[apple/security.git] / keychain / escrowrequest / EscrowRequestController.m


#import "utilities/debugging.h"

#import "keychain/ot/OctagonStateMachine.h"
#import "keychain/ot/OTStates.h"
#import "keychain/escrowrequest/EscrowRequestController.h"
#import "keychain/escrowrequest/EscrowRequestServer.h"

#import "keychain/ckks/CKKSLockStateTracker.h"

#import "keychain/ot/ObjCImprovements.h"

#import "keychain/escrowrequest/operations/EscrowRequestInformCloudServicesOperation.h"
#import "keychain/escrowrequest/operations/EscrowRequestPerformEscrowEnrollOperation.h"

#import "keychain/escrowrequest/generated_source/SecEscrowPendingRecord.h"
#import "keychain/escrowrequest/SecEscrowPendingRecord+KeychainSupport.h"

OctagonState* const EscrowRequestStateNothingToDo = (OctagonState*)@"nothing_to_do";
OctagonState* const EscrowRequestStateTriggerCloudServices = (OctagonState*)@"trigger_cloudservices";

OctagonState* const EscrowRequestStateAttemptEscrowUpload = (OctagonState*)@"trigger_escrow_upload";
OctagonState* const EscrowRequestStateWaitForUnlock = (OctagonState*)@"wait_for_unlock";

@interface EscrowRequestController ()
@property dispatch_queue_t queue;
@property CKKSLockStateTracker* lockStateTracker;
@property bool haveRecordedDate;
@end

@implementation EscrowRequestController

- (instancetype)initWithLockStateTracker:(CKKSLockStateTracker*)lockStateTracker
{
    if((self = [super init])) {
        _queue = dispatch_queue_create("EscrowRequestControllerQueue", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL);
        _lockStateTracker = lockStateTracker;

        _stateMachine = [[OctagonStateMachine alloc] initWithName:@"escrowrequest"
                                                           states:[NSSet setWithArray:@[EscrowRequestStateNothingToDo,
                                                                                          EscrowRequestStateTriggerCloudServices,
                                                                                          EscrowRequestStateAttemptEscrowUpload,
                                                                                          EscrowRequestStateWaitForUnlock]]
                                                     initialState:EscrowRequestStateNothingToDo
                                                            queue:_queue
                                                      stateEngine:self
                                                 lockStateTracker:lockStateTracker];

        _forceIgnoreCloudServicesRateLimiting = false;
    }

    return self;
}

- (CKKSResultOperation<OctagonStateTransitionOperationProtocol> * _Nullable)_onqueueNextStateMachineTransition:(nonnull OctagonState *)currentState
                                                                                                         flags:(nonnull OctagonFlags *)flags
                                                                                                  pendingFlags:(nonnull id<OctagonStateOnqueuePendingFlagHandler>)pendingFlagHandler
{
    if([flags _onqueueContains:OctagonFlagEscrowRequestInformCloudServicesOperation]) {
        [flags _onqueueRemoveFlag:OctagonFlagEscrowRequestInformCloudServicesOperation];
        return [[EscrowRequestInformCloudServicesOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
                                                                             errorState:EscrowRequestStateNothingToDo
                                                                       lockStateTracker:self.lockStateTracker];
    }

    if([currentState isEqualToString:EscrowRequestStateTriggerCloudServices]) {
        return [[EscrowRequestInformCloudServicesOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
                                                                             errorState:EscrowRequestStateNothingToDo
                                                                       lockStateTracker:self.lockStateTracker];
    }

    if([currentState isEqualToString:EscrowRequestStateAttemptEscrowUpload]) {
        return [[EscrowRequestPerformEscrowEnrollOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
                                                                             errorState:EscrowRequestStateNothingToDo
                                                                    enforceRateLimiting:true
                                                                       lockStateTracker:self.lockStateTracker];
    }

    if([currentState isEqualToString:EscrowRequestStateWaitForUnlock]) {
        secnotice("escrowrequest", "waiting for unlock before continuing with state machine");
        OctagonStateTransitionOperation* op = [OctagonStateTransitionOperation named:@"wait-for-unlock"
                                                                            entering:EscrowRequestStateNothingToDo];
        [op addNullableDependency:self.lockStateTracker.unlockDependency];
        return op;
    }

    NSError* error = nil;
    NSArray<SecEscrowPendingRecord*>* records = [SecEscrowPendingRecord loadAllFromKeychain:&error];
    if(error) {
        if([self.lockStateTracker isLockedError:error]) {
            return [OctagonStateTransitionOperation named:@"wait-for-unlock"
                                                 entering:EscrowRequestStateWaitForUnlock];
        }
        secnotice("escrowrequest", "failed to fetch records from keychain, nothing to do: %@", error);
        return nil;
    }

    // First, do we need to poke CloudServices?
    for(SecEscrowPendingRecord* record in records) {
        // Completed records don't need anything.
        if(record.hasUploadCompleted && record.uploadCompleted) {
            continue;
        }

        if (!self.haveRecordedDate) {
            NSDate *date = [[CKKSAnalytics logger] datePropertyForKey:ESRPendingSince];
            if (date == NULL) {
                [[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:ESRPendingSince];
            }
            self.haveRecordedDate = true;
        }

        uint64_t fiveMinutesAgo = ((uint64_t)[[NSDate date] timeIntervalSince1970] * 1000) - (1000*60*5);

        if(!record.certCached) {
            if(!self.forceIgnoreCloudServicesRateLimiting && (record.hasLastCloudServicesTriggerTime && record.lastCloudServicesTriggerTime >= fiveMinutesAgo)) {
                secnotice("escrowrequest", "Request %@ needs to cache a certificate, but that has been attempted recently. Holding off...", record.uuid);
                continue;
            }

            secnotice("escrowrequest", "Request %@ needs a cached certififcate", record.uuid);

            return [OctagonStateTransitionOperation named:@"escrow-request-cache-cert"
                                                 entering:EscrowRequestStateTriggerCloudServices];
        }

        if(record.hasSerializedPrerecord) {
            if([record escrowAttemptedWithinLastSeconds:5*60]) {
                secnotice("escrowrequest", "Request %@ needs to be stored, but has been attempted recently. Holding off...", record.uuid);
                continue;
            }

            secnotice("escrowrequest", "Request %@ needs to be stored!", record.uuid);

            return [OctagonStateTransitionOperation named:@"escrow-request-attempt-escrow-upload"
                                                 entering:EscrowRequestStateAttemptEscrowUpload];
        }
    }


    return nil;
}

- (void)triggerEscrowUpdateRPC:(nonnull NSString *)reason
                         reply:(nonnull void (^)(NSError * _Nullable))reply
{
    [self.stateMachine startOperation];

    NSError* error = nil;
    NSArray<SecEscrowPendingRecord*>* records = [SecEscrowPendingRecord loadAllFromKeychain:&error];
    if(error && !([error.domain isEqualToString:NSOSStatusErrorDomain] && error.code == errSecItemNotFound)) {
        secnotice("escrowrequest", "failed to fetch records from keychain: %@", error);
        reply(error);
        return;
    }
    error = nil;

    secnotice("escrowrequest", "Investigating a new escrow request");

    BOOL escrowRequestExists = NO;
    for(SecEscrowPendingRecord* existingRecord in records) {
        if(existingRecord.uploadCompleted) {
            continue;
        }

        if (existingRecord.hasAltDSID) {
            continue;
        }

        secnotice("escrowrequest", "Retriggering an existing escrow request: %@", existingRecord);
        existingRecord.hasCertCached = false;
        existingRecord.serializedPrerecord = nil;

        [existingRecord saveToKeychain:&error];
        if(error) {
            secerror("escrowrequest: Unable to save modified request to keychain: %@", error);
            reply(error);
            return;
        }

        secnotice("escrowrequest", "Retriggering an existing escrow request complete");
        escrowRequestExists = YES;
    }

    if(escrowRequestExists == NO){
        secnotice("escrowrequest", "Creating a new escrow request");

        SecEscrowPendingRecord* record = [[SecEscrowPendingRecord alloc] init];
        record.uuid = [[NSUUID UUID] UUIDString];
        record.altDSID = nil;
        record.triggerRequestTime = ((uint64_t)[[NSDate date] timeIntervalSince1970] * 1000);
        secnotice("escrowrequest", "beginning a new escrow request (%@)", record.uuid);

        [record saveToKeychain:&error];

        if(error) {
            secerror("escrowrequest: unable to save escrow update request: %@", error);
            reply(error);
            return;
        }
    }

    [[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:ESRPendingSince];
    self.haveRecordedDate = true;

    [self.stateMachine handleFlag:OctagonFlagEscrowRequestInformCloudServicesOperation];

    reply(nil);
}

- (void)storePrerecordsInEscrowRPC:(void (^)(uint64_t count, NSError* _Nullable error))reply
{
    EscrowRequestPerformEscrowEnrollOperation* op = [[EscrowRequestPerformEscrowEnrollOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
                                                                                                                  errorState:EscrowRequestStateNothingToDo
                                                                                                         enforceRateLimiting:false
                                                                                                            lockStateTracker:self.lockStateTracker];
    [self.stateMachine startOperation];
    [self.stateMachine doSimpleStateMachineRPC:@"trigger-escrow-store"
                                            op:op
                                  sourceStates:[NSSet setWithObject:EscrowRequestStateNothingToDo]
                                         reply:^(NSError * _Nullable error) {
                                             secnotice("escrowrequest", "Uploaded %d records with error %@", (int)op.numberOfRecordsUploaded, error);
                                             reply(op.numberOfRecordsUploaded, error);
                                         }];
}

@end
Commit	Line	Data
b54c578e A	1
	2	#import "utilities/debugging.h"
	3
	4	#import "keychain/ot/OctagonStateMachine.h"
	5	#import "keychain/ot/OTStates.h"
	6	#import "keychain/escrowrequest/EscrowRequestController.h"
	7	#import "keychain/escrowrequest/EscrowRequestServer.h"
	8
	9	#import "keychain/ckks/CKKSLockStateTracker.h"
	10
	11	#import "keychain/ot/ObjCImprovements.h"
	12
	13	#import "keychain/escrowrequest/operations/EscrowRequestInformCloudServicesOperation.h"
	14	#import "keychain/escrowrequest/operations/EscrowRequestPerformEscrowEnrollOperation.h"
	15
	16	#import "keychain/escrowrequest/generated_source/SecEscrowPendingRecord.h"
	17	#import "keychain/escrowrequest/SecEscrowPendingRecord+KeychainSupport.h"
	18
	19	OctagonState* const EscrowRequestStateNothingToDo = (OctagonState*)@"nothing_to_do";
	20	OctagonState* const EscrowRequestStateTriggerCloudServices = (OctagonState*)@"trigger_cloudservices";
	21
	22	OctagonState* const EscrowRequestStateAttemptEscrowUpload = (OctagonState*)@"trigger_escrow_upload";
	23	OctagonState* const EscrowRequestStateWaitForUnlock = (OctagonState*)@"wait_for_unlock";
	24
	25	@interface EscrowRequestController ()
	26	@property dispatch_queue_t queue;
	27	@property CKKSLockStateTracker* lockStateTracker;
	28	@property bool haveRecordedDate;
	29	@end
	30
	31	@implementation EscrowRequestController
	32
	33	- (instancetype)initWithLockStateTracker:(CKKSLockStateTracker*)lockStateTracker
	34	{
	35	if((self = [super init])) {
	36	_queue = dispatch_queue_create("EscrowRequestControllerQueue", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL);
	37	_lockStateTracker = lockStateTracker;
	38
	39	_stateMachine = [[OctagonStateMachine alloc] initWithName:@"escrowrequest"
	40	states:[NSSet setWithArray:@[EscrowRequestStateNothingToDo,
	41	EscrowRequestStateTriggerCloudServices,
	42	EscrowRequestStateAttemptEscrowUpload,
	43	EscrowRequestStateWaitForUnlock]]
	44	initialState:EscrowRequestStateNothingToDo
	45	queue:_queue
	46	stateEngine:self
	47	lockStateTracker:lockStateTracker];
	48
	49	_forceIgnoreCloudServicesRateLimiting = false;
	50	}
	51
	52	return self;
	53	}
	54
	55	- (CKKSResultOperation<OctagonStateTransitionOperationProtocol> * _Nullable)_onqueueNextStateMachineTransition:(nonnull OctagonState *)currentState
	56	flags:(nonnull OctagonFlags *)flags
	57	pendingFlags:(nonnull id<OctagonStateOnqueuePendingFlagHandler>)pendingFlagHandler
	58	{
	59	if([flags _onqueueContains:OctagonFlagEscrowRequestInformCloudServicesOperation]) {
	60	[flags _onqueueRemoveFlag:OctagonFlagEscrowRequestInformCloudServicesOperation];
	61	return [[EscrowRequestInformCloudServicesOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
	62	errorState:EscrowRequestStateNothingToDo
	63	lockStateTracker:self.lockStateTracker];
	64	}
65
66	if([currentState isEqualToString:EscrowRequestStateTriggerCloudServices]) {
67	return [[EscrowRequestInformCloudServicesOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
68	errorState:EscrowRequestStateNothingToDo
69	lockStateTracker:self.lockStateTracker];
70	}
71
72	if([currentState isEqualToString:EscrowRequestStateAttemptEscrowUpload]) {
73	return [[EscrowRequestPerformEscrowEnrollOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
74	errorState:EscrowRequestStateNothingToDo
75	enforceRateLimiting:true
76	lockStateTracker:self.lockStateTracker];
77	}
78
79	if([currentState isEqualToString:EscrowRequestStateWaitForUnlock]) {
80	secnotice("escrowrequest", "waiting for unlock before continuing with state machine");
81	OctagonStateTransitionOperation* op = [OctagonStateTransitionOperation named:@"wait-for-unlock"
82	entering:EscrowRequestStateNothingToDo];
83	[op addNullableDependency:self.lockStateTracker.unlockDependency];
84	return op;
85	}
86
87	NSError* error = nil;
88	NSArray<SecEscrowPendingRecord> records = [SecEscrowPendingRecord loadAllFromKeychain:&error];
89	if(error) {
90	if([self.lockStateTracker isLockedError:error]) {
91	return [OctagonStateTransitionOperation named:@"wait-for-unlock"
92	entering:EscrowRequestStateWaitForUnlock];
93	}
94	secnotice("escrowrequest", "failed to fetch records from keychain, nothing to do: %@", error);
95	return nil;
96	}
97
98	// First, do we need to poke CloudServices?
99	for(SecEscrowPendingRecord* record in records) {
100	// Completed records don't need anything.
101	if(record.hasUploadCompleted && record.uploadCompleted) {
102	continue;
103	}
104
105	if (!self.haveRecordedDate) {
106	NSDate *date = [[CKKSAnalytics logger] datePropertyForKey:ESRPendingSince];
107	if (date == NULL) {
108	[[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:ESRPendingSince];
109	}
110	self.haveRecordedDate = true;
111	}
112
113	uint64_t fiveMinutesAgo = ((uint64_t)[[NSDate date] timeIntervalSince1970] * 1000) - (1000605);
114
115	if(!record.certCached) {
116	if(!self.forceIgnoreCloudServicesRateLimiting && (record.hasLastCloudServicesTriggerTime && record.lastCloudServicesTriggerTime >= fiveMinutesAgo)) {
117	secnotice("escrowrequest", "Request %@ needs to cache a certificate, but that has been attempted recently. Holding off...", record.uuid);
118	continue;
119	}
120
121	secnotice("escrowrequest", "Request %@ needs a cached certififcate", record.uuid);
122
123	return [OctagonStateTransitionOperation named:@"escrow-request-cache-cert"
124	entering:EscrowRequestStateTriggerCloudServices];
125	}
126
127	if(record.hasSerializedPrerecord) {
128	if([record escrowAttemptedWithinLastSeconds:5*60]) {
129	secnotice("escrowrequest", "Request %@ needs to be stored, but has been attempted recently. Holding off...", record.uuid);
130	continue;
131	}
132
133	secnotice("escrowrequest", "Request %@ needs to be stored!", record.uuid);
134
135	return [OctagonStateTransitionOperation named:@"escrow-request-attempt-escrow-upload"
136	entering:EscrowRequestStateAttemptEscrowUpload];
137	}
138	}
139
140
141	return nil;
142	}
143
144	- (void)triggerEscrowUpdateRPC:(nonnull NSString *)reason
145	reply:(nonnull void (^)(NSError * _Nullable))reply
146	{
147	[self.stateMachine startOperation];
148
149	NSError* error = nil;
150	NSArray<SecEscrowPendingRecord> records = [SecEscrowPendingRecord loadAllFromKeychain:&error];
151	if(error && !([error.domain isEqualToString:NSOSStatusErrorDomain] && error.code == errSecItemNotFound)) {
152	secnotice("escrowrequest", "failed to fetch records from keychain: %@", error);
153	reply(error);
154	return;
155	}
156	error = nil;
157
158	secnotice("escrowrequest", "Investigating a new escrow request");
159
160	BOOL escrowRequestExists = NO;
161	for(SecEscrowPendingRecord* existingRecord in records) {
162	if(existingRecord.uploadCompleted) {
163	continue;
164	}
165
166	if (existingRecord.hasAltDSID) {
167	continue;
168	}
169
170	secnotice("escrowrequest", "Retriggering an existing escrow request: %@", existingRecord);
171	existingRecord.hasCertCached = false;
172	existingRecord.serializedPrerecord = nil;
173
174	[existingRecord saveToKeychain:&error];
175	if(error) {
176	secerror("escrowrequest: Unable to save modified request to keychain: %@", error);
177	reply(error);
178	return;
179	}
180
181	secnotice("escrowrequest", "Retriggering an existing escrow request complete");
182	escrowRequestExists = YES;
183	}
184
185	if(escrowRequestExists == NO){
186	secnotice("escrowrequest", "Creating a new escrow request");
187
188	SecEscrowPendingRecord* record = [[SecEscrowPendingRecord alloc] init];
189	record.uuid = [[NSUUID UUID] UUIDString];
190	record.altDSID = nil;
191	record.triggerRequestTime = ((uint64_t)[[NSDate date] timeIntervalSince1970] * 1000);
192	secnotice("escrowrequest", "beginning a new escrow request (%@)", record.uuid);
193
194	[record saveToKeychain:&error];
195
196	if(error) {
197	secerror("escrowrequest: unable to save escrow update request: %@", error);
198	reply(error);
199	return;
200	}
201	}
202
203	[[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:ESRPendingSince];
204	self.haveRecordedDate = true;
205
206	[self.stateMachine handleFlag:OctagonFlagEscrowRequestInformCloudServicesOperation];
207
208	reply(nil);
209	}
210
211	- (void)storePrerecordsInEscrowRPC:(void (^)(uint64_t count, NSError* _Nullable error))reply
212	{
213	EscrowRequestPerformEscrowEnrollOperation* op = [[EscrowRequestPerformEscrowEnrollOperation alloc] initWithIntendedState:EscrowRequestStateNothingToDo
214	errorState:EscrowRequestStateNothingToDo
215	enforceRateLimiting:false
216	lockStateTracker:self.lockStateTracker];
217	[self.stateMachine startOperation];
218	[self.stateMachine doSimpleStateMachineRPC:@"trigger-escrow-store"
219	op:op
220	sourceStates:[NSSet setWithObject:EscrowRequestStateNothingToDo]
221	reply:^(NSError * _Nullable error) {
222	secnotice("escrowrequest", "Uploaded %d records with error %@", (int)op.numberOfRecordsUploaded, error);
223	reply(op.numberOfRecordsUploaded, error);
224	}];
225	}
226
227	@end