uint8 *) data;
	Boolean ascii = TRUE;		// unless we determine otherwise
	UInt32 ix;
	for (ix = 0; ix < length; ++ix) {
		int ch = *p++;
		if ((ch < ' ') || (ch > '~')) {
			if((ch == 0) && (ix == (length - 1))) {
				/* ignore trailing null */
				length--;
				break;
			}
			ascii = FALSE;
			break;
		}
	}

	if (ascii) {
		fputc('"', stream);
		print_buffer_ascii(stream, length, data);
		fputc('"', stream);
	}
	else {
		print_buffer_hex(stream, length, data);
	}
}

void
print_cfdata(FILE *stream, CFDataRef data)
{
	if (data)
		return print_buffer(stream, CFDataGetLength(data), CFDataGetBytePtr(data));
	else
		fprintf(stream, "<NULL>");
}

void
print_cfstring(FILE *stream, CFStringRef string)
{
	if (!string)
		fprintf(stream, "<NULL>");
	else
	{
		const char *utf8 = CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
		if (utf8)
			fprintf(stream, "%s", utf8);
		else
		{
			CFRange rangeToProcess = CFRangeMake(0, CFStringGetLength(string));
			while (rangeToProcess.length > 0)
			{
				UInt8 localBuffer[256];
				CFIndex usedBufferLength;
				CFIndex numChars = CFStringGetBytes(string, rangeToProcess,
					kCFStringEncodingUTF8, '?', FALSE, localBuffer,
					sizeof(localBuffer), &usedBufferLength);
				if (numChars == 0)
					break;   // Failed to convert anything...

				fprintf(stream, "%.*s", (int)usedBufferLength, localBuffer);
				rangeToProcess.location += numChars;
				rangeToProcess.length -= numChars;
			}
		}
	}
}


int
print_access(FILE *stream, SecAccessRef access, Boolean interactive)
{
	CFArrayRef aclList = NULL;
	CFIndex aclix, aclCount;
	int result = 0;
	OSStatus status;

	status = SecAccessCopyACLList(access, &aclList);
	if (status)
	{
		cssmPerror("SecAccessCopyACLList", status);
		result = 1;
		goto loser;
	}

	aclCount = CFArrayGetCount(aclList);
	fprintf(stream, "access: %lu entries\n", aclCount);
	for (aclix = 0; aclix < aclCount; ++aclix)
	{
		CFArrayRef applicationList = NULL;
		CFStringRef description = NULL;
		CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector = {};
		CFIndex appix, appCount;

		SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(aclList, aclix);
		CSSM_ACL_AUTHORIZATION_TAG tags[64]; // Pick some upper limit
		uint32 tagix, tagCount = sizeof(tags) / sizeof(*tags);
		status = SecACLGetAuthorizations(acl, tags, &tagCount);
		if (status)
		{
			cssmPerror("SecACLGetAuthorizations", status);
			result = 1;
			goto loser;
		}

		fprintf(stream, "    entry %lu:\n        authorizations (%lu):", aclix, (unsigned long)tagCount);
		for (tagix = 0; tagix < tagCount; ++tagix)
		{
			CSSM_ACL_AUTHORIZATION_TAG tag = tags[tagix];
			switch (tag)
			{
			case CSSM_ACL_AUTHORIZATION_ANY:
				fputs(" any", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_LOGIN:
				fputs(" login", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_GENKEY:
				fputs(" genkey", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DELETE:
				fputs(" delete", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED:
				fputs(" export_wrapped", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR:
				fputs(" export_clear", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED:
				fputs(" import_wrapped", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR:
				fputs(" import_clear", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_SIGN:
				fputs(" sign", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_ENCRYPT:
				fputs(" encrypt", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DECRYPT:
				fputs(" decrypt", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_MAC:
				fputs(" mac", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DERIVE:
				fputs(" derive", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DBS_CREATE:
				fputs(" dbs_create", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DBS_DELETE:
				fputs(" dbs_delete", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DB_READ:
				fputs(" db_read", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DB_INSERT:
				fputs(" db_insert", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DB_MODIFY:
				fputs(" db_modify", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_DB_DELETE:
				fputs(" db_delete", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_CHANGE_ACL:
				fputs(" change_acl", stream);
				break;
			case CSSM_ACL_AUTHORIZATION_CHANGE_OWNER:
				fputs(" change_owner", stream);
				break;
			default:
				fprintf(stream, " tag=%lu", (unsigned long)tag);
				break;
			}
		}
		fputc('\n', stream);

		status = SecACLCopySimpleContents(acl, &applicationList, &description, &promptSelector);
		if (status)
		{
			cssmPerror("SecACLCopySimpleContents", status);
			continue;
		}

		if (promptSelector.flags & CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE)
			fputs("        require-password\n", stream);
		else
			fputs("        don't-require-password\n", stream);

		fputs("        description: ", stream);
		print_cfstring(stream, description);
		fputc('\n', stream);

		if (applicationList)
		{
			appCount = CFArrayGetCount(applicationList);
			fprintf(stream, "        applications (%lu):\n", appCount);
		}
		else
		{
			appCount = 0;
			fprintf(stream, "        applications: <null>\n");
		}

		for (appix = 0; appix < appCount; ++appix)
		{
			const UInt8* bytes;
			SecTrustedApplicationRef app = (SecTrustedApplicationRef)CFArrayGetValueAtIndex(applicationList, appix);
			CFDataRef data = NULL;
			fprintf(stream, "            %lu: ", appix);
			status = SecTrustedApplicationCopyData(app, &data);
			if (status)
			{
				cssmPerror("SecTrustedApplicationCopyData", status);
				continue;
			}

			bytes = CFDataGetBytePtr(data);
			if (bytes && bytes[0] == 0x2f) {
				fprintf(stream, "%s", (const char *)bytes);
				if ((status = SecTrustedApplicationValidateWithPath(app, (const char *)bytes)) == noErr) {
					fprintf(stream, " (OK)");
				} else {
					fprintf(stream, " (status %ld)", status);
				}
				fprintf(stream, "\n");
			} else {
				print_cfdata(stream, data);
				fputc('\n', stream);
			}
			if (data)
				CFRelease(data);
		}


		if (interactive)
		{
			char buffer[10] = {};
			if(applicationList != NULL) {
				fprintf(stderr, "NULL out this application list? ");
				if (readline(buffer, sizeof(buffer)) && buffer[0] == 'y')
				{
					/* 
					 * This makes the ops in this entry wide-open, no dialog or confirmation 
					 * other than requiring the keychain be open.
					 */
					fprintf(stderr, "setting app list to NULL\n");
					status = SecACLSetSimpleContents(acl, NULL, description, &promptSelector);
					if (status)
					{
						cssmPerror("SecACLSetSimpleContents", status);
						continue;
					}
				}
				else {
					fprintf(stderr, "Set this application list to empty array? ");
					if (readline(buffer, sizeof(buffer)) && buffer[0] == 'y')
					{
						/* 
						 * This means "always get confirmation, from all apps".
						 */
						fprintf(stderr, "setting app list to empty array\n");
						status = SecACLSetSimpleContents(acl, 
							CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks), 
							description, &promptSelector);
						if (status)
						{
							cssmPerror("SecACLSetSimpleContents", status);
							continue;
						}
					}
				}
			}
			else {
				fprintf(stderr, "Remove this acl? ");
				if (readline(buffer, sizeof(buffer)) && buffer[0] == 'y')
				{
					/* 
					 * This make ths ops in this entry completely inaccessible. 
					 */
					fprintf(stderr, "removing acl\n");
					status = SecACLRemove(acl);
					if (status)
					{
						cssmPerror("SecACLRemove", status);
						continue;
					}
				}
			}
		}
		if (description)
			CFRelease(description);
		if (applicationList)
			CFRelease(applicationList);

	}

loser:
	if (aclList)
		CFRelease(aclList);

	return result;
}

/* Simluate what StickyRecord is trying to do.... */

/* 
 * Given an Access object:
 *  -- extract the ACL for the specified CSSM_ACL_AUTHORIZATION_TAG. We expect there
 *     to exactly one of these - if the form of a default ACL changes we'll have to 
 *	   revisit this.
 *  -- set the ACL's app list to the provided CFArray, which may be NULL (meaning 
 *     "any app can access this, no problem"), an empty array (meaning "always
 *     prompt"), or an actual app list. 
 *  -- set or clear the PROMPT_REQUIRE_PASSPHRASE bit per the requirePassphrase
 *     argument
 */
static OSStatus srUpdateAcl(
	SecAccessRef accessRef,
	CSSM_ACL_AUTHORIZATION_TAG whichAcl,	// e.g. CSSM_ACL_AUTHORIZATION_DECRYPT
	CFArrayRef appArray,
	bool requirePassphrase)
{
	OSStatus ortn;
	CFArrayRef aclList = NULL;
	
	ortn = SecAccessCopySelectedACLList(accessRef, whichAcl, &aclList);
	if(ortn) {
		cssmPerror("SecAccessCopySelectedACLList", ortn);
		return ortn;
	}
	
	if(CFArrayGetCount(aclList) != 1) {
		printf("StickyRecord::updateAcl - unexpected ACL list count (%d)",
			(int)CFArrayGetCount(aclList));
		return internalComponentErr;
	}
	SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(aclList, 0);
	
	CFArrayRef applicationList = NULL;
	CFStringRef description = NULL;
	CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector = {};
	ortn = SecACLCopySimpleContents(acl, &applicationList, &description, &promptSelector);
	if(ortn) {
		cssmPerror("SecACLCopySimpleContents", ortn);
		return ortn;
	}
	if(applicationList != NULL) {
		CFRelease(applicationList);
	}
	if(requirePassphrase) {
		promptSelector.flags |= CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
	}
	else {
		promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
	}
	/* update */
	ortn = SecACLSetSimpleContents(acl, appArray, description, &promptSelector);
	
	/* we got this from SecACLCopySimpleContents - release it regardless */
	if(description != NULL) {
		CFRelease(description);
	}
	if(ortn) {
		cssmPerror("SecACLSetSimpleContents", ortn);
	}
	if(aclList != NULL) {
		CFRelease(aclList);
	}
	return ortn;
}

OSStatus stickyRecordUpdateAcl(
	SecAccessRef accessRef)
{
	OSStatus ortn;
	
	printf("...updating ACL to simulate a StickyRecord\n");
	
	/* First: decrypt. Wide open (NULL app list), !REQUIRE_PASSPHRASE. */
	ortn = srUpdateAcl(accessRef, CSSM_ACL_AUTHORIZATION_DECRYPT, NULL, false);
	if(ortn) {
		return ortn;
	}
	
	/* encrypt: always ask (empty app list, require passphrase */
	CFArrayRef nullArray = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
	return srUpdateAcl(accessRef, CSSM_ACL_AUTHORIZATION_ENCRYPT, nullArray, true);
	
}