//// LAContext.h// LocalAuthentication//// Copyright (c) 2014 Apple.

1. //
2. //  LAContext.h
3. //  LocalAuthentication
4. //
5. //  Copyright (c) 2014 Apple. All rights reserved.
6. //
7.  
8. #import <Foundation/Foundation.h>
9. #import <LocalAuthentication/LAPublicDefines.h>
10.  
11. NS_ASSUME_NONNULL_BEGIN
12.  
13. typedef NS_ENUM(NSInteger, LAPolicy)
14. {
15.     /// Device owner was authenticated using a biometric method (Touch ID).
16.     ///
17.     /// @discussion Touch ID authentication is required. If Touch ID is not available or not enrolled,
18.     ///             policy evaluation will fail. If Touch ID is locked out, passcode is required as
19.     ///             the first step to unlock the Touch ID.
20.     ///
21.     ///             Touch ID authentication dialog contains a cancel button and a fallback button with
22.     ///             default title "Enter Password" which can be customized using localizedFallbackTitle
23.     ///             property. Fallback button is initially hidden and shows up after first unsuccessful
24.     ///             Touch ID attempt. Tapping cancel button or fallback button causes evaluatePolicy call
25.     ///             to fail, returning a distinct error code.
26.     ///
27.     ///             Biometric authentication will get locked after 5 unsuccessful attempts. After that,
28.     ///             users have to unlock it by entering passcode.
29.     LAPolicyDeviceOwnerAuthenticationWithBiometrics NS_ENUM_AVAILABLE(NA, 8_0) = kLAPolicyDeviceOwnerAuthenticationWithBiometrics,
30.  
31.     /// Device owner was authenticated by Touch ID or device passcode.
32.     ///
33.     /// @discussion Touch ID or passcode authentication is required. If Touch ID is available, enrolled and
34.     ///             not locked out, user is asked for it first, otherwise they are asked to enter device
35.     ///             passcode. If passcode is not enabled, policy evaluation will fail.
36.     ///
37.     ///             Touch ID authentication dialog behaves similarly as the one used by
38.     ///             LAPolicyDeviceOwnerAuthenticationWithBiometrics. However, instead of "Enter Password"
39.     ///             button there is "Enter Passcode" button which, when tapped, switches the authentication
40.     ///             method and allows users to enter device passcode.
41.     ///
42.     ///             Passcode authentication will get locked after 6 unsuccessful attempts with progressively
43.     ///             increased backoff delay.
44.     LAPolicyDeviceOwnerAuthentication NS_ENUM_AVAILABLE(10_11, 9_0) = kLAPolicyDeviceOwnerAuthentication
45.  
46. } NS_ENUM_AVAILABLE(10_10, 8_0);
47.  
48. /// The maximum value for LAContext touchIDAuthenticationAllowableReuseDuration property.
49. extern const NSTimeInterval LATouchIDAuthenticationMaximumAllowableReuseDuration NS_AVAILABLE_IOS(9_0);
50.  
51. /// Class that represents an authentication context.
52. ///
53. /// @discussion This context can be used for evaluating policies.
54. ///
55. /// @see LAPolicy
56. NS_CLASS_AVAILABLE(10_10, 8_0)
57. @interface LAContext : NSObject
58.  
59. /// Determines if a particular policy can be evaluated.
60. ///
61. /// @discussion Policies can have certain requirements which, when not satisfied, would always cause
62. ///             the policy evaluation to fail. Examples can be a passcode set or a fingerprint
63. ///             enrolled with Touch ID. This method allows easy checking for such conditions.
64. ///
65. ///             Applications should consume the returned value immediately and avoid relying on it
66. ///             for an extensive period of time. At least, it is guaranteed to stay valid until the
67. ///             application enters background.
68. ///
69. /// @warning    Do not call this method in the reply block of evaluatePolicy:reply: because it could
70. ///             lead to a deadlock.
71. ///
72. /// @param policy Policy for which the preflight check should be run.
73. ///
74. /// @param error Optional output parameter which is set to nil if the policy can be evaluated, or it
75. ///              contains error information if policy evaluation is not possible.
76. ///
77. /// @return YES if the policy can be evaluated, NO otherwise.
78. - (BOOL)canEvaluatePolicy:(LAPolicy)policy error:(NSError * __autoreleasing *)error __attribute__((swift_error(none)));
79.  
80. /// Evaluates the specified policy.
81. ///
82. /// @discussion Policy evaluation may involve prompting user for various kinds of interaction
83. ///             or authentication. Actual behavior is dependent on evaluated policy, device type,
84. ///             and can be affected by installed configuration profiles.
85. ///
86. ///             Be sure to keep a strong reference to the context while the evaluation is in progress.
87. ///             Otherwise, an evaluation would be canceled when the context is being deallocated.
88. ///
89. ///             The method does not block. Instead, the caller must provide a reply block to be
90. ///             called asynchronously when evaluation finishes. The block is executed on a private
91. ///             queue internal to the framework in an unspecified threading context. Other than that,
92. ///             no guarantee is made about which queue, thread, or run-loop the block is executed on.
93. ///
94. ///             Implications of successful policy evaluation are policy specific. In general, this
95. ///             operation is not idempotent. Policy evaluation may fail for various reasons, including
96. ///             user cancel, system cancel and others, see LAError codes.
97. ///
98. /// @param policy Policy to be evaluated.
99. ///
100. /// @param reply Reply block that is executed when policy evaluation finishes.
101. ///
102. /// @param localizedReason Application reason for authentication. This string must be provided in correct
103. ///                        localization and should be short and clear. It will be eventually displayed in
104. ///                        the authentication dialog subtitle. A name of the calling application will be
105. ///                        already displayed in title, so it should not be duplicated here.
106. ///
107. /// @param success Reply parameter that is YES if the policy has been evaluated successfully or NO if
108. ///                the evaluation failed.
109. ///
110. /// @param error Reply parameter that is nil if the policy has been evaluated successfully, or it contains
111. ///              error information about the evaluation failure.
112. ///
113. /// @warning localizedReason parameter is mandatory and the call will throw NSInvalidArgumentException if
114. ///          nil or empty string is specified.
115. ///
116. /// @see LAError
117. ///
118. /// Typical error codes returned by this call are:
119. /// @li          LAErrorUserFallback if user tapped the fallback button
120. /// @li          LAErrorUserCancel if user has tapped the Cancel button
121. /// @li          LAErrorSystemCancel if some system event interrupted the evaluation (e.g. Home button pressed).
122. - (void)evaluatePolicy:(LAPolicy)policy
123.        localizedReason:(NSString *)localizedReason
124.                  reply:(void(^)(BOOL success, NSError * __nullable error))reply;
125.  
126. /// Invalidates the context.
127. ///
128. /// @discussion The context is invalidated automatically when it is (auto)released. This method
129. ///             allows invalidating it manually while it is still in scope.
130. ///
131. ///             Invalidation terminates any existing policy evaluation and the respective call will
132. ///             fail with LAErrorAppCancel. After the context has been invalidated, it can not be
133. ///             used for policy evaluation and an attempt to do so will fail with LAErrorInvalidContext.
134. ///
135. ///             Invalidating a context that has been already invalidated has no effect.
136. - (void)invalidate NS_AVAILABLE(10_11, 9_0);
137.  
138. typedef NS_ENUM(NSInteger, LACredentialType)
139. {
140.     /// Password provided by application
141.     ///
142.     /// @discussion If not set, LocalAuthentication will ask for the password when necessary. It will use
143.     ///             its own user interface depending on the evaluated policy or ACL.
144.     ///             Applications can provide the password using the setCredential method. In such case,
145.     ///             LocalAuthentication will not show password entry user interface.
146.     ///             When entered from the LocalAuthentication user interface, the password is stored as
147.     ///             UTF-8 encoded string.
148.     LACredentialTypeApplicationPassword = 0,
149. } NS_ENUM_AVAILABLE(10_11, 9_0);
150.  
151. /// Sets a credential to this context.
152. ///
153. /// @discussion Some policies allow to bind application-provided credential with them.
154. ///             This method allows credential to be passed to the right context.
155. ///
156. /// @param credential Credential to be used with subsequent calls. Setting this parameter to nil will remove
157. ///                   any existing credential of the specified type.
158. ///
159. /// @param type Type of the provided credential.
160. ///
161. /// @return YES if the credential was set successfully, NO otherwise.
162. ///
163. - (BOOL)setCredential:(nullable NSData *)credential
164.                 type:(LACredentialType)type NS_AVAILABLE(10_11, 9_0);
165.  
166. /// Reveals if credential was set with this context.
167. ///
168. /// @param type Type of credential we are asking for.
169. ///
170. /// @return YES on success, NO otherwise.
171. ///
172. - (BOOL)isCredentialSet:(LACredentialType)type NS_AVAILABLE(10_11, 9_0);
173.  
174. typedef NS_ENUM(NSInteger, LAAccessControlOperation)
175. {
176.     /// Access control will be used for item creation.
177.     LAAccessControlOperationCreateItem,
178.  
179.     /// Access control will be used for accessing existing item.
180.     LAAccessControlOperationUseItem,
181.  
182.     /// Access control will be used for key creation.
183.     LAAccessControlOperationCreateKey,
184.  
185.     /// Access control will be used for accessing existing key.
186.     LAAccessControlOperationUseKeySign
187. } NS_ENUM_AVAILABLE(10_11, 9_0);
188.  
189. /// Evaluates access control object for the specified operation.
190. ///
191. /// @discussion Access control evaluation may involve prompting user for various kinds of interaction
192. ///             or authentication. Actual behavior is dependent on evaluated access control, device type,
193. ///             and can be affected by installed configuration profiles.
194. ///
195. ///             Be sure to keep a strong reference to the context while the evaluation is in progress.
196. ///             Otherwise, an evaluation would be canceled when the context is being deallocated.
197. ///
198. ///             The method does not block. Instead, the caller must provide a reply block to be
199. ///             called asynchronously when evaluation finishes. The block is executed on a private
200. ///             queue internal to the framework in an unspecified threading context. Other than that,
201. ///             no guarantee is made about which queue, thread, or run-loop the block is executed on.
202. ///
203. ///             After successful access control evaluation, the LAContext can be used with keychain operations,
204. ///             so that they do not require user to authenticate.
205. ///
206. ///             Access control evaluation may fail for various reasons, including user cancel, system cancel
207. ///             and others, see LAError codes.
208. ///
209. /// @param accessControl Access control object that is typically created by SecAccessControlCreateWithFlags.
210. ///
211. /// @param operation Type of operation the access control will be used with.
212. ///
213. /// @param localizedReason Application reason for authentication. This string must be provided in correct
214. ///                        localization and should be short and clear. It will be eventually displayed in
215. ///                        the authentication dialog subtitle. A name of the calling application will be
216. ///                        already displayed in title, so it should not be duplicated here.
217. ///
218. /// @param reply Reply block that is executed when access control evaluation finishes.
219. ///
220. /// @param success Reply parameter that is YES if the access control has been evaluated successfully or NO
221. ///                if the evaluation failed.
222. ///
223. /// @param error Reply parameter that is nil if the access control has been evaluated successfully, or it
224. ///              contains error information about the evaluation failure.
225. ///
226. /// @warning localizedReason parameter is mandatory and the call will throw NSInvalidArgumentException if
227. ///          nil or empty string is specified.
228. - (void)evaluateAccessControl:(SecAccessControlRef)accessControl
229.                     operation:(LAAccessControlOperation)operation
230.               localizedReason:(NSString *)localizedReason
231.                         reply:(void(^)(BOOL success, NSError * __nullable error))reply
232.                         NS_AVAILABLE(10_11, 9_0);
233.  
234. /// Fallback button title.
235. /// @discussion Allows fallback button title customization. A default title "Enter Password" is used when
236. ///             this property is left nil. If set to empty string, the button will be hidden.
237. @property (nonatomic, nullable, copy) NSString *localizedFallbackTitle;
238.  
239. /// Allows setting the limit for the number of failures during biometric authentication.
240. ///
241. /// @discussion When the specified limit is exceeded, evaluation of LAPolicyDeviceOwnerAuthenticationWithBiometrics
242. ///             evaluation will fail with LAErrorAuthenticationFailed. By default this property is nil and
243. ///             the biometric authentication fails after 3 wrong attempts.
244. ///
245. /// @warning Please note that setting this property with high values does not prevent biometry lockout after 5
246. ///          wrong attempts.
247. @property (nonatomic, nullable) NSNumber *maxBiometryFailures NS_DEPRECATED_IOS(8_3, 9_0);
248.  
249. /// Contains policy domain state.
250. ///
251. /// @discussion  This property is set only when evaluatePolicy is called and succesful Touch ID authentication
252. ///              was performed, or when canEvaluatePolicy succeeds for a biometric policy.
253. ///              It stays nil for all other cases.
254. ///              If finger database was modified (fingers were removed or added), evaluatedPolicyDomainState
255. ///              data will change. Nature of such database changes cannot be determined
256. ///              but comparing data of evaluatedPolicyDomainState after different evaluatePolicy
257. ///              will reveal the fact database was changed between calls.
258. @property (nonatomic, nullable, readonly) NSData *evaluatedPolicyDomainState NS_AVAILABLE(10_11, 9_0);
259.  
260. /// Time interval for accepting a successful Touch ID unlock from the past.
261. ///
262. /// @discussion This property can be set with a time interval in seconds. If the device was successfully unlocked by
263. ///             Touch ID within this time interval, then Touch ID authentication on this context will succeed
264. ///             automatically and the reply block will be called without prompting user for Touch ID.
265. ///
266. ///             The default value is 0, meaning that no previous TouchID authentication can be reused.
267. ///
268. ///             The maximum supported interval is 5 minutes and setting the value beyond 5 minutes does not increase
269. ///             the accepted interval.
270. ///
271. /// @see LATouchIDAuthenticationMaximumAllowableReuseDuration
272. @property (nonatomic) NSTimeInterval touchIDAuthenticationAllowableReuseDuration NS_AVAILABLE_IOS(9_0);
273.  
274. @end
275.  
276. NS_ASSUME_NONNULL_END