#ifndef _H_AUTHORIZATIONRULE
#define _H_AUTHORIZATIONRULE 1
#include <CoreFoundation/CoreFoundation.h>
#include <security_cdsa_utilities/AuthorizationData.h>
#include "authority.h"
#include "agentclient.h"
namespace Authorization
{
class Rule;
/// Implementation object behind a Rule: the parsed form of one authorization
/// right/rule definition plus the evaluation entry points that decide whether
/// a request for that right is granted.  Instances are reference counted
/// (RefCount) and handed around through Rule.
///
/// Only the declarations are visible here; the parsing and evaluation logic
/// lives in the corresponding .cpp.  Comments that describe how a member is
/// populated are therefore marked as assumptions to confirm there.
class RuleImpl : public RefCount
{
public:
    /// Constructs an unconfigured rule; what it contains is defined in the .cpp.
    RuleImpl();

    /// Constructs the rule for @p inRightName from its right dictionary
    /// (@p cfRight) and the dictionary of named rules (@p cfRules) — presumably
    /// used to resolve delegations (see kRuleDelegateID); confirm in the .cpp.
    RuleImpl(const string &inRightName,
             CFDictionaryRef cfRight,
             CFDictionaryRef cfRules);

    /// Evaluates this rule for @p inRight.
    /// @p inCredentials are the credentials already held (read only);
    /// @p credentials and @p environmentToClient are non-const and so may be
    /// updated by the evaluation.  @p reason is set to explain the outcome and
    /// @p savePassword controls retention of the entered secret — callers
    /// should treat that flag as security-sensitive.
    OSStatus evaluate(const AuthItemRef &inRight,
                      const Rule &inRule,
                      AuthItemSet &environmentToClient,
                      AuthorizationFlags flags,
                      CFAbsoluteTime now,
                      const CredentialSet *inCredentials,
                      CredentialSet &credentials,
                      AuthorizationToken &auth,
                      SecurityAgent::Reason &reason,
                      bool savePassword) const;

    /// The right name this rule was built for.
    string name() const { return mRightName; }

    /// Whether this rule permits the password to be extracted (mExtractPassword).
    /// NOTE(review): a rule with this set lets the user's secret leave the
    /// evaluation; audit every reader of this accessor.
    bool extractPassword() const { return mExtractPassword; }

private:
    // --- Evaluation helpers (bodies in the .cpp) ---

    /// Checks whether one existing @p credential satisfies @p inRight under
    /// this rule; @p ignoreShared presumably disables credential sharing
    /// (see mShared) for this check — confirm.
    OSStatus evaluateCredentialForRight(const AuthorizationToken &auth,
                                        const AuthItemRef &inRight,
                                        const Rule &inRule,
                                        const AuthItemSet &environment,
                                        CFAbsoluteTime now,
                                        const Credential &credential,
                                        bool ignoreShared,
                                        SecurityAgent::Reason &reason) const;

    /// Same contract as evaluateCredentialForRight, for the user-class case.
    OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth,
                                            const AuthItemRef &inRight,
                                            const Rule &inRule,
                                            const AuthItemSet &environment,
                                            CFAbsoluteTime now,
                                            const Credential &credential,
                                            bool ignoreShared,
                                            SecurityAgent::Reason &reason) const;

    /// Evaluates the sub-rules in mRuleDef (presumably the kRuleDelegation
    /// and kKofN cases — confirm).  Same parameter contract as evaluate().
    OSStatus evaluateRules(const AuthItemRef &inRight,
                           const Rule &inRule,
                           AuthItemSet &environmentToClient,
                           AuthorizationFlags flags,
                           CFAbsoluteTime now,
                           const CredentialSet *inCredentials,
                           CredentialSet &credentials,
                           AuthorizationToken &auth,
                           SecurityAgent::Reason &reason,
                           bool savePassword) const;

    /// Adds hints for the security agent to @p environmentToClient.
    void setAgentHints(const AuthItemRef &inRight,
                       const Rule &inTopLevelRule,
                       AuthItemSet &environmentToClient,
                       AuthorizationToken &auth) const;

    /// Runs the interactive authentication path.  Same parameter contract
    /// as evaluate().
    OSStatus evaluateAuthentication(const AuthItemRef &inRight,
                                    const Rule &inRule,
                                    AuthItemSet &environmentToClient,
                                    AuthorizationFlags flags,
                                    CFAbsoluteTime now,
                                    const CredentialSet *inCredentials,
                                    CredentialSet &credentials,
                                    AuthorizationToken &auth,
                                    SecurityAgent::Reason &reason,
                                    bool savePassword) const;

    /// Evaluates a user-class rule (kUser).  Same parameter contract as evaluate().
    OSStatus evaluateUser(const AuthItemRef &inRight,
                          const Rule &inRule,
                          AuthItemSet &environmentToClient,
                          AuthorizationFlags flags,
                          CFAbsoluteTime now,
                          const CredentialSet *inCredentials,
                          CredentialSet &credentials,
                          AuthorizationToken &auth,
                          SecurityAgent::Reason &reason,
                          bool savePassword) const;

    /// Evaluates a mechanism-only rule (kEvaluateMechanisms); credentials the
    /// mechanisms produce are returned through @p outCredentials.
    OSStatus evaluateMechanismOnly(const AuthItemRef &inRight,
                                   const Rule &inRule,
                                   AuthItemSet &environmentToClient,
                                   AuthorizationToken &auth,
                                   CredentialSet &outCredentials,
                                   bool savePassword) const;

    /// Session-owner check (see mSessionOwner); on success @p credential is
    /// filled in — it is the only non-const in-parameter besides @p reason.
    OSStatus evaluateSessionOwner(const AuthItemRef &inRight,
                                  const Rule &inRule,
                                  const AuthItemSet &environment,
                                  CFAbsoluteTime now,
                                  const AuthorizationToken &auth,
                                  Credential &credential,
                                  SecurityAgent::Reason &reason) const;

    /// Builds the credential set for @p auth.
    CredentialSet makeCredentials(const AuthorizationToken &auth) const;

    /// Copies of the localized prompt / button tables (kPromptID / kButtonID).
    map<string,string> localizedPrompts() const { return mLocalizedPrompts; }
    map<string,string> localizedButtons() const { return mLocalizedButtons; }

    // --- Rule class ---

    /// The class of this rule; presumably selected by kRuleClassID against the
    /// kRule*ID values below — confirm in the constructor.
    enum Type
    {
        kDeny,
        kAllow,
        kUser,
        kRuleDelegation,
        kKofN,
        kEvaluateMechanisms,
    };
    Type mType;

    // --- Configuration parsed from the right / rule dictionaries ---
    // Member order is kept as declared originally (class layout).

    string mRightName;                 ///< Right this rule applies to.
    string mGroupName;                 ///< Presumably kUserGroupID — group a user must belong to.
    CFTimeInterval mMaxCredentialAge;  ///< Presumably kTimeoutID — maximum age of a usable credential.
    bool mShared;                      ///< Presumably kSharedID — whether credentials may be shared across rights.
    bool mAllowRoot;                   ///< Presumably kAllowRootID — whether root satisfies the rule outright.
    vector<string> mEvalDef;           ///< Presumably kMechanismsID — mechanism names to run.
    bool mSessionOwner;                ///< Presumably kSessionOwnerID — whether the session owner satisfies the rule.
    vector<Rule> mRuleDef;             ///< Sub-rules for delegation / k-of-n.
    uint32_t mKofN;                    ///< Presumably kKofNID — how many of mRuleDef must succeed.
    mutable uint32_t mTries;           ///< Presumably kTriesID; mutable so the const evaluation path can touch it.
    bool mExtractPassword;             ///< Presumably kExtractPasswordID — see extractPassword().
    bool mAuthenticateUser;            ///< Presumably kRuleAuthenticateUserID.
    map<string,string> mLocalizedPrompts;
    map<string,string> mLocalizedButtons;

    // --- Dictionary access helpers ---

    /// Typed readers for keys in the CF configuration dictionaries.  The
    /// @p required flag presumably distinguishes "missing is an error" from
    /// "fall back to @p defaultValue"; confirm in the .cpp.
    class Attribute
    {
    public:
        static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
        static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
        static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
        static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
        /// Reads the localized-text sub-dictionary under @p dictKey into @p localizedPrompts.
        static bool getLocalizedText(CFDictionaryRef config, map<string,string> &localizedPrompts,
                                     CFStringRef dictKey, const char *descriptionKey);
    };

    // --- Dictionary keys (defined in the .cpp) ---

    // Per-right configuration keys.
    static CFStringRef kUserGroupID;
    static CFStringRef kTimeoutID;
    static CFStringRef kSharedID;
    static CFStringRef kAllowRootID;
    static CFStringRef kMechanismsID;
    static CFStringRef kSessionOwnerID;
    static CFStringRef kKofNID;
    static CFStringRef kPromptID;
    static CFStringRef kButtonID;
    static CFStringRef kTriesID;
    static CFStringRef kExtractPasswordID;

    // Rule-class key and its values.
    static CFStringRef kRuleClassID;
    static CFStringRef kRuleAllowID;
    static CFStringRef kRuleDenyID;
    static CFStringRef kRuleUserID;
    static CFStringRef kRuleDelegateID;
    static CFStringRef kRuleMechanismsID;
    static CFStringRef kRuleAuthenticateUserID;
};
/// Handle type for a RuleImpl.  Built on RefPointer, so copies presumably
/// share the same reference-counted implementation rather than duplicating
/// it — confirm against RefPointer's definition.
class Rule : public RefPointer<RuleImpl>
{
public:
    /// Handle to no rule / an unconfigured rule; see the .cpp for which.
    Rule();

    /// Builds a RuleImpl for @p inRightName from @p cfRight and @p cfRules
    /// (same arguments as RuleImpl's configuring constructor).
    Rule(const string &inRightName,
         CFDictionaryRef cfRight,
         CFDictionaryRef cfRules);
};
};
#endif