[apple/security.git] / OSX / sec / securityd / SecDbQuery.h

/*
 * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*!
 @header SecDbQuery.h - The thing that does the stuff with the gibli.
 */

#ifndef _SECURITYD_SECDBQUERY_H_
#define _SECURITYD_SECDBQUERY_H_

#include <securityd/SecKeybagSupport.h>
#include <securityd/SecDbItem.h>

__BEGIN_DECLS

typedef struct Pair *SecDbPairRef;
typedef struct Query *SecDbQueryRef;

/* Return types. */
typedef uint32_t ReturnTypeMask;
enum
{
    kSecReturnDataMask = 1 << 0,
    kSecReturnAttributesMask = 1 << 1,
    kSecReturnRefMask = 1 << 2,
    kSecReturnPersistentRefMask = 1 << 3,
};

/* Constant indicating there is no limit to the number of results to return. */
enum
{
    kSecMatchUnlimited = kCFNotFound
};

typedef struct Pair
{
    const void *key;
    const void *value;
} Pair;

/* Nothing in this struct is retained since all the
 values below are extracted from the dictionary passed in by the
 caller. */
typedef struct Query
{
    /* Class of this query. */
    const SecDbClass *q_class;

    /* Dictionary with all attributes and values in clear (to be encrypted). */
    CFMutableDictionaryRef q_item;

    /* q_pairs is an array of Pair structs.  Elements with indices
     [0, q_attr_end) contain attribute key value pairs.  Elements with
     indices [q_match_begin, q_match_end) contain match key value pairs.
     Thus q_attr_end is the number of attrs in q_pairs and
     q_match_begin - q_match_end is the number of matches in q_pairs.  */
    CFIndex q_match_begin;
    CFIndex q_match_end;
    CFIndex q_attr_end;

    CFErrorRef q_error;
    ReturnTypeMask q_return_type;

    CFDataRef q_data;
    CFTypeRef q_ref;
    sqlite_int64 q_row_id;

    CFArrayRef q_use_item_list;
    CFBooleanRef q_use_tomb;

    /* Value of kSecMatchLimit key if present. */
    CFIndex q_limit;

    /* True if query contained a kSecAttrSynchronizable attribute,
     * regardless of its actual value. If this is false, then we
     * will add an explicit sync=0 to the query. */
    bool q_sync;

    // Set to true if we modified any item as part of executing this query
    bool q_changed;

    // Set to true if we modified any synchronizable item as part of executing this query
    bool q_sync_changed;
    
    /* Keybag handle to use for this item. */
    keybag_handle_t q_keybag;

    /* musr view to use when modifying the database */
    CFDataRef q_musrView;

    /* ACL and credHandle passed to the query. q_cred_handle contain LA context object. */
    SecAccessControlRef q_access_control;
    CFDataRef q_use_cred_handle;
    
    // Flag indicating that ui-protected items should be simply skipped
    // instead of reporting them to the client as an error.
    bool q_skip_acl_items;

    // Set to true if any UUIDs generated by this query should be generated from the SHA2 digest of the item in question
    bool q_uuid_from_primary_key;

    // Set this to a callback that, on an add query, will get passed along with the CKKS subsystem and called when the item makes it off-device (or doesn't)
    __unsafe_unretained SecBoolCFErrorCallback q_add_sync_callback;

    // SHA1 digest of DER encoded primary key
    CFDataRef q_primary_key_digest;

    CFArrayRef q_match_issuer;

    /* Caller acces groups for AKS */
    CFArrayRef q_caller_access_groups;
    bool q_system_keychain;
    int32_t q_sync_bubble;
    bool q_spindump_on_failure;

    //policy for filtering certs and identities
    SecPolicyRef q_match_policy;
    //date for filtering certs and identities
    CFDateRef q_match_valid_on_date;
    //trusted only certs and identities
    CFBooleanRef q_match_trusted_only;
    //token persistent reference for filtering items is represented by token ID (in attrs) and token object ID
    CFDataRef q_token_object_id;

    CFIndex q_pairs_count;
    Pair q_pairs[];
} Query;

Query *query_create(const SecDbClass *qclass, CFDataRef musr, CFDictionaryRef query, CFErrorRef *error);
bool query_destroy(Query *q, CFErrorRef *error);
bool query_error(Query *q, CFErrorRef *error);
Query *query_create_with_limit(CFDictionaryRef query, CFDataRef musr, CFIndex limit, CFErrorRef *error);
void query_add_attribute(const void *key, const void *value, Query *q);
void query_add_or_attribute(const void *key, const void *value, Query *q);
void query_add_not_attribute(const void *key, const void *value, Query *q);
void query_add_attribute_with_desc(const SecDbAttr *desc, const void *value, Query *q);
void query_ensure_access_control(Query *q, CFStringRef agrp);
void query_pre_add(Query *q, bool force_date);
bool query_notify_and_destroy(Query *q, bool ok, CFErrorRef *error);
CFIndex query_match_count(const Query *q);
CFIndex query_attr_count(const Query *q);
Pair query_attr_at(const Query *q, CFIndex ix);
bool query_update_parse(Query *q, CFDictionaryRef update, CFErrorRef *error);
const SecDbClass *kc_class_with_name(CFStringRef name);
void query_set_caller_access_groups(Query *q, CFArrayRef caller_access_groups);
void query_set_policy(Query *q, SecPolicyRef policy);
void query_set_valid_on_date(Query *q, CFDateRef policy);
void query_set_trusted_only(Query *q, CFBooleanRef trusted_only);

CFDataRef
SecMUSRCopySystemKeychainUUID(void);

CFDataRef
SecMUSRGetSystemKeychainUUID(void);

CFDataRef
SecMUSRGetSingleUserKeychainUUID(void);

bool
SecMUSRIsSingleUserView(CFDataRef uuid);

CFDataRef
SecMUSRGetAllViews(void);

bool
SecMUSRIsViewAllViews(CFDataRef musr);

#if TARGET_OS_IPHONE
CFDataRef
SecMUSRCreateActiveUserUUID(uid_t uid);

CFDataRef
SecMUSRCreateSyncBubbleUserUUID(uid_t uid);

CFDataRef
SecMUSRCreateBothUserAndSystemUUID(uid_t uid);

bool
SecMUSRGetBothUserAndSystemUUID(CFDataRef musr, uid_t *uid);

#endif


__END_DECLS

#endif /* _SECURITYD_SECDBQUERY_H_ */
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*!
	25	@header SecDbQuery.h - The thing that does the stuff with the gibli.
	26	*/
	27
	28	#ifndef _SECURITYD_SECDBQUERY_H_
	29	#define _SECURITYD_SECDBQUERY_H_
	30
	31	#include <securityd/SecKeybagSupport.h>
	32	#include <securityd/SecDbItem.h>
	33
	34	__BEGIN_DECLS
	35
	36	typedef struct Pair *SecDbPairRef;
	37	typedef struct Query *SecDbQueryRef;
	38
	39	/* Return types. */
	40	typedef uint32_t ReturnTypeMask;
	41	enum
	42	{
	43	kSecReturnDataMask = 1 << 0,
	44	kSecReturnAttributesMask = 1 << 1,
	45	kSecReturnRefMask = 1 << 2,
	46	kSecReturnPersistentRefMask = 1 << 3,
	47	};
	48
	49	/* Constant indicating there is no limit to the number of results to return. */
	50	enum
	51	{
	52	kSecMatchUnlimited = kCFNotFound
	53	};
	54
	55	typedef struct Pair
	56	{
	57	const void *key;
	58	const void *value;
	59	} Pair;
	60
	61	/* Nothing in this struct is retained since all the
	62	values below are extracted from the dictionary passed in by the
	63	caller. */
	64	typedef struct Query
65	{
66	/* Class of this query. */
67	const SecDbClass *q_class;
68
69	/* Dictionary with all attributes and values in clear (to be encrypted). */
70	CFMutableDictionaryRef q_item;
71
72	/* q_pairs is an array of Pair structs. Elements with indices
73	[0, q_attr_end) contain attribute key value pairs. Elements with
74	indices [q_match_begin, q_match_end) contain match key value pairs.
75	Thus q_attr_end is the number of attrs in q_pairs and
76	q_match_begin - q_match_end is the number of matches in q_pairs. */
77	CFIndex q_match_begin;
78	CFIndex q_match_end;
79	CFIndex q_attr_end;
80
81	CFErrorRef q_error;
82	ReturnTypeMask q_return_type;
83
84	CFDataRef q_data;
85	CFTypeRef q_ref;
86	sqlite_int64 q_row_id;
87
88	CFArrayRef q_use_item_list;
89	CFBooleanRef q_use_tomb;
d8f41ccd A	90
	91	/* Value of kSecMatchLimit key if present. */
	92	CFIndex q_limit;
	93
	94	/* True if query contained a kSecAttrSynchronizable attribute,
	95	* regardless of its actual value. If this is false, then we
	96	* will add an explicit sync=0 to the query. */
	97	bool q_sync;
	98
	99	// Set to true if we modified any item as part of executing this query
	100	bool q_changed;
	101
	102	// Set to true if we modified any synchronizable item as part of executing this query
	103	bool q_sync_changed;
	104
d8f41ccd A	105	/* Keybag handle to use for this item. */
d8f41ccd A	106	keybag_handle_t q_keybag;
e3d460c9 A	107
	108	/* musr view to use when modifying the database */
	109	CFDataRef q_musrView;
	110
5c19dc3a	111	/* ACL and credHandle passed to the query. q_cred_handle contain LA context object. */
d8f41ccd	112	SecAccessControlRef q_access_control;
b04fe171	113	CFDataRef q_use_cred_handle;
d8f41ccd	114
5c19dc3a A	115	// Flag indicating that ui-protected items should be simply skipped
	116	// instead of reporting them to the client as an error.
	117	bool q_skip_acl_items;
d8f41ccd	118
866f8763 A	119	// Set to true if any UUIDs generated by this query should be generated from the SHA2 digest of the item in question
	120	bool q_uuid_from_primary_key;
	121
	122	// Set this to a callback that, on an add query, will get passed along with the CKKS subsystem and called when the item makes it off-device (or doesn't)
	123	__unsafe_unretained SecBoolCFErrorCallback q_add_sync_callback;
	124
d8f41ccd A	125	// SHA1 digest of DER encoded primary key
	126	CFDataRef q_primary_key_digest;
	127
	128	CFArrayRef q_match_issuer;
	129
	130	/* Caller acces groups for AKS */
	131	CFArrayRef q_caller_access_groups;
e3d460c9 A	132	bool q_system_keychain;
e3d460c9 A	133	int32_t q_sync_bubble;
fa7225c8	134	bool q_spindump_on_failure;
e3d460c9	135
fa7225c8 A	136	//policy for filtering certs and identities
	137	SecPolicyRef q_match_policy;
	138	//date for filtering certs and identities
	139	CFDateRef q_match_valid_on_date;
	140	//trusted only certs and identities
	141	CFBooleanRef q_match_trusted_only;
866f8763 A	142	//token persistent reference for filtering items is represented by token ID (in attrs) and token object ID
866f8763 A	143	CFDataRef q_token_object_id;
d8f41ccd	144
914fc88e	145	CFIndex q_pairs_count;
d8f41ccd A	146	Pair q_pairs[];
	147	} Query;
	148
e3d460c9	149	Query query_create(const SecDbClass qclass, CFDataRef musr, CFDictionaryRef query, CFErrorRef *error);
d8f41ccd A	150	bool query_destroy(Query q, CFErrorRef error);
d8f41ccd A	151	bool query_error(Query q, CFErrorRef error);
e3d460c9	152	Query query_create_with_limit(CFDictionaryRef query, CFDataRef musr, CFIndex limit, CFErrorRef error);
d8f41ccd	153	void query_add_attribute(const void key, const void value, Query *q);
5c19dc3a A	154	void query_add_or_attribute(const void key, const void value, Query *q);
	155	void query_add_not_attribute(const void key, const void value, Query *q);
	156	void query_add_attribute_with_desc(const SecDbAttr desc, const void value, Query *q);
d8f41ccd A	157	void query_ensure_access_control(Query *q, CFStringRef agrp);
	158	void query_pre_add(Query *q, bool force_date);
	159	bool query_notify_and_destroy(Query q, bool ok, CFErrorRef error);
	160	CFIndex query_match_count(const Query *q);
	161	CFIndex query_attr_count(const Query *q);
	162	Pair query_attr_at(const Query *q, CFIndex ix);
	163	bool query_update_parse(Query q, CFDictionaryRef update, CFErrorRef error);
d8f41ccd A	164	const SecDbClass *kc_class_with_name(CFStringRef name);
d8f41ccd A	165	void query_set_caller_access_groups(Query *q, CFArrayRef caller_access_groups);
fa7225c8 A	166	void query_set_policy(Query *q, SecPolicyRef policy);
	167	void query_set_valid_on_date(Query *q, CFDateRef policy);
	168	void query_set_trusted_only(Query *q, CFBooleanRef trusted_only);
d8f41ccd	169
e3d460c9 A	170	CFDataRef
	171	SecMUSRCopySystemKeychainUUID(void);
	172
	173	CFDataRef
	174	SecMUSRGetSystemKeychainUUID(void);
	175
	176	CFDataRef
	177	SecMUSRGetSingleUserKeychainUUID(void);
	178
	179	bool
	180	SecMUSRIsSingleUserView(CFDataRef uuid);
	181
	182	CFDataRef
	183	SecMUSRGetAllViews(void);
	184
	185	bool
	186	SecMUSRIsViewAllViews(CFDataRef musr);
	187
	188	#if TARGET_OS_IPHONE
	189	CFDataRef
	190	SecMUSRCreateActiveUserUUID(uid_t uid);
	191
	192	CFDataRef
	193	SecMUSRCreateSyncBubbleUserUUID(uid_t uid);
	194
	195	CFDataRef
	196	SecMUSRCreateBothUserAndSystemUUID(uid_t uid);
	197
	198	bool
	199	SecMUSRGetBothUserAndSystemUUID(CFDataRef musr, uid_t *uid);
	200
	201	#endif
	202
d8f41ccd A	203
	204	__END_DECLS
	205
	206	#endif /* _SECURITYD_SECDBQUERY_H_ */