[apple/security.git] / keychain / ckks / CKKSFetchAllRecordZoneChangesOperation.m

/*
 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#import <Foundation/Foundation.h>

#if OCTAGON

#import "keychain/ckks/CloudKitDependencies.h"
#import "keychain/ckks/CKKS.h"
#import "keychain/ckks/CKKSKeychainView.h"
#import "keychain/ckks/CKKSZoneStateEntry.h"
#import "keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.h"
#import "keychain/ckks/CKKSMirrorEntry.h"
#import "keychain/ckks/CKKSManifest.h"
#import "keychain/ckks/CKKSManifestLeafRecord.h"
#include <securityd/SecItemServer.h>


@interface CKKSFetchAllRecordZoneChangesOperation()
@property CKDatabaseOperation<CKKSFetchRecordZoneChangesOperation>* fetchRecordZoneChangesOperation;
@property CKOperationGroup* ckoperationGroup;
@end

@implementation CKKSFetchAllRecordZoneChangesOperation

// Sets up an operation to fetch all changes from the server, and collect them until we know if the fetch completes.
// As a bonus, you can depend on this operation without worry about NSOperation completion block dependency issues.

- (instancetype)init {
    return nil;
}

- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks ckoperationGroup:(CKOperationGroup*)ckoperationGroup {

    if(self = [super init]) {
        _ckks = ckks;
        _ckoperationGroup = ckoperationGroup;
        self.zoneID = ckks.zoneID;

        self.resync = false;

        self.modifications = [[NSMutableDictionary alloc] init];
        self.deletions = [[NSMutableDictionary alloc] init];

        // Can't fetch unless the zone is created.
        [self addNullableDependency:ckks.viewSetupOperation];
    }
    return self;
}

- (void)_onqueueRecordsChanged:(NSArray*)records
{
    for (CKRecord* record in records) {
        [self.ckks _onqueueCKRecordChanged:record resync:self.resync];
    }
}

- (void)_updateLatestTrustedManifest
{
    CKKSKeychainView* ckks = self.ckks;
    NSError* error = nil;
    NSArray* pendingManifests = [CKKSPendingManifest all:&error];
    NSUInteger greatestKnownManifestGeneration = [CKKSManifest greatestKnownGenerationCount];
    for (CKKSPendingManifest* manifest in pendingManifests) {
        if (manifest.generationCount >= greatestKnownManifestGeneration) {
            [manifest commitToDatabaseWithError:&error];
        }
        else {
            // if this is an older generation, just get rid of it
            [manifest deleteFromDatabase:&error];
        }
    }

    if (![ckks _onQueueUpdateLatestManifestWithError:&error]) {
        self.error = error;
        ckkserror("ckksfetch", ckks, "failed to get latest manifest");
    }
}

- (void)_onqueueProcessRecordDeletions
{
    CKKSKeychainView* ckks = self.ckks;
    [self.deletions enumerateKeysAndObjectsUsingBlock:^(CKRecordID * _Nonnull recordID, NSString * _Nonnull recordType, BOOL * _Nonnull stop) {
        ckksinfo("ckksfetch", ckks, "Processing record deletion(%@): %@", recordType, recordID);

        // <rdar://problem/32475600> CKKS: Check Current Item pointers in the Manifest
        // TODO: check that these deletions match a manifest upload
        // Delegate these back up into the CKKS object for processing
        [ckks _onqueueCKRecordDeleted:recordID recordType:recordType resync:self.resync];
    }];
}

- (void)_onqueueScanForExtraneousLocalItems
{
    // TODO: must scan through all CKMirrorEntries and determine if any exist that CloudKit didn't tell us about
    CKKSKeychainView* ckks = self.ckks;
    NSError* error = nil;
    if(self.resync) {
        ckksnotice("ckksresync", ckks, "Comparing local UUIDs against the CloudKit list");
        NSMutableArray<NSString*>* uuids = [[CKKSMirrorEntry allUUIDs: &error] mutableCopy];

        for(NSString* uuid in uuids) {
            if([self.modifications objectForKey: [[CKRecordID alloc] initWithRecordName: uuid zoneID: ckks.zoneID]]) {
                ckksdebug("ckksresync", ckks, "UUID %@ is still in CloudKit; carry on.", uuid);
            } else {
                CKKSMirrorEntry* ckme = [CKKSMirrorEntry tryFromDatabase: uuid zoneID:ckks.zoneID error: &error];
                if(error != nil) {
                    ckkserror("ckksresync", ckks, "Couldn't read an item from the database, but it used to be there: %@ %@", uuid, error);
                    self.error = error;
                    continue;
                }

                ckkserror("ckksresync", ckks, "BUG: Local item %@ not found in CloudKit, deleting", uuid);
                [ckks _onqueueCKRecordDeleted:ckme.item.storedCKRecord.recordID recordType:ckme.item.storedCKRecord.recordType resync:self.resync];
            }
        }
    }
}

- (void)groupStart {
    __weak __typeof(self) weakSelf = self;


    CKKSKeychainView* ckks = self.ckks;
    if(!ckks) {
        ckkserror("ckksresync", ckks, "no CKKS object");
        return;
    }

    [ckks dispatchSync: ^bool{
        ckks.lastRecordZoneChangesOperation = self;

        NSError* error = nil;
        NSQualityOfService qos = NSQualityOfServiceUtility;

        CKFetchRecordZoneChangesOptions* options = [[CKFetchRecordZoneChangesOptions alloc] init];
        if(self.resync) {
            ckksnotice("ckksresync", ckks, "Beginning resync fetch!");

            options.previousServerChangeToken = nil;

            // currently, resyncs are user initiated (or the key hierarchy is upset, which is implicitly user initiated)
            qos = NSQualityOfServiceUserInitiated;
        } else {
            // This is the normal case: fetch only the delta since the last fetch
            CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: ckks.zoneName];
            if(error || !ckse) {
                ckkserror("ckksfetch", ckks, "couldn't fetch zone status for %@: %@", ckks.zoneName, error);
                self.error = error;
                return false;
            }

            ckksnotice("ckksfetch", ckks, "Beginning fetch(%@) starting at change token %@", ckks.zoneName, ckse.changeToken);

            options.previousServerChangeToken = ckse.changeToken;

            if(ckse.changeToken == nil) {
                // First sync is special.
                qos = NSQualityOfServiceUserInitiated;
            }
        }

        self.fetchRecordZoneChangesOperation = [[ckks.fetchRecordZoneChangesOperationClass alloc] initWithRecordZoneIDs: @[ckks.zoneID] optionsByRecordZoneID:@{ckks.zoneID: options}];

        self.fetchRecordZoneChangesOperation.fetchAllChanges = YES;
        self.fetchRecordZoneChangesOperation.qualityOfService = qos;
        self.fetchRecordZoneChangesOperation.group = self.ckoperationGroup;
        ckksnotice("ckksfetch", ckks, "Operation group is %@", self.ckoperationGroup);

        self.fetchRecordZoneChangesOperation.recordChangedBlock = ^(CKRecord *record) {
            __strong __typeof(weakSelf) strongSelf = weakSelf;
            __strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
            if(!strongSelf) {
                ckkserror("ckksfetch", strongCKKS, "received callback for released object");
                return;
            }

            ckksinfo("ckksfetch", strongCKKS, "CloudKit notification: record changed(%@): %@", [record recordType], record);

            // Add this to the modifications, and remove it from the deletions
            [strongSelf.modifications setObject: record forKey: record.recordID];
            [strongSelf.deletions removeObjectForKey: record.recordID];
        };

        self.fetchRecordZoneChangesOperation.recordWithIDWasDeletedBlock = ^(CKRecordID *recordID, NSString *recordType) {
            __strong __typeof(weakSelf) strongSelf = weakSelf;
            __strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
            if(!strongSelf) {
                ckkserror("ckksfetch", strongCKKS, "received callback for released object");
                return;
            }

            ckksinfo("ckksfetch", strongCKKS, "CloudKit notification: deleted record(%@): %@", recordType, recordID);

            // Add to the deletions, and remove any pending modifications
            [strongSelf.modifications removeObjectForKey: recordID];
            [strongSelf.deletions setObject: recordType forKey: recordID];
        };

        // This class only supports fetching from a single zone, so we can ignore recordZoneID
        self.fetchRecordZoneChangesOperation.recordZoneChangeTokensUpdatedBlock = ^(CKRecordZoneID *recordZoneID, CKServerChangeToken *serverChangeToken, NSData *clientChangeTokenData) {
            __strong __typeof(weakSelf) strongSelf = weakSelf;
            __strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
            if(!strongSelf) {
                ckkserror("ckksfetch", strongCKKS, "received callback for released object");
                return;
            }

            ckksinfo("ckksfetch", strongCKKS, "Received a new server change token: %@ %@", serverChangeToken, clientChangeTokenData);
            strongSelf.serverChangeToken = serverChangeToken;
        };

        // Completion blocks don't count for dependencies. Use this intermediate operation hack instead.
        NSBlockOperation* recordZoneChangesCompletedOperation = [[NSBlockOperation alloc] init];
        recordZoneChangesCompletedOperation.name = @"record-zone-changes-completed";

        self.fetchRecordZoneChangesOperation.recordZoneFetchCompletionBlock = ^(CKRecordZoneID *recordZoneID, CKServerChangeToken *serverChangeToken, NSData *clientChangeTokenData, BOOL moreComing, NSError * recordZoneError) {
            __strong __typeof(weakSelf) strongSelf = weakSelf;
            __strong __typeof(strongSelf.ckks) blockCKKS = strongSelf.ckks;

            if(!strongSelf) {
                ckkserror("ckksfetch", blockCKKS, "received callback for released object");
                return;
            }

            if(!blockCKKS) {
                ckkserror("ckksfetch", blockCKKS, "no CKKS object");
                return;
            }

            ckksnotice("ckksfetch", blockCKKS, "Record zone fetch complete: changeToken=%@ clientChangeTokenData=%@ changed=%lu deleted=%lu error=%@", serverChangeToken, clientChangeTokenData,
                (unsigned long)strongSelf.deletions.count,
                (unsigned long)strongSelf.deletions.count,
                recordZoneError);

            // Completion! Mark these down.
            if(recordZoneError) {
                strongSelf.error = recordZoneError;
            }
            strongSelf.serverChangeToken = serverChangeToken;

            if(recordZoneError != nil) {
                // An error occurred. All our fetches are useless. Skip to the end.
            } else {
                // Commit these changes!
                __block NSError* error = nil;

                NSMutableDictionary<NSString*, NSMutableArray*>* changedRecordsDict = [[NSMutableDictionary alloc] init];

                [blockCKKS dispatchSyncWithAccountQueue:^bool{
                    // let's process records in a specific order by type
                    // 1. Manifest leaf records, without which the manifest master records are meaningless
                    // 2. Manifest master records, which will be used to validate incoming items
                    // 3. Intermediate key records
                    // 4. Current key records
                    // 5. Item records

                    [strongSelf.modifications enumerateKeysAndObjectsUsingBlock:^(CKRecordID* _Nonnull recordID, CKRecord* _Nonnull record, BOOL* stop) {
                        ckksinfo("ckksfetch", blockCKKS, "Sorting record modification %@: %@", recordID, record);
                        NSMutableArray* changedRecordsByType = changedRecordsDict[record.recordType];
                        if(!changedRecordsByType) {
                            changedRecordsByType = [[NSMutableArray alloc] init];
                            changedRecordsDict[record.recordType] = changedRecordsByType;
                        };

                        [changedRecordsByType addObject:record];
                    }];

                    if ([CKKSManifest shouldSyncManifests]) {
                        if (!strongSelf.resync) {
                            [strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordManifestLeafType]];
                            [strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordManifestType]];
                        }

                        [strongSelf _updateLatestTrustedManifest];
                    }

                    [strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordIntermediateKeyType]];
                    [strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordCurrentKeyType]];
                    [strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordItemType]];
                    [strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordCurrentItemType]];
                    [strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordDeviceStateType]];

                    [strongSelf _onqueueProcessRecordDeletions];
                    [strongSelf _onqueueScanForExtraneousLocalItems];

                    CKKSZoneStateEntry* state = [CKKSZoneStateEntry state: blockCKKS.zoneName];
                    state.lastFetchTime = [NSDate date]; // The last fetch happened right now!
                    if(strongSelf.serverChangeToken) {
                        ckksdebug("ckksfetch", blockCKKS, "Zone change fetch complete: saving new server change token: %@", strongSelf.serverChangeToken);
                        state.changeToken = strongSelf.serverChangeToken;
                    }
                    [state saveToDatabase:&error];
                    if(error) {
                        ckkserror("ckksfetch", blockCKKS, "Couldn't save new server change token: %@", error);
                        strongSelf.error = error;
                    }

                    if(error) {
                        ckkserror("ckksfetch", blockCKKS, "horrible error occurred: %@", error);
                        strongSelf.error = error;
                        return false;
                    }

                    return true;
                }];
            }
        };

        // Called with overall operation success. As I understand it, this block will be called for every operation.
        // In the case of, e.g., network failure, the recordZoneFetchCompletionBlock will not be called, but this one will.
        self.fetchRecordZoneChangesOperation.fetchRecordZoneChangesCompletionBlock = ^(NSError * _Nullable operationError) {
            __strong __typeof(weakSelf) strongSelf = weakSelf;
            __strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
            if(!strongSelf) {
                ckkserror("ckksfetch", strongCKKS, "received callback for released object");
                return;
            }

            ckksnotice("ckksfetch", strongCKKS, "Record zone changes fetch complete: error=%@", operationError);
            if(operationError) {
                strongSelf.error = operationError;
            }

            // Trigger the fake 'we're done' operation.
            [strongSelf runBeforeGroupFinished: recordZoneChangesCompletedOperation];
        };

        [self dependOnBeforeGroupFinished: recordZoneChangesCompletedOperation];
        [self dependOnBeforeGroupFinished: self.fetchRecordZoneChangesOperation];
        [ckks.database addOperation: self.fetchRecordZoneChangesOperation];
        return true;
    }];
}

- (void)cancel {
    [self.fetchRecordZoneChangesOperation cancel];
    [super cancel];
}

@end

#endif
Commit	Line	Data
866f8763 A	1	/*
	2	* Copyright (c) 2017 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#import <Foundation/Foundation.h>
	25
	26	#if OCTAGON
	27
	28	#import "keychain/ckks/CloudKitDependencies.h"
	29	#import "keychain/ckks/CKKS.h"
	30	#import "keychain/ckks/CKKSKeychainView.h"
	31	#import "keychain/ckks/CKKSZoneStateEntry.h"
	32	#import "keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.h"
	33	#import "keychain/ckks/CKKSMirrorEntry.h"
	34	#import "keychain/ckks/CKKSManifest.h"
	35	#import "keychain/ckks/CKKSManifestLeafRecord.h"
	36	#include <securityd/SecItemServer.h>
	37
	38
	39	@interface CKKSFetchAllRecordZoneChangesOperation()
	40	@property CKDatabaseOperation<CKKSFetchRecordZoneChangesOperation>* fetchRecordZoneChangesOperation;
	41	@property CKOperationGroup* ckoperationGroup;
	42	@end
	43
	44	@implementation CKKSFetchAllRecordZoneChangesOperation
	45
	46	// Sets up an operation to fetch all changes from the server, and collect them until we know if the fetch completes.
	47	// As a bonus, you can depend on this operation without worry about NSOperation completion block dependency issues.
	48
	49	- (instancetype)init {
	50	return nil;
	51	}
	52
	53	- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView)ckks ckoperationGroup:(CKOperationGroup)ckoperationGroup {
	54
	55	if(self = [super init]) {
	56	_ckks = ckks;
	57	_ckoperationGroup = ckoperationGroup;
	58	self.zoneID = ckks.zoneID;
	59
	60	self.resync = false;
	61
	62	self.modifications = [[NSMutableDictionary alloc] init];
	63	self.deletions = [[NSMutableDictionary alloc] init];
	64
65	// Can't fetch unless the zone is created.
66	[self addNullableDependency:ckks.viewSetupOperation];
67	}
68	return self;
69	}
70
71	- (void)_onqueueRecordsChanged:(NSArray*)records
72	{
73	for (CKRecord* record in records) {
74	[self.ckks _onqueueCKRecordChanged:record resync:self.resync];
75	}
76	}
77
78	- (void)_updateLatestTrustedManifest
79	{
80	CKKSKeychainView* ckks = self.ckks;
81	NSError* error = nil;
82	NSArray* pendingManifests = [CKKSPendingManifest all:&error];
83	NSUInteger greatestKnownManifestGeneration = [CKKSManifest greatestKnownGenerationCount];
84	for (CKKSPendingManifest* manifest in pendingManifests) {
85	if (manifest.generationCount >= greatestKnownManifestGeneration) {
86	[manifest commitToDatabaseWithError:&error];
87	}
88	else {
89	// if this is an older generation, just get rid of it
90	[manifest deleteFromDatabase:&error];
91	}
92	}
93
94	if (![ckks _onQueueUpdateLatestManifestWithError:&error]) {
95	self.error = error;
96	ckkserror("ckksfetch", ckks, "failed to get latest manifest");
97	}
98	}
99
100	- (void)_onqueueProcessRecordDeletions
101	{
102	CKKSKeychainView* ckks = self.ckks;
103	[self.deletions enumerateKeysAndObjectsUsingBlock:^(CKRecordID * _Nonnull recordID, NSString * _Nonnull recordType, BOOL * _Nonnull stop) {
104	ckksinfo("ckksfetch", ckks, "Processing record deletion(%@): %@", recordType, recordID);
105
106	// <rdar://problem/32475600> CKKS: Check Current Item pointers in the Manifest
107	// TODO: check that these deletions match a manifest upload
108	// Delegate these back up into the CKKS object for processing
109	[ckks _onqueueCKRecordDeleted:recordID recordType:recordType resync:self.resync];
110	}];
111	}
112
113	- (void)_onqueueScanForExtraneousLocalItems
114	{
115	// TODO: must scan through all CKMirrorEntries and determine if any exist that CloudKit didn't tell us about
116	CKKSKeychainView* ckks = self.ckks;
117	NSError* error = nil;
118	if(self.resync) {
119	ckksnotice("ckksresync", ckks, "Comparing local UUIDs against the CloudKit list");
120	NSMutableArray<NSString> uuids = [[CKKSMirrorEntry allUUIDs: &error] mutableCopy];
121
122	for(NSString* uuid in uuids) {
123	if([self.modifications objectForKey: [[CKRecordID alloc] initWithRecordName: uuid zoneID: ckks.zoneID]]) {
124	ckksdebug("ckksresync", ckks, "UUID %@ is still in CloudKit; carry on.", uuid);
125	} else {
126	CKKSMirrorEntry* ckme = [CKKSMirrorEntry tryFromDatabase: uuid zoneID:ckks.zoneID error: &error];
127	if(error != nil) {
128	ckkserror("ckksresync", ckks, "Couldn't read an item from the database, but it used to be there: %@ %@", uuid, error);
129	self.error = error;
130	continue;
131	}
132
133	ckkserror("ckksresync", ckks, "BUG: Local item %@ not found in CloudKit, deleting", uuid);
134	[ckks _onqueueCKRecordDeleted:ckme.item.storedCKRecord.recordID recordType:ckme.item.storedCKRecord.recordType resync:self.resync];
135	}
136	}
137	}
138	}
139
140	- (void)groupStart {
141	__weak __typeof(self) weakSelf = self;
142
143
144	CKKSKeychainView* ckks = self.ckks;
145	if(!ckks) {
146	ckkserror("ckksresync", ckks, "no CKKS object");
147	return;
148	}
149
150	[ckks dispatchSync: ^bool{
151	ckks.lastRecordZoneChangesOperation = self;
152
153	NSError* error = nil;
154	NSQualityOfService qos = NSQualityOfServiceUtility;
155
156	CKFetchRecordZoneChangesOptions* options = [[CKFetchRecordZoneChangesOptions alloc] init];
157	if(self.resync) {
158	ckksnotice("ckksresync", ckks, "Beginning resync fetch!");
159
160	options.previousServerChangeToken = nil;
161
162	// currently, resyncs are user initiated (or the key hierarchy is upset, which is implicitly user initiated)
163	qos = NSQualityOfServiceUserInitiated;
164	} else {
165	// This is the normal case: fetch only the delta since the last fetch
166	CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: ckks.zoneName];
167	if(error \|\| !ckse) {
168	ckkserror("ckksfetch", ckks, "couldn't fetch zone status for %@: %@", ckks.zoneName, error);
169	self.error = error;
170	return false;
171	}
172
173	ckksnotice("ckksfetch", ckks, "Beginning fetch(%@) starting at change token %@", ckks.zoneName, ckse.changeToken);
174
175	options.previousServerChangeToken = ckse.changeToken;
176
177	if(ckse.changeToken == nil) {
178	// First sync is special.
179	qos = NSQualityOfServiceUserInitiated;
180	}
181	}
182
183	self.fetchRecordZoneChangesOperation = [[ckks.fetchRecordZoneChangesOperationClass alloc] initWithRecordZoneIDs: @[ckks.zoneID] optionsByRecordZoneID:@{ckks.zoneID: options}];
184
185	self.fetchRecordZoneChangesOperation.fetchAllChanges = YES;
186	self.fetchRecordZoneChangesOperation.qualityOfService = qos;
187	self.fetchRecordZoneChangesOperation.group = self.ckoperationGroup;
188	ckksnotice("ckksfetch", ckks, "Operation group is %@", self.ckoperationGroup);
189
190	self.fetchRecordZoneChangesOperation.recordChangedBlock = ^(CKRecord *record) {
191	__strong __typeof(weakSelf) strongSelf = weakSelf;
192	__strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
193	if(!strongSelf) {
194	ckkserror("ckksfetch", strongCKKS, "received callback for released object");
195	return;
196	}
197
198	ckksinfo("ckksfetch", strongCKKS, "CloudKit notification: record changed(%@): %@", [record recordType], record);
199
200	// Add this to the modifications, and remove it from the deletions
201	[strongSelf.modifications setObject: record forKey: record.recordID];
202	[strongSelf.deletions removeObjectForKey: record.recordID];
203	};
204
205	self.fetchRecordZoneChangesOperation.recordWithIDWasDeletedBlock = ^(CKRecordID recordID, NSString recordType) {
206	__strong __typeof(weakSelf) strongSelf = weakSelf;
207	__strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
208	if(!strongSelf) {
209	ckkserror("ckksfetch", strongCKKS, "received callback for released object");
210	return;
211	}
212
213	ckksinfo("ckksfetch", strongCKKS, "CloudKit notification: deleted record(%@): %@", recordType, recordID);
214
215	// Add to the deletions, and remove any pending modifications
216	[strongSelf.modifications removeObjectForKey: recordID];
217	[strongSelf.deletions setObject: recordType forKey: recordID];
218	};
219
220	// This class only supports fetching from a single zone, so we can ignore recordZoneID
221	self.fetchRecordZoneChangesOperation.recordZoneChangeTokensUpdatedBlock = ^(CKRecordZoneID recordZoneID, CKServerChangeToken serverChangeToken, NSData *clientChangeTokenData) {
222	__strong __typeof(weakSelf) strongSelf = weakSelf;
223	__strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
224	if(!strongSelf) {
225	ckkserror("ckksfetch", strongCKKS, "received callback for released object");
226	return;
227	}
228
229	ckksinfo("ckksfetch", strongCKKS, "Received a new server change token: %@ %@", serverChangeToken, clientChangeTokenData);
230	strongSelf.serverChangeToken = serverChangeToken;
231	};
232
233	// Completion blocks don't count for dependencies. Use this intermediate operation hack instead.
234	NSBlockOperation* recordZoneChangesCompletedOperation = [[NSBlockOperation alloc] init];
235	recordZoneChangesCompletedOperation.name = @"record-zone-changes-completed";
236
237	self.fetchRecordZoneChangesOperation.recordZoneFetchCompletionBlock = ^(CKRecordZoneID recordZoneID, CKServerChangeToken serverChangeToken, NSData clientChangeTokenData, BOOL moreComing, NSError recordZoneError) {
238	__strong __typeof(weakSelf) strongSelf = weakSelf;
239	__strong __typeof(strongSelf.ckks) blockCKKS = strongSelf.ckks;
240
241	if(!strongSelf) {
242	ckkserror("ckksfetch", blockCKKS, "received callback for released object");
243	return;
244	}
245
246	if(!blockCKKS) {
247	ckkserror("ckksfetch", blockCKKS, "no CKKS object");
248	return;
249	}
250
251	ckksnotice("ckksfetch", blockCKKS, "Record zone fetch complete: changeToken=%@ clientChangeTokenData=%@ changed=%lu deleted=%lu error=%@", serverChangeToken, clientChangeTokenData,
252	(unsigned long)strongSelf.deletions.count,
253	(unsigned long)strongSelf.deletions.count,
254	recordZoneError);
255
256	// Completion! Mark these down.
257	if(recordZoneError) {
258	strongSelf.error = recordZoneError;
259	}
260	strongSelf.serverChangeToken = serverChangeToken;
261
262	if(recordZoneError != nil) {
263	// An error occurred. All our fetches are useless. Skip to the end.
264	} else {
265	// Commit these changes!
266	__block NSError* error = nil;
267
268	NSMutableDictionary<NSString, NSMutableArray>* changedRecordsDict = [[NSMutableDictionary alloc] init];
269
270	[blockCKKS dispatchSyncWithAccountQueue:^bool{
271	// let's process records in a specific order by type
272	// 1. Manifest leaf records, without which the manifest master records are meaningless
273	// 2. Manifest master records, which will be used to validate incoming items
274	// 3. Intermediate key records
275	// 4. Current key records
276	// 5. Item records
277
278	[strongSelf.modifications enumerateKeysAndObjectsUsingBlock:^(CKRecordID* _Nonnull recordID, CKRecord* _Nonnull record, BOOL* stop) {
279	ckksinfo("ckksfetch", blockCKKS, "Sorting record modification %@: %@", recordID, record);
280	NSMutableArray* changedRecordsByType = changedRecordsDict[record.recordType];
281	if(!changedRecordsByType) {
282	changedRecordsByType = [[NSMutableArray alloc] init];
283	changedRecordsDict[record.recordType] = changedRecordsByType;
284	};
285
286	[changedRecordsByType addObject:record];
287	}];
288
289	if ([CKKSManifest shouldSyncManifests]) {
290	if (!strongSelf.resync) {
291	[strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordManifestLeafType]];
292	[strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordManifestType]];
293	}
294
295	[strongSelf _updateLatestTrustedManifest];
296	}
297
298	[strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordIntermediateKeyType]];
299	[strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordCurrentKeyType]];
300	[strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordItemType]];
301	[strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordCurrentItemType]];
302	[strongSelf _onqueueRecordsChanged:changedRecordsDict[SecCKRecordDeviceStateType]];
303
304	[strongSelf _onqueueProcessRecordDeletions];
305	[strongSelf _onqueueScanForExtraneousLocalItems];
306
307	CKKSZoneStateEntry* state = [CKKSZoneStateEntry state: blockCKKS.zoneName];
308	state.lastFetchTime = [NSDate date]; // The last fetch happened right now!
309	if(strongSelf.serverChangeToken) {
310	ckksdebug("ckksfetch", blockCKKS, "Zone change fetch complete: saving new server change token: %@", strongSelf.serverChangeToken);
311	state.changeToken = strongSelf.serverChangeToken;
312	}
313	[state saveToDatabase:&error];
314	if(error) {
315	ckkserror("ckksfetch", blockCKKS, "Couldn't save new server change token: %@", error);
316	strongSelf.error = error;
317	}
318
319	if(error) {
320	ckkserror("ckksfetch", blockCKKS, "horrible error occurred: %@", error);
321	strongSelf.error = error;
322	return false;
323	}
324
325	return true;
326	}];
327	}
328	};
329
330	// Called with overall operation success. As I understand it, this block will be called for every operation.
331	// In the case of, e.g., network failure, the recordZoneFetchCompletionBlock will not be called, but this one will.
332	self.fetchRecordZoneChangesOperation.fetchRecordZoneChangesCompletionBlock = ^(NSError * _Nullable operationError) {
333	__strong __typeof(weakSelf) strongSelf = weakSelf;
334	__strong __typeof(strongSelf.ckks) strongCKKS = strongSelf.ckks;
335	if(!strongSelf) {
336	ckkserror("ckksfetch", strongCKKS, "received callback for released object");
337	return;
338	}
339
340	ckksnotice("ckksfetch", strongCKKS, "Record zone changes fetch complete: error=%@", operationError);
341	if(operationError) {
342	strongSelf.error = operationError;
343	}
344
345	// Trigger the fake 'we're done' operation.
346	[strongSelf runBeforeGroupFinished: recordZoneChangesCompletedOperation];
347	};
348
349	[self dependOnBeforeGroupFinished: recordZoneChangesCompletedOperation];
350	[self dependOnBeforeGroupFinished: self.fetchRecordZoneChangesOperation];
351	[ckks.database addOperation: self.fetchRecordZoneChangesOperation];
352	return true;
353	}];
354	}
355
356	- (void)cancel {
357	[self.fetchRecordZoneChangesOperation cancel];
358	[super cancel];
359	}
360
361	@end
362
363	#endif