[apple/security.git] / OSX / sec / Security / SecSharedCredential.m

/*
 * Copyright (c) 2020 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * SecSharedCredential.m - Retrieve shared credentials with AuthenticationServices.
 *
 */

#include <Security/SecSharedCredential.h>
#include <Security/SecBasePriv.h>
#include <utilities/SecCFError.h>
#include <utilities/SecCFWrappers.h>
#include "SecItemInternal.h"
#include <dlfcn.h>

#import <Foundation/Foundation.h>
#import <AuthenticationServices/AuthenticationServices.h>

// Forward declaration of the primary function implemented in this file
OSStatus SecCopySharedWebCredentialSyncUsingAuthSvcs(CFStringRef fqdn, CFStringRef account, CFArrayRef *credentials, CFErrorRef *error);

// Classes we will load dynamically
static Class kASAuthorizationClass = NULL;
static Class kASAuthorizationControllerClass = NULL;
static Class kASAuthorizationPasswordProviderClass = NULL;
static Class kASPasswordCredentialClass = NULL;
static Class kUIApplicationClass = NULL;
static Class kNSApplicationClass = NULL;

static void loadAuthenticationServices(void) {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        const char *path = "/System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices";
        if ( [NSProcessInfo processInfo].macCatalystApp == YES ) {
            path = "/System/iOSSupport/System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices";
        }
        void* lib_handle = dlopen(path, RTLD_LAZY);
        if (lib_handle != NULL) {
            kASAuthorizationClass = NSClassFromString(@"ASAuthorization");
            kASAuthorizationControllerClass = NSClassFromString(@"ASAuthorizationController");
            kASAuthorizationPasswordProviderClass = NSClassFromString(@"ASAuthorizationPasswordProvider");
            kASPasswordCredentialClass = NSClassFromString(@"ASPasswordCredential");
        }
    });
}

static void loadUIKit(void) {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        const char *path = "/System/Library/Frameworks/UIKit.framework/UIKit";
        if ( [NSProcessInfo processInfo].macCatalystApp == YES ) {
            path = "/System/Library/iOSSupport/System/Library/Frameworks/UIKit.framework/UIKit";
        }
        void* lib_handle = dlopen(path, RTLD_LAZY);
        if (lib_handle != NULL) {
            kUIApplicationClass = NSClassFromString(@"UIApplication");
        }
    });
}

static void loadAppKit(void) {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        const char *path = "/System/Library/Frameworks/AppKit.framework/AppKit";
        void* lib_handle = dlopen(path, RTLD_LAZY);
        if (lib_handle != NULL) {
            kNSApplicationClass = NSClassFromString(@"NSApplication");
        }
    });
}

static Class ASAuthorizationClass() {
    loadAuthenticationServices();
    return kASAuthorizationClass;
}

static Class ASAuthorizationControllerClass() {
    loadAuthenticationServices();
    return kASAuthorizationControllerClass;
}

static Class ASAuthorizationPasswordProviderClass() {
    loadAuthenticationServices();
    return kASAuthorizationPasswordProviderClass;
}

static Class ASPasswordCredentialClass() {
    loadAuthenticationServices();
    return kASPasswordCredentialClass;
}

static Class UIApplicationClass() {
    loadUIKit();
    return kUIApplicationClass;
}

static Class NSApplicationClass() {
    loadAppKit();
    return kNSApplicationClass;
}

@interface SharedCredentialController : NSObject
    <ASAuthorizationControllerDelegate,
     ASAuthorizationControllerPresentationContextProviding>

-(ASPasswordCredential *)passwordCredential;

@end

@implementation SharedCredentialController {
    ASAuthorizationPasswordProvider *_provider;
    ASAuthorizationController *_controller;
    ASPasswordCredential *_passwordCredential;
    dispatch_semaphore_t _semaphore;
    NSError *_error;
    OSStatus _result;
}

- (void)dealloc {
    // Don't want any further callbacks since we are going away
    _controller.delegate = nil;
    _controller.presentationContextProvider = nil;
}

- (void)_requestCredential {
    if (!_provider) {
        _provider = [[ASAuthorizationPasswordProviderClass() alloc] init];
    }
    if (!_controller) {
        _controller = [[ASAuthorizationControllerClass() alloc] initWithAuthorizationRequests:@[ [_provider createRequest] ]];
    }
    _controller.delegate = self;
    _controller.presentationContextProvider = self;
    _semaphore = dispatch_semaphore_create(0);
    _result = errSecItemNotFound;
    _error = nil;

    [_controller performRequests];
}

- (ASPasswordCredential *)passwordCredential {
    if (_passwordCredential) {
        return _passwordCredential;
    }
    BOOL shouldRequest = YES; // ( [NSProcessInfo processInfo].macCatalystApp == YES );
    if (shouldRequest) {
        [self _requestCredential];
        // wait synchronously until user picks a credential or cancels
        dispatch_semaphore_wait(_semaphore, DISPATCH_TIME_FOREVER);
    } else {
        // unable to return a shared credential: <rdar://problem/59958701>
        _result = errSecItemNotFound;
        _error = [[NSError alloc] initWithDomain:NSOSStatusErrorDomain code:_result userInfo:NULL];
    }
    return _passwordCredential;
}

- (NSError *)error {
    return _error;
}

- (OSStatus)result {
    return _result;
}

- (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithAuthorization:(ASAuthorization *)authorization {
    secinfo("swcagent", "SWC received didCompleteWithAuthorization");
    ASPasswordCredential *passwordCredential = authorization.credential;
    if (![passwordCredential isKindOfClass:[ASPasswordCredentialClass() class]]) {
        _passwordCredential = nil;
        _result = errSecItemNotFound;
    } else {
        _passwordCredential = passwordCredential;
        _result = errSecSuccess;
    }
    dispatch_semaphore_signal(_semaphore);
}

- (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithError:(NSError *)error {
    secinfo("swcagent", "SWC received didCompleteWithError");
    _passwordCredential = nil;
    _error = error;
    _result = errSecItemNotFound;
    dispatch_semaphore_signal(_semaphore);
}

- (ASPresentationAnchor)presentationAnchorForAuthorizationController:(ASAuthorizationController *)controller
{
    ASPresentationAnchor anchorWindow = nil;
#if TARGET_OS_OSX
    if ( [NSProcessInfo processInfo].macCatalystApp == NO ) {
        anchorWindow = [[NSApplicationClass() sharedApplication] keyWindow];
    }
#endif
    if (!anchorWindow) {
        anchorWindow = [[UIApplicationClass() sharedApplication] keyWindow];
    }
    return anchorWindow;
}

@end

OSStatus SecCopySharedWebCredentialSyncUsingAuthSvcs(CFStringRef fqdn, CFStringRef account, CFArrayRef *credentials, CFErrorRef *error) {
    SharedCredentialController *controller = [[SharedCredentialController alloc] init];
    ASPasswordCredential *passwordCredential = [controller passwordCredential];
    OSStatus status = [controller result];
    NSArray *returnedCredentials = @[];
    if (status != errSecSuccess) {
        secinfo("swcagent", "SecCopySharedWebCredentialSyncUsingAuthSvcs received result %d", (int)status);
        if (error) {
            *error = (CFErrorRef)CFBridgingRetain([controller error]);
        }
    } else if (passwordCredential) {
        // Use the .user and .password of the passwordCredential to satisfy the SWC interface.
        NSDictionary *credential = @{
            (id)kSecAttrServer : (__bridge NSString*)fqdn,
            (id)kSecAttrAccount : passwordCredential.user,
            (id)kSecSharedPassword : passwordCredential.password,
        };
        returnedCredentials = @[ credential ];
    } else {
        secinfo("swcagent", "SecCopySharedWebCredentialSyncUsingAuthSvcs found no credential");
        status = errSecItemNotFound;
    }
    if (credentials) {
        *credentials = (CFArrayRef)CFBridgingRetain(returnedCredentials);
    }
    return status;
}
Commit	Line	Data
d64be36e A	1	/*
	2	* Copyright (c) 2020 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*
	23	* SecSharedCredential.m - Retrieve shared credentials with AuthenticationServices.
	24	*
	25	*/
	26
	27	#include <Security/SecSharedCredential.h>
	28	#include <Security/SecBasePriv.h>
	29	#include <utilities/SecCFError.h>
	30	#include <utilities/SecCFWrappers.h>
	31	#include "SecItemInternal.h"
	32	#include <dlfcn.h>
	33
	34	#import <Foundation/Foundation.h>
	35	#import <AuthenticationServices/AuthenticationServices.h>
	36
	37	// Forward declaration of the primary function implemented in this file
	38	OSStatus SecCopySharedWebCredentialSyncUsingAuthSvcs(CFStringRef fqdn, CFStringRef account, CFArrayRef credentials, CFErrorRef error);
	39
	40	// Classes we will load dynamically
	41	static Class kASAuthorizationClass = NULL;
	42	static Class kASAuthorizationControllerClass = NULL;
	43	static Class kASAuthorizationPasswordProviderClass = NULL;
	44	static Class kASPasswordCredentialClass = NULL;
	45	static Class kUIApplicationClass = NULL;
	46	static Class kNSApplicationClass = NULL;
	47
	48	static void loadAuthenticationServices(void) {
	49	static dispatch_once_t onceToken;
	50	dispatch_once(&onceToken, ^{
	51	const char *path = "/System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices";
	52	if ( [NSProcessInfo processInfo].macCatalystApp == YES ) {
	53	path = "/System/iOSSupport/System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices";
	54	}
	55	void* lib_handle = dlopen(path, RTLD_LAZY);
	56	if (lib_handle != NULL) {
	57	kASAuthorizationClass = NSClassFromString(@"ASAuthorization");
	58	kASAuthorizationControllerClass = NSClassFromString(@"ASAuthorizationController");
	59	kASAuthorizationPasswordProviderClass = NSClassFromString(@"ASAuthorizationPasswordProvider");
	60	kASPasswordCredentialClass = NSClassFromString(@"ASPasswordCredential");
	61	}
	62	});
	63	}
	64
65	static void loadUIKit(void) {
66	static dispatch_once_t onceToken;
67	dispatch_once(&onceToken, ^{
68	const char *path = "/System/Library/Frameworks/UIKit.framework/UIKit";
69	if ( [NSProcessInfo processInfo].macCatalystApp == YES ) {
70	path = "/System/Library/iOSSupport/System/Library/Frameworks/UIKit.framework/UIKit";
71	}
72	void* lib_handle = dlopen(path, RTLD_LAZY);
73	if (lib_handle != NULL) {
74	kUIApplicationClass = NSClassFromString(@"UIApplication");
75	}
76	});
77	}
78
79	static void loadAppKit(void) {
80	static dispatch_once_t onceToken;
81	dispatch_once(&onceToken, ^{
82	const char *path = "/System/Library/Frameworks/AppKit.framework/AppKit";
83	void* lib_handle = dlopen(path, RTLD_LAZY);
84	if (lib_handle != NULL) {
85	kNSApplicationClass = NSClassFromString(@"NSApplication");
86	}
87	});
88	}
89
90	static Class ASAuthorizationClass() {
91	loadAuthenticationServices();
92	return kASAuthorizationClass;
93	}
94
95	static Class ASAuthorizationControllerClass() {
96	loadAuthenticationServices();
97	return kASAuthorizationControllerClass;
98	}
99
100	static Class ASAuthorizationPasswordProviderClass() {
101	loadAuthenticationServices();
102	return kASAuthorizationPasswordProviderClass;
103	}
104
105	static Class ASPasswordCredentialClass() {
106	loadAuthenticationServices();
107	return kASPasswordCredentialClass;
108	}
109
110	static Class UIApplicationClass() {
111	loadUIKit();
112	return kUIApplicationClass;
113	}
114
115	static Class NSApplicationClass() {
116	loadAppKit();
117	return kNSApplicationClass;
118	}
119
120	@interface SharedCredentialController : NSObject
121	<ASAuthorizationControllerDelegate,
122	ASAuthorizationControllerPresentationContextProviding>
123
124	-(ASPasswordCredential *)passwordCredential;
125
126	@end
127
128	@implementation SharedCredentialController {
129	ASAuthorizationPasswordProvider *_provider;
130	ASAuthorizationController *_controller;
131	ASPasswordCredential *_passwordCredential;
132	dispatch_semaphore_t _semaphore;
133	NSError *_error;
134	OSStatus _result;
135	}
136
137	- (void)dealloc {
138	// Don't want any further callbacks since we are going away
139	_controller.delegate = nil;
140	_controller.presentationContextProvider = nil;
141	}
142
143	- (void)_requestCredential {
144	if (!_provider) {
145	_provider = [[ASAuthorizationPasswordProviderClass() alloc] init];
146	}
147	if (!_controller) {
148	_controller = [[ASAuthorizationControllerClass() alloc] initWithAuthorizationRequests:@[ [_provider createRequest] ]];
149	}
150	_controller.delegate = self;
151	_controller.presentationContextProvider = self;
152	_semaphore = dispatch_semaphore_create(0);
153	_result = errSecItemNotFound;
154	_error = nil;
155
156	[_controller performRequests];
157	}
158
159	- (ASPasswordCredential *)passwordCredential {
160	if (_passwordCredential) {
161	return _passwordCredential;
162	}
163	BOOL shouldRequest = YES; // ( [NSProcessInfo processInfo].macCatalystApp == YES );
164	if (shouldRequest) {
165	[self _requestCredential];
166	// wait synchronously until user picks a credential or cancels
167	dispatch_semaphore_wait(_semaphore, DISPATCH_TIME_FOREVER);
168	} else {
169	// unable to return a shared credential: <rdar://problem/59958701>
170	_result = errSecItemNotFound;
171	_error = [[NSError alloc] initWithDomain:NSOSStatusErrorDomain code:_result userInfo:NULL];
172	}
173	return _passwordCredential;
174	}
175
176	- (NSError *)error {
177	return _error;
178	}
179
180	- (OSStatus)result {
181	return _result;
182	}
183
184	- (void)authorizationController:(ASAuthorizationController )controller didCompleteWithAuthorization:(ASAuthorization )authorization {
185	secinfo("swcagent", "SWC received didCompleteWithAuthorization");
186	ASPasswordCredential *passwordCredential = authorization.credential;
187	if (![passwordCredential isKindOfClass:[ASPasswordCredentialClass() class]]) {
188	_passwordCredential = nil;
189	_result = errSecItemNotFound;
190	} else {
191	_passwordCredential = passwordCredential;
192	_result = errSecSuccess;
193	}
194	dispatch_semaphore_signal(_semaphore);
195	}
196
197	- (void)authorizationController:(ASAuthorizationController )controller didCompleteWithError:(NSError )error {
198	secinfo("swcagent", "SWC received didCompleteWithError");
199	_passwordCredential = nil;
200	_error = error;
201	_result = errSecItemNotFound;
202	dispatch_semaphore_signal(_semaphore);
203	}
204
205	- (ASPresentationAnchor)presentationAnchorForAuthorizationController:(ASAuthorizationController *)controller
206	{
207	ASPresentationAnchor anchorWindow = nil;
208	#if TARGET_OS_OSX
209	if ( [NSProcessInfo processInfo].macCatalystApp == NO ) {
210	anchorWindow = [[NSApplicationClass() sharedApplication] keyWindow];
211	}
212	#endif
213	if (!anchorWindow) {
214	anchorWindow = [[UIApplicationClass() sharedApplication] keyWindow];
215	}
216	return anchorWindow;
217	}
218
219	@end
220
221	OSStatus SecCopySharedWebCredentialSyncUsingAuthSvcs(CFStringRef fqdn, CFStringRef account, CFArrayRef credentials, CFErrorRef error) {
222	SharedCredentialController *controller = [[SharedCredentialController alloc] init];
223	ASPasswordCredential *passwordCredential = [controller passwordCredential];
224	OSStatus status = [controller result];
225	NSArray *returnedCredentials = @[];
226	if (status != errSecSuccess) {
227	secinfo("swcagent", "SecCopySharedWebCredentialSyncUsingAuthSvcs received result %d", (int)status);
228	if (error) {
229	*error = (CFErrorRef)CFBridgingRetain([controller error]);
230	}
231	} else if (passwordCredential) {
232	// Use the .user and .password of the passwordCredential to satisfy the SWC interface.
233	NSDictionary *credential = @{
234	(id)kSecAttrServer : (__bridge NSString*)fqdn,
235	(id)kSecAttrAccount : passwordCredential.user,
236	(id)kSecSharedPassword : passwordCredential.password,
237	};
238	returnedCredentials = @[ credential ];
239	} else {
240	secinfo("swcagent", "SecCopySharedWebCredentialSyncUsingAuthSvcs found no credential");
241	status = errSecItemNotFound;
242	}
243	if (credentials) {
244	*credentials = (CFArrayRef)CFBridgingRetain(returnedCredentials);
245	}
246	return status;
247	}