Logo Search packages:      
Sourcecode: hamlib version File versions  Download package

AuthorizationDB.h

/*
 * Copyright (c) 2003 Apple Computer, Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 *  AuthorizationDB.h -- APIs for managing the authorization policy database
 *  and daemons.
 */

#ifndef _SECURITY_AUTHORIZATIONDB_H_
#define _SECURITY_AUTHORIZATIONDB_H_

#include <Security/Authorization.h>
#include <CoreFoundation/CoreFoundation.h>

#if defined(__cplusplus)
extern "C" {
#endif

/*!
      @header AuthorizationDB
      Version 1.0

      This API allows for any programs to get, modify, delete and add new right definitions to the policy database.  Meta-rights specify whether and what authorization is required to make these modifications.
      
      AuthorizationRightSet(NULL, "com.ifoo.ifax.send", CFSTR(kRuleIsAdmin), CFSTR("You must authenticate to send a fax."), NULL, NULL)

      add a rule for letting admins send faxes using a canned rule, delegating to a pre-specified rule that authorizes everyone who is an admin.
      
      AuthorizationRightSet(NULL, "com.ifoo.ifax.send", [[CFSTR(kRightRule), CFSTR(kRuleIsAdmin)], [CFSTR(kRightComment), CFSTR("authorizes sending of 1 fax message")]], CFSTR("Authorize sending of a fax"), NULL, NULL)

      add identical rule, but specify additional attributes this time.

      Keep in mind while specifying a comment to be specific about what you need to authorize for (1 fax), in terms of a general message for user.  The means of proof required for kRuleIsAdmin (enter username/password for example) should not be included here, since it could be configured differently.

*/

/*!   @define kRightRule
      rule delegation key.  Instead of specifying exact behavior some canned rules
   are shipped that may be switched by configurable security.
*/
#define kAuthorizationRightRule                                   "rule"

/*! @defined kRuleIsAdmin
      canned rule values for use with rule delegation definitions: require user to be an admin.
*/
#define kAuthorizationRuleIsAdmin                           "is-admin"

/*! @defined kRuleAuthenticateAsSessionUser
      canned rule value for use with rule delegation definitions: require user to authenticate as the session owner (logged-in user).
*/
#define kAuthorizationRuleAuthenticateAsSessionUser   "authenticate-session-user"

/*! @defined kRuleAuthenticateAsAdmin
      Canned rule value for use with rule delegation definitions: require user to authenticate as admin.
*/
#define kAuthorizationRuleAuthenticateAsAdmin         "authenticate-admin"

/*! @defined kAuthorizationRuleClassAllow
      Class that allows anything.
*/
#define kAuthorizationRuleClassAllow                  "allow"

/*! @defined kAuthorizationRuleClassDeny
      Class that denies anything. 
*/
#define kAuthorizationRuleClassDeny                   "deny"

/*! @defined kAuthorizationComment
    comments for the administrator on what is being customized here;
   as opposed to (localized) descriptions presented to the user.
*/
#define kAuthorizationComment "comment"



/*!
      @function AuthorizationRightGet 
      
      Retrieves a right definition as a dictionary.  There are no restrictions to keep anyone from retrieving these definitions.  

      @param rightName (input) the rightname (ASCII).  Wildcard rightname definitions are okay.
      @param rightDefinition (output/optional) the dictionary with all keys defining the right.  See documented keys.  Passing in NULL will just check if there is a definition.  The caller is responsible for releasing the returned dictionary.

      @result errAuthorizationSuccess 0 No error.

      errAuthorizationDenied -60005 No definition found.

*/
OSStatus AuthorizationRightGet(const char *rightName,
      CFDictionaryRef *rightDefinition);

/*!
      @function AuthorizationRightSet
      
      Create or update a right entry.  Only normal rights can be registered (wildcard rights are denied); wildcard rights are considered to be put in by an administrator putting together a site configuration.

      @param authRef (input) authRef to authorize modifications.
      @param rightName (input) the rightname (ASCII).  Wildcard rightnames are not okay.
      @param rightDefinition (input) a CFString of the name of a rule to use (delegate) or CFDictionary containing keys defining one.
      @param descriptionKey (input/optional) a CFString to use as a key for looking up localized descriptions.  If no localization is found this will be the description itself.
      @param bundle (input/optional) a bundle to get localizations from if not the main bundle.
      @param localeTableName (input/optional) stringtable name to get localizations from.
      
      @result errAuthorizationSuccess 0 added right definition successfully.

      errAuthorizationDenied -60005 Unable to create or update right definition.

      errAuthorizationCanceled -60006 Authorization was canceled by user.

      errAuthorizationInteractionNotAllowed -60007 Interaction was required but not possible.

*/
OSStatus AuthorizationRightSet(AuthorizationRef authRef,
      const char *rightName,
      CFTypeRef rightDefinition,
      CFStringRef descriptionKey,
      CFBundleRef bundle,
      CFStringRef localeTableName);



/*!
      @function AuthorizationRightRemove

      Request to remove a right from the policy database.

      @param authRef (input) authRef, to be used to authorize this action.
      @param rightName (input) the rightname (ASCII).  Wildcard rightnames are not okay.
      
*/
OSStatus AuthorizationRightRemove(AuthorizationRef authRef,
      const char *rightName);


#if defined(__cplusplus)
}
#endif

#endif /* !_SECURITY_AUTHORIZATIONDB_H_ */


Generated by  Doxygen 1.6.0   Back to index