OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef CHROME_BROWSER_MAC_KEYCHAIN_REAUTHORIZE_H_ | |
6 #define CHROME_BROWSER_MAC_KEYCHAIN_REAUTHORIZE_H_ | |
7 | |
8 #ifdef __OBJC__ | |
9 @class NSString; | |
10 #else | |
11 class NSString; | |
12 #endif | |
13 | |
14 namespace chrome { | |
15 | |
16 // Reauthorizes all Keychain items that can be found in a standard Keychain | |
17 // search, as long as they are accessible and can be decrypted. This operates | |
18 // by scanning the requirement strings for each application in each ACL in | |
19 // each accessible Keychain item. If any requirement string matches a list of | |
20 // strings to perform reauthorization for, the matching application in the ACL | |
21 // will be replaced with this application, using this application's designated | |
22 // requirement as the requirement string. Keychain items that are reauthorized | |
23 // are made effective by deleting the original item and storing the new one | |
24 // with its revised access policy in the Keychain. This circuitous method is | |
25 // used because applications don't generally have permission to modify access | |
26 // control policies on existing Keychain items (even when they are able to | |
27 // decrypt those items), but any application can remove a Keychain item. | |
28 void KeychainReauthorize(); | |
29 | |
30 // Calls KeychainReauthorize, but only if it's determined that it's necessary. | |
31 // pref_key is looked up in the system's standard user defaults (preferences) | |
32 // and if its integer value is less than max_tries, KeychainReauthorize is | |
33 // attempted. Before the attempt, the preference is incremented, allowing a | |
34 // finite number of incomplete attempts at performing the KeychainReauthorize | |
35 // operation. When the step completes successfully, the preference is set to | |
36 // max_tries to prevent further attempts, and the preference name with the | |
37 // word "Success" appended is also stored with a boolean value of YES, | |
38 // disambiguating between the cases where the step completed successfully and | |
39 // the step completed unsuccessfully while reaching the maximum number of | |
40 // tries. | |
41 // | |
42 // The system's standard user defaults for the application are used | |
43 // (~/Library/Preferences/com.google.Chrome.plist, | |
44 // com.google.Chrome.canary.plist, etc.) instead of Chrome preferences because | |
45 // Keychain access is tied more closely to the bundle identifier and signed | |
46 // product than it is to any specific profile (--user-data-dir). | |
47 void KeychainReauthorizeIfNeeded(NSString* pref_key, int max_tries); | |
48 | |
49 } // namespace chrome | |
50 | |
51 #endif // CHROME_BROWSER_MAC_KEYCHAIN_REAUTHORIZE_H_ | |
OLD | NEW |