-
Notifications
You must be signed in to change notification settings - Fork 3
/
listing1.html
executable file
·1013 lines (851 loc) · 39.4 KB
/
listing1.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<!-- BEGIN META TAG INFO -->
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="home" href="http://developer.apple.com/">
<link rel="find" href="http://developer.apple.com/search/">
<link rel="stylesheet" type="text/css" href="../../documentation/css/adcstyle.css" title="fonts">
<script language="JavaScript" src="../../documentation/js/adc.js" type="text/javascript"></script>
<!-- END META TAG INFO -->
<!-- BEGIN TITLE -->
<title>NullAuthPlugin - /NullAuthPlugin.c</title>
<!-- END TITLE -->
<script language="JavaScript">
function JumpToNewPage() {
window.location=document.scpopupmenu.gotop.value;
return true;
}
</script>
</head>
<!-- BEGIN BODY OPEN -->
<body>
<!--END BODY OPEN -->
<!-- START CENTER OPEN -->
<center>
<!-- END CENTER OPEN -->
<!-- BEGIN LOGO AND SEARCH -->
<!--#include virtual="/includes/adcnavbar"-->
<!-- END LOGO AND SEARCH -->
<!-- START BREADCRUMB -->
<div id="breadcrumb">
<table width="680" border="0" cellpadding="0" cellspacing="0">
<tr>
<td scope="row"><img width="340" height="10" src="images/1dot.gif" alt=""></td>
<td><img width="340" height="10" src="images/1dot.gif" alt=""></td>
</tr>
<tr valign="middle">
<td align="left" colspan="2">
<a href="http://developer.apple.com/">ADC Home</a> > <a href="../../referencelibrary/index.html">Reference Library</a> > <a href="../../samplecode/index.html">Sample Code</a> > <a href="../../samplecode/Security/index.html">Security</a> > <a href="../../samplecode/Security/idxAuthorization-date.html">Authorization</a> > <A HREF="javascript:location.replace('index.html');">NullAuthPlugin</A> >
</td>
</tr>
<tr>
<td colspan="2" scope="row"><img width="680" height="35" src="images/1dot.gif" alt=""></td>
</tr>
</table>
</div>
<!-- END BREADCRUMB -->
<!-- START MAIN CONTENT -->
<!-- START TITLE GRAPHIC AND INTRO-->
<table width="680" border="0" cellpadding="0" cellspacing="0">
<tr align="left" valign="top">
<td><h1><div id="pagehead">NullAuthPlugin</div></h1></td>
</tr>
</table>
<!-- END TITLE GRAPHIC AND INTRO -->
<!-- START WIDE COLUMN -->
<table width="680" border="0" cellpadding="0" cellspacing="0">
<tr align="left" valign="top">
<td id="scdetails">
<h2>/NullAuthPlugin.c</h2>
<form name="scpopupmenu" onSubmit="return false;" method=post>
<p><strong>View Source Code:</strong>
<select name="gotop" onChange="JumpToNewPage();" style="width:340px"><option selected value="ingnore">Select File</option>
<option value="listing1.html">/NullAuthPlugin.c</option>
<option value="listing2.html">/Read Me About NullAuthPlugin.txt</option></select>
</p>
</form>
<p><strong><a href="NullAuthPlugin.zip">Download Sample</a></strong> (“NullAuthPlugin.zip”, 34.8K)<BR>
<strong><a href="NullAuthPlugin.dmg">Download Sample</a></strong> (“NullAuthPlugin.dmg”, 92.9K)</p>
<!--
<p><strong><a href="#">Download Sample</a></strong> (“filename.sit”, 500K)</p>
-->
</td>
</tr>
<tr>
<td scope="row"><img width="680" height="10" src="images/1dot.gif" alt=""><br>
<img height="1" width="680" src="images/1dot_919699.gif" alt=""><br>
<img width="680" height="20" src="images/1dot.gif" alt=""></td>
</tr>
<tr>
<td scope="row">
<!--googleon: index -->
<pre class="sourcecodebox">/*
File: NullAuth.c
Contains: An empty authorization plug-in, for logging and testing.
Written by: DTS
Copyright: Copyright (c) 2007 Apple Inc. All Rights Reserved.
Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple Inc.
("Apple") in consideration of your agreement to the following
terms, and your use, installation, modification or
redistribution of this Apple software constitutes acceptance of
these terms. If you do not agree with these terms, please do
not use, install, modify or redistribute this Apple software.
In consideration of your agreement to abide by the following
terms, and subject to these terms, Apple grants you a personal,
non-exclusive license, under Apple's copyrights in this
original Apple software (the "Apple Software"), to use,
reproduce, modify and redistribute the Apple Software, with or
without modifications, in source and/or binary forms; provided
that if you redistribute the Apple Software in its entirety and
without modifications, you must retain this notice and the
following text and disclaimers in all such redistributions of
the Apple Software. Neither the name, trademarks, service marks
or logos of Apple Inc. may be used to endorse or promote
products derived from the Apple Software without specific prior
written permission from Apple. Except as expressly stated in
this notice, no other rights or licenses, express or implied,
are granted by Apple herein, including but not limited to any
patent rights that may be infringed by your derivative works or
by other works in which the Apple Software may be incorporated.
The Apple Software is provided by Apple on an "AS IS" basis.
APPLE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, REGARDING
THE APPLE SOFTWARE OR ITS USE AND OPERATION ALONE OR IN
COMBINATION WITH YOUR PRODUCTS.
IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ARISING IN ANY WAY
OUT OF THE USE, REPRODUCTION, MODIFICATION AND/OR DISTRIBUTION
OF THE APPLE SOFTWARE, HOWEVER CAUSED AND WHETHER UNDER THEORY
OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR
OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
*/
/////////////////////////////////////////////////////////////////////
#include <CoreServices/CoreServices.h>
#include <DirectoryService/DirectoryService.h>
#include <Security/AuthorizationPlugin.h>
#include <Security/AuthSession.h>
#include <Security/AuthorizationTags.h>
#include <syslog.h>
#include <unistd.h>
/////////////////////////////////////////////////////////////////////
// During development, you can define DEBUGLOG to call printf, and GCC
// will type check your arguments for you (GCC is smart enough to
// interpret printf format strings, but not smart enough to know
// that syslog format strings are virtually identical).
//
// In the standard configuration, all of my debug output goes to syslog.
// To see this output:
//
// 1. Edit /etc/syslog.conf and change "kern.debug" to "*.debug".
// This sends all debugging output to the syslog.
//
// 2. Send syslogd a SIGHUP.
//
// $ sudo kill -HUP `cat /var/run/syslog.pid`
//
// 3. Read the system log.
//
// $ tail -f /var/log/system.log
#if 1
#define DEBUGLOG(...) syslog(LOG_DEBUG, __VA_ARGS__);
#else
#warning Don't forget to reenable syslog.
#define DEBUGLOG(...) printf(__VA_ARGS__);
#endif
/////////////////////////////////////////////////////////////////////
#pragma mark ***** Core Data Structures
typedef struct PluginRecord PluginRecord; // forward decl
#pragma mark * Mechanism
// MechanismRecord is the per-mechanism data structure. One of these
// is created for each mechanism that's instantiated, and holds all
// of the data needed to run that mechanism. In this trivial example,
// that data set is very small.
//
// Mechanisms are single threaded; the code does not have to guard
// against multiple threads running inside the mechanism simultaneously.
enum {
kMechanismMagic = 'Mchn'
};
struct MechanismRecord {
OSType fMagic; // must be kMechanismMagic
AuthorizationEngineRef fEngine;
const PluginRecord * fPlugin;
Boolean fWaitForDebugger;
};
typedef struct MechanismRecord MechanismRecord;
static Boolean MechanismValid(const MechanismRecord *mechanism)
{
return (mechanism != NULL)
&& (mechanism->fMagic == kMechanismMagic)
&& (mechanism->fEngine != NULL)
&& (mechanism->fPlugin != NULL);
}
#pragma mark * Plugin
// PluginRecord is the per-plugin data structure. As the system only
// instantiates a plugin once per plugin host, this information could
// just as easily be kept in global variables. However, just to keep
// things tidy, I pushed it all into a single record.
//
// As a plugin may host multiple mechanism, and there's no guarantee
// that these mechanisms won't be running on different threads, data
// in this record should be protected from multiple concurrent access.
// In my case, however, all of the data is read-only, so I don't need
// to do anything special.
enum {
kPluginMagic = 'PlgN'
};
struct PluginRecord {
OSType fMagic; // must be kPluginMagic
const AuthorizationCallbacks * fCallbacks;
};
static Boolean PluginValid(const PluginRecord *plugin)
{
return (plugin != NULL)
&& (plugin->fMagic == kPluginMagic)
&& (plugin->fCallbacks != NULL)
&& (plugin->fCallbacks->version >= kAuthorizationCallbacksVersion);
}
/////////////////////////////////////////////////////////////////////
#pragma mark ***** Mechanism Printing Stuff
// The code in this section is used to pretty print the state of the
// authorization system when the mechanism is invoked. This is a lot
// of code, but it's not very relevant to the authorization plugin
// mechanism itself (except insofar as it allows you to see what
// data is being passed around in the context and hints).
// As there is no way to enumerate all of the entries in the context/hints,
// I just hard-code a big table of likely entries. The KeyInfo structure
// is used to hold information about each entry. As the entries in the
// context/hints are not typed, I store both the name and the type.
// As I have no idea which keys pertain to which context and which pertain
// to hints, I try each key in both. Besides, the push_hints_to_context
// mechanism implies that they share the same namespace.
enum KeyType {
kUnknown,
kString, // without null terminator
kString0, // with null terminator
kPID, // pid_t
kUID, // uid_t
kGID, // gid_t
kOSType,
kUInt32,
kSInt32,
kPlist,
kPlistOrString // wacky special case for AuthenticationAuthority
};
typedef enum KeyType KeyType;
struct KeyInfo {
const char * fKey;
KeyType fType;
};
typedef struct KeyInfo KeyInfo;
static const KeyInfo kStateKeys[] = {
// IMPORTANT:
// Only the keys documented in public header files are considered to be
// part of the defined API for an authorization plug-in. The keys that
// are defined as literal strings are present for debugging and exploration
// purposes only. Do not use these strings in a 'shrink wrap' authorization
// plug-in without first discussing the issue with Apple. You can either
// open a Developer Tech Support incident:
//
// <http://developer.apple.com/technicalsupport/index.html>
//
// or ask your question on the Apple-CDSA mailing list:
//
// <http://www.lists.apple.com/apple-cdsa>
// hint keys documented in <Security/AuthorizationTags.h>
{ kAuthorizationEnvironmentUsername, kString0 },
{ kAuthorizationEnvironmentPassword, kString0 },
{ kAuthorizationEnvironmentIcon, kUnknown },
{ kAuthorizationEnvironmentPrompt, kUnknown },
// context keys from a typical system (found using debugger)
{ "uid", kUID },
{ "gid", kGID },
{ "home", kString0 },
{ "longname", kString0 },
{ "shell", kString0 },
// hint keys from a typical system (found using debugger)
{ "authorize-right", kString },
{ "authorize-rule", kString },
{ "client-path", kString },
{ "client-pid", kPID },
{ "client-type", kOSType },
{ "client-uid", kUID },
{ "creator-pid", kPID },
{ "tries", kUInt32 },
// other keys found by grovelling through source code
{ "suggested-user", kUnknown },
{ "require-user-in-group", kUnknown },
{ "reason", kUnknown },
{ "token-name", kUnknown },
{ "afp_dir", kString0 },
{ "kerberos-principal", kUnknown },
{ "mountpoint", kString0 },
{ "new-password", kUnknown },
{ "show-add-to-keychain", kUnknown },
{ "add-to-keychain", kUnknown },
{ "Home_Dir_Mount_Result", kSInt32 },
{ "homeDirType", kSInt32 },
// The getuserinfo authentication mechanism copies all of the user's
// Open Directory attributes to the hints (?, or context?). So we
// look for the standard OD user attributes.
//
// AFAIK all of these are of type kString (because getuserinfo
// only copies across string values), but I've only set the type
// to string for those that I've seen in the wild. The remainder
// stay as type kUnknown until I see a concrete example.
{ kDS1AttrAdminLimits, kUnknown },
{ kDS1AttrAdminStatus, kUnknown },
{ kDS1AttrAlternateDatastoreLocation, kUnknown },
{ kDS1AttrAuthenticationHint, kUnknown },
{ kDS1AttrChange, kUnknown },
{ kDS1AttrComment, kUnknown },
{ kDS1AttrDistinguishedName, kString },
{ kDS1AttrExpire, kUnknown },
{ kDS1AttrFirstName, kUnknown },
{ kDS1AttrGeneratedUID, kString },
{ kDS1AttrHomeDirectorySoftQuota, kUnknown },
{ kDS1AttrHomeDirectoryQuota, kUnknown },
{ kDS1AttrHomeLocOwner, kUnknown },
{ kDS1AttrInternetAlias, kUnknown },
{ kDS1AttrLastName, kString },
{ kDS1AttrMailAttribute, kUnknown },
{ kDS1AttrMiddleName, kUnknown },
{ kDS1AttrNFSHomeDirectory, kString },
{ kDS1AttrOriginalNFSHomeDirectory, kUnknown },
{ kDS1AttrPassword, kString },
{ kDS1AttrPasswordPlus, kString },
{ kDS1AttrPicture, kUnknown },
{ kDS1AttrPrimaryGroupID, kString },
{ kDS1AttrRealUserID, kString },
{ kDS1AttrUniqueID, kString },
{ kDS1AttrUserShell, kString },
{ kDSNAttrAddressLine1, kUnknown },
{ kDS1StandardAttrHomeLocOwner, kUnknown },
{ kDSNAttrAddressLine2, kUnknown },
{ kDSNAttrAddressLine3, kUnknown },
{ kDSNAttrAreaCode, kUnknown },
{ kDSNAttrAuthenticationAuthority, kPlistOrString },
{ kDSNAttrBuilding, kUnknown },
{ kDSNAttrCity, kUnknown },
{ kDSNAttrCountry, kUnknown },
{ kDSNAttrDepartment, kUnknown },
{ kDSNAttrEMailAddress, kUnknown },
{ kDSNAttrFaxNumber, kUnknown },
{ kDSNAttrGroupMembers, kUnknown },
{ kDSNAttrGroupMembership, kUnknown },
{ kDSNAttrHomeDirectory, kString },
{ kDSNAttrIMHandle, kUnknown },
{ kDSNAttrJobTitle, kUnknown },
{ kDSNAttrMobileNumber, kUnknown },
{ kDSNAttrNamePrefix, kUnknown },
{ kDSNAttrNameSuffix, kUnknown },
{ kDSNAttrNestedGroups, kUnknown },
{ kDSNAttrNetGroups, kUnknown },
{ kDSNAttrNickName, kUnknown },
{ kDSNAttrOrganizationName, kUnknown },
{ kDSNAttrOriginalHomeDirectory, kUnknown },
{ kDSNAttrPagerNumber, kUnknown },
{ kDSNAttrPhoneNumber, kUnknown },
{ kDSNAttrPostalAddress, kUnknown },
{ kDSNAttrPostalCode, kUnknown },
{ kDSNAttrState, kUnknown },
{ kDSNAttrStreet, kUnknown }
};
static void PrintHexData(const char *scope, const char *key, const void *buf, size_t bufSize)
// Prints the specified buffer as hex.
{
size_t outputSize;
char * output;
const unsigned char * bufBase;
size_t bufIndex;
char tmp[16];
assert(scope != NULL);
assert(key != NULL);
assert( (bufSize == 0) || (buf != NULL) );
// Allocate the correct size buffer.
outputSize = bufSize * 3 + 1;
output = (char *) malloc(outputSize);
assert(output != NULL);
if (output != NULL) {
// Fill the buffer with the hex.
*output = 0;
bufBase = (const unsigned char *) buf;
for (bufIndex = 0; bufIndex < bufSize; bufIndex++) {
snprintf(tmp, sizeof(tmp), "%02x ", bufBase[bufIndex]);
strlcat(output, tmp, outputSize);
}
assert(outputSize == (strlen(output) + 1));
// Print it.
DEBUGLOG("%s key='%s' value=%s", scope, key, output);
}
free(output);
}
static void PrintPlist(const char *scope, const char *key, const void *buf, size_t bufSize)
{
CFDataRef data;
CFPropertyListRef propList;
CFDataRef textData;
CFMutableDataRef mutableTextData;
char * dataBuf;
CFIndex dataSize;
CFIndex i;
assert(scope != NULL);
assert(key != NULL);
assert( (bufSize == 0) || (buf != NULL) );
data = NULL;
propList = NULL;
textData = NULL;
mutableTextData = NULL;
dataBuf = NULL;
// Create a CFData from the buffer, then a CFPropertyList from the data,
// then a text form of the CFPropertyList, then a mutable version of that
// ('cause I want to strip newline characters). *phew*
data = CFDataCreate(NULL, buf, bufSize);
if (data != NULL) {
propList = CFPropertyListCreateFromXMLData(NULL, data, kCFPropertyListImmutable, NULL);
if (propList != NULL) {
textData = CFPropertyListCreateXMLData(NULL, propList);
if (textData != NULL) {
mutableTextData = CFDataCreateMutableCopy(NULL, 0, textData);
if (mutableTextData != NULL) {
dataBuf = (char *) CFDataGetMutableBytePtr(mutableTextData);
dataSize = CFDataGetLength(mutableTextData);
for (i = 0; i < dataSize; i++) {
if ( (dataBuf[i] == '\r') || (dataBuf[i] == '\n') ) {
dataBuf[i] = ' ';
}
}
}
}
}
}
// If the above mess worked, print the text, otherwise just dump hex.
if (dataBuf != NULL) {
DEBUGLOG("%s key='%s', value='%.*s'", scope, key, (int) dataSize, (const char *) dataBuf);
} else {
PrintHexData(scope, key, buf, bufSize);
DEBUGLOG("%s key='%s', value='%.*s'", scope, key, (int) bufSize, (const char *) buf);
}
// Clean up.
if (mutableTextData != NULL) {
CFRelease(mutableTextData);
}
if (textData != NULL) {
CFRelease(textData);
}
if (propList != NULL) {
CFRelease(propList);
}
if (data != NULL) {
CFRelease(data);
}
}
static void PrintPlistOrString(const char *scope, const char *key, const void *buf, size_t bufSize)
// Sniffs the buffer and prints it as either a binary plist or a string.
// The AuthenticationAuthority context value is one of these formats
// depending on whether the mechanism runs before or after
// "builtin:getuserinfo", so I have to handle both.
{
static const char kPlistMagic[] = "bplist00";
assert(scope != NULL);
assert(key != NULL);
assert( (bufSize == 0) || (buf != NULL) );
// See whether the first eight bytes of the buffer are kPlistMagic.
if ( (bufSize >= strlen(kPlistMagic)) && (memcmp(buf, kPlistMagic, strlen(kPlistMagic)) == 0) ) {
// If so, go the plist route.
PrintPlist(scope, key, buf, bufSize);
} else {
// If it doesn't look like a plist, print it as a string.
DEBUGLOG("%s key='%s', value='%.*s'", scope, key, (int) bufSize, (const char *) buf);
}
}
static void PrintTypedData(const char *scope, const char *key, KeyType type, const void *buf, size_t bufSize)
// Given a typed data buffer, pretty print the contents.
{
assert(scope != NULL);
assert(key != NULL);
assert( (bufSize == 0) || (buf != NULL) );
switch (type) {
default:
assert(false);
// fall through
case kUnknown:
PrintHexData(scope, key, buf, bufSize);
break;
case kString:
if ( (bufSize > 0) && (((const char *) buf)[bufSize - 1] == 0)) {
PrintHexData(scope, key, buf, bufSize); // not expecting a null terminator here
} else {
DEBUGLOG("%s key='%s', value='%.*s'", scope, key, (int) bufSize, (const char *) buf);
}
break;
case kString0:
if ( (bufSize > 0) && (((const char *) buf)[bufSize - 1] == 0)) {
// By default we log your password as "********". If you want the real
// password to show up in the log, change the following to 1.
#define kIDontCareIfMyPasswordIsLogged 0
if ( (strcmp(key, "password") == 0) && ! kIDontCareIfMyPasswordIsLogged ) {
DEBUGLOG("%s key='%s', value='********'", scope, key);
} else {
DEBUGLOG("%s key='%s', value='%s'", scope, key, (const char *) buf);
}
} else {
PrintHexData(scope, key, buf, bufSize);
}
break;
case kPID:
if (bufSize == sizeof(pid_t)) {
DEBUGLOG("%s key='%s', value=%ld", scope, key, (long) *(pid_t *) buf);
} else {
PrintHexData(scope, key, buf, bufSize);
}
break;
case kUID:
if (bufSize == sizeof(uid_t)) {
DEBUGLOG("%s key='%s', value=%ld", scope, key, (long) *(uid_t *) buf);
} else {
PrintHexData(scope, key, buf, bufSize);
}
break;
case kGID:
if (bufSize == sizeof(gid_t)) {
DEBUGLOG("%s key='%s', value=%ld", scope, key, (long) *(gid_t *) buf);
} else {
PrintHexData(scope, key, buf, bufSize);
}
break;
case kOSType:
if (bufSize == sizeof(OSType)) {
OSType tmp;
// Should convert MacRoman to UTF-8 for each character, but that's
// quite hard.
tmp = *(OSType *) buf;
DEBUGLOG("%s key='%s', value='%c%c%c%c'", scope, key, (UInt8) (tmp >> 24), (UInt8) (tmp >> 16), (UInt8) (tmp >> 8), (UInt8) tmp);
} else {
PrintHexData(scope, key, buf, bufSize);
}
break;
case kUInt32:
if (bufSize == sizeof(UInt32)) {
DEBUGLOG("%s key='%s', value=%lu", scope, key, (unsigned long) *(UInt32 *) buf);
} else {
PrintHexData(scope, key, buf, bufSize);
}
break;
case kSInt32:
if (bufSize == sizeof(SInt32)) {
DEBUGLOG("%s key='%s', value=%ld", scope, key, (long) *(SInt32 *) buf);
} else {
PrintHexData(scope, key, buf, bufSize);
}
break;
case kPlist:
PrintPlist(scope, key, buf, bufSize);
break;
case kPlistOrString:
PrintPlistOrString(scope, key, buf, bufSize);
break;
}
}
static void PrintKeyedAuthState(MechanismRecord *mechanism, const char *key, KeyType type)
// For a given key, get both the content and hint value and, if successful, print them.
{
OSStatus err;
const AuthorizationValue * value;
AuthorizationContextFlags flags;
assert(MechanismValid(mechanism));
assert(key != NULL);
err = mechanism->fPlugin->fCallbacks->GetContextValue(mechanism->fEngine, key, &flags, &value);
if (err == noErr) {
PrintTypedData("GetContextValue", key, type, value->data, (size_t) value->length);
}
err = mechanism->fPlugin->fCallbacks->GetHintValue(mechanism->fEngine, key, &value);
if (err == noErr) {
PrintTypedData("GetHintValue", key, type, value->data, (size_t) value->length);
}
}
static void PrintAuthState(MechanismRecord *mechanism)
// Dump the state of the authorization. I try to print as much information
// as possible, but I'm open to suggestions for what also might be useful.
{
OSStatus err;
SecuritySessionId actualSessionID;
SessionAttributeBits sessionAttr;
AuthorizationSessionId sessionID;
const AuthorizationValueVector * arguments;
UInt32 argIndex;
int keyIndex;
assert(MechanismValid(mechanism));
// Process information -- This lets you see whether the plugin is running
// privileged (in "authorizationhost", with EUID 0) or GUI-capable
// (in SecurityAgent, with EUID of "securityagent" (92)).
DEBUGLOG("NullAuth:PrintAuthState: pid=%ld, ppid=%ld, euid=%ld, ruid=%ld", (long) getpid(), (long) getppid(), (long) geteuid(), (long) getuid() );
// SessionGetInfo
err = SessionGetInfo(callerSecuritySession, &actualSessionID, &sessionAttr);
if (err == noErr) {
DEBUGLOG("NullAuth:PrintAuthState: SessionGetInfo err=%ld, actualSessionID=%lu, sessionAttr=0x%lx", (long) err, (unsigned long) actualSessionID, (unsigned long) sessionAttr);
} else {
DEBUGLOG("NullAuth:PrintAuthState: SessionGetInfo err=%ld", (long) err);
}
// Session ID
err = mechanism->fPlugin->fCallbacks->GetSessionId(mechanism->fEngine, &sessionID);
if (err == noErr) {
DEBUGLOG("NullAuth:PrintAuthState: GetSessionId err=%ld, sessionID=%p", (long) err, sessionID);
} else {
DEBUGLOG("NullAuth:PrintAuthState: GetSessionId err=%ld", (long) err);
}
// Arguments -- I have yet to find a way to actually pass arguments to my mechanism.
// In fact, looking at the source it seems that GetArguments isn't actually
// implemented (it always returns errAuthorizationInternal). Still, I try to dump them
// anyway, just in case they get implemented in the future.
err = mechanism->fPlugin->fCallbacks->GetArguments(mechanism->fEngine, &arguments);
if (err == noErr) {
DEBUGLOG("NullAuth:PrintAuthState: GetArguments err=%ld, count=%lu", (long) err, (unsigned long) arguments->count);
for (argIndex = 0; argIndex < arguments->count; argIndex++) {
DEBUGLOG(
"NullAuth:PrintAuthState: arg[%lu]='%.*s'",
(unsigned long) argIndex,
(int) arguments->values[argIndex].length,
(char *) arguments->values[argIndex].data
);
}
} else {
DEBUGLOG("NullAuth:PrintAuthState: GetArguments err=%ld", (long) err);
}
// Context and Hints -- This is where things get complex. See my notes
// at the start of this section.
for (keyIndex = 0; keyIndex < (sizeof(kStateKeys) / sizeof(kStateKeys[0])); keyIndex++) {
PrintKeyedAuthState(mechanism, kStateKeys[keyIndex].fKey, kStateKeys[keyIndex].fType);
}
}
/////////////////////////////////////////////////////////////////////
#pragma mark ***** Mechanism Entry Points
static OSStatus MechanismCreate(
AuthorizationPluginRef inPlugin,
AuthorizationEngineRef inEngine,
AuthorizationMechanismId mechanismId,
AuthorizationMechanismRef * outMechanism
)
// Called by the plugin host to create a mechanism, that is, a specific
// instance of authentication.
//
// inPlugin is the plugin reference, that is, the value returned by
// AuthorizationPluginCreate.
//
// inEngine is a reference to the engine that's running the plugin.
// We need to keep it around because it's a parameter to all the
// callbacks.
//
// mechanismId is the name of the mechanism. When you configure your
// mechanism in "/etc/authorization", you supply a string of the
// form:
//
// plugin:mechanism[,privileged]
//
// where:
//
// o plugin is the name of this bundle (without the extension)
// o mechanism is the string that's passed to mechanismId
// o privileged, if present, causes this mechanism to be
// instantiated in the privileged (rather than the GUI-capable)
// plug-in host
//
// You can use the mechanismId to support multiple types of
// operation within the same plugin code. For example, your plugin
// might have two cooperating mechanisms, one that needs to use the
// GUI and one that needs to run privileged. This allows you to put
// both mechanisms in the same plugin.
//
// outMechanism is a pointer to a place where you return a reference to
// the newly created mechanism.
{
OSStatus err;
PluginRecord * plugin;
MechanismRecord * mechanism;
DEBUGLOG("NullAuth:MechanismCreate: inPlugin=%p, inEngine=%p, mechanismId='%s'", inPlugin, inEngine, mechanismId);
plugin = (PluginRecord *) inPlugin;
assert(PluginValid(plugin));
assert(inEngine != NULL);
assert(mechanismId != NULL);
assert(outMechanism != NULL);
// Normally one would test mechanismId to distinguish various mechanisms
// supported by the same plugin. In this case, the only thing we care about
// is if the mechanismId is "WaitForDebugger", in which case we set the
// fWaitForDebugger flag, which changes the behaviour of MechanismInvoke.
// All other mechanism IDs are considered equal.
// Allocate the space for the MechanismRecord.
err = noErr;
mechanism = (MechanismRecord *) malloc(sizeof(mechanism));
if (mechanism == NULL) {
err = memFullErr;
}
// Fill it in.
if (err == noErr) {
mechanism->fMagic = kMechanismMagic;
mechanism->fEngine = inEngine;
mechanism->fPlugin = plugin;
mechanism->fWaitForDebugger = (strcmp(mechanismId, "WaitForDebugger") == 0);
}
*outMechanism = mechanism;
assert( (err == noErr) == (*outMechanism != NULL) );
DEBUGLOG("NullAuth:MechanismCreate: err=%ld, *outMechanism=%p", (long) err, *outMechanism);
return err;
}
static OSStatus MechanismInvoke(AuthorizationMechanismRef inMechanism)
// Called by the system to start authentication using this mechanism.
// In a real plugin, this is where the real work is done.
{
OSStatus err;
MechanismRecord * mechanism;
DEBUGLOG("NullAuth:MechanismInvoke: inMechanism=%p", inMechanism);
mechanism = (MechanismRecord *) inMechanism;
assert(MechanismValid(mechanism));
// For exploratory purposes, either dump out the authorization state or wait for the
// debugger.
if (mechanism->fWaitForDebugger) {
DEBUGLOG("NullAuth:MechanismInvoke: process %ld waiting for debugger", (long) getpid());
pause();
DEBUGLOG("NullAuth:MechanismInvoke: process %ld continuing", (long) getpid());
} else {
PrintAuthState(mechanism);
}
// Tell the system that, as far as we're concerned, authorization was
// a success. This allows you to insert this mechanism anywhere in the
// authorization chain, to dump the state without affecting the
// authorization result.
err = mechanism->fPlugin->fCallbacks->SetResult(mechanism->fEngine, kAuthorizationResultAllow);
DEBUGLOG("NullAuth:MechanismInvoke: err=%ld", (long) err);
return err;
}
static OSStatus MechanismDeactivate(AuthorizationMechanismRef inMechanism)
// Called by the system to deactivate the mechanism, in the traditional
// GUI sense of deactivating a window. After your plugin has deactivated
// it's UI, it should call the DidDeactivate callback.
//
// In our case, we have no UI, so we just call DidDeactivate immediately.
{
OSStatus err;
MechanismRecord * mechanism;
DEBUGLOG("NullAuth:MechanismDeactivate: inMechanism=%p", inMechanism);
mechanism = (MechanismRecord *) inMechanism;
assert(MechanismValid(mechanism));
err = mechanism->fPlugin->fCallbacks->DidDeactivate(mechanism->fEngine);
DEBUGLOG("NullAuth:MechanismDeactivate: err=%ld", (long) err);
return err;
}
static OSStatus MechanismDestroy(AuthorizationMechanismRef inMechanism)
// Called by the system when it's done with the mechanism.
{
MechanismRecord * mechanism;
DEBUGLOG("NullAuth:MechanismDestroy: inMechanism=%p", inMechanism);
mechanism = (MechanismRecord *) inMechanism;
assert(MechanismValid(mechanism));
free(mechanism);
return noErr;
}
/////////////////////////////////////////////////////////////////////
#pragma mark ***** Plugin Entry Points
static OSStatus PluginDestroy(AuthorizationPluginRef inPlugin)
// Called by the system when it's done with the plugin.
// All of the mechanisms should have been destroyed by this time.
{
PluginRecord * plugin;
plugin = (PluginRecord *) inPlugin;
assert(PluginValid(plugin));
free(plugin);
return noErr;
}
// gPluginInterface is the plugin's dispatch table, a pointer to
// which you return from AuthorizationPluginCreate. This is what
// allows the system to call the various entry points in the plugin.
static AuthorizationPluginInterface gPluginInterface = {
kAuthorizationPluginInterfaceVersion,
&PluginDestroy,
&MechanismCreate,
&MechanismInvoke,
&MechanismDeactivate,
&MechanismDestroy
};
extern OSStatus AuthorizationPluginCreate(
const AuthorizationCallbacks * callbacks,
AuthorizationPluginRef * outPlugin,
const AuthorizationPluginInterface ** outPluginInterface
)
// The primary entry point of the plugin. Called by the system
// to instantiate the plugin.
//
// callbacks is a pointer to a bunch of callbacks that allow
// your plugin to ask the system to do operations on your behalf.
//
// outPlugin is a pointer to a place where you can return a
// reference to the newly created plugin.
//
// outPluginInterface is a pointer to a place where you can return
// a pointer to your plugin dispatch table.
{
OSStatus err;
PluginRecord * plugin;
DEBUGLOG("NullAuth:AuthorizationPluginCreate: callbacks=%p", callbacks);
assert(callbacks != NULL);
assert(callbacks->version >= kAuthorizationCallbacksVersion);
assert(outPlugin != NULL);
assert(outPluginInterface != NULL);
// Create the plugin.
err = noErr;
plugin = (PluginRecord *) malloc(sizeof(*plugin));
if (plugin == NULL) {
err = memFullErr;
}
// Fill it in.
if (err == noErr) {
plugin->fMagic = kPluginMagic;
plugin->fCallbacks = callbacks;
}
*outPlugin = plugin;
*outPluginInterface = &gPluginInterface;
assert( (err == noErr) == (*outPlugin != NULL) );
DEBUGLOG("NullAuth:AuthorizationPluginCreate: err=%ld, *outPlugin=%p, *outPluginInterface=%p", (long) err, *outPlugin, *outPluginInterface);
return err;
}
</pre>
<!--googleoff: index -->
</td>
</tr>
</table>
<!-- END WIDE COLUMN -->
<!-- END MAIN CONTENT -->
<table width="680" border="0" cellpadding="0" cellspacing="0">
<tr>
<td><div style="width: 100%; height: 1px; background-color: #919699; margin-top: 5px; margin-bottom: 15px"></div></td>
</tr>
<tr>
<td align="center"><br/>
<table border="0" cellpadding="0" cellspacing="0" class="graybox">
<tr>
<th>Did this document help you?</th>
</tr>
<tr>
<td>
<div style="margin-bottom: 8px"><a href="http://developer.apple.com/feedback/?v=1&url=/samplecode/NullAuthPlugin/listing1.html%3Fid%3DDTS10003789-2.0&media=dvd" target=_new>Yes</a>: Tell us what works for you.</div>
<div style="margin-bottom: 8px"><a href="http://developer.apple.com/feedback/?v=2&url=/samplecode/NullAuthPlugin/listing1.html%3Fid%3DDTS10003789-2.0&media=dvd" target=_new>It’s good, but:</a> Report typos, inaccuracies, and so forth.</div>
<div><a href="http://developer.apple.com/feedback/?v=3&url=/samplecode/NullAuthPlugin/listing1.html%3Fid%3DDTS10003789-2.0&media=dvd" target=_new>It wasn’t helpful</a>: Tell us what would have helped.</div>
</td>
</tr>
</table>
</td>