[apple/security.git] / OSX / libsecurity_codesigning / lib / evaluationmanager.cpp

/*
 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#include "evaluationmanager.h"
#include "policyengine.h"
#include <security_utilities/cfmunge.h>
#include <xpc/xpc.h>
#include <exception>
#include <vector>


namespace Security {
namespace CodeSigning {


#pragma mark - EvaluationTask


//
// An evaluation task object manages the assessment - either directly, or in the
// form of waiting for another evaluation task to finish an assessment on the
// same target.
//
class EvaluationTask
{
public:
    CFURLRef path()      const { return mPath.get(); }
    AuthorityType type() const { return mType; }
    bool isSharable()    const { return mSharable; }
    void setUnsharable()       { mSharable = false; }

private:
    EvaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type);
    virtual ~EvaluationTask();
    void performEvaluation(SecAssessmentFlags flags, CFDictionaryRef context);
    void waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result);

    PolicyEngine                      *mPolicyEngine;
    AuthorityType                      mType;
    dispatch_queue_t                   mWorkQueue;
    dispatch_queue_t                   mFeedbackQueue;
    dispatch_semaphore_t               mAssessmentLock;
    __block dispatch_once_t            mAssessmentKicked;
    int32_t                            mReferenceCount;
    int32_t                            mEvalCount;
// This whole thing is a pre-existing crutch and must be fixed soon.
#define UNOFFICIAL_MAX_XPC_ID_LENGTH 127
    char                               mXpcActivityName[UNOFFICIAL_MAX_XPC_ID_LENGTH];
    bool                               mSharable;

    CFCopyRef<CFURLRef>                mPath;
    CFCopyRef<CFMutableDictionaryRef>  mResult;
    std::vector<SecAssessmentFeedback> mFeedback;

    std::exception_ptr                 mExceptionToRethrow;

    friend class EvaluationManager;
};


EvaluationTask::EvaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type) :
    mPolicyEngine(engine), mType(type), mAssessmentLock(dispatch_semaphore_create(0)),
    mAssessmentKicked(0), mReferenceCount(0), mEvalCount(0), mSharable(true),
    mExceptionToRethrow(0)
{
    mXpcActivityName[0] = 0;

    mWorkQueue = dispatch_queue_create("EvaluationTask", 0);
    mFeedbackQueue = dispatch_queue_create("EvaluationTaskFeedback", 0);

    mPath = path;
    mResult.take(makeCFMutableDictionary());
}


EvaluationTask::~EvaluationTask()
{
    dispatch_release(mFeedbackQueue);
    dispatch_release(mWorkQueue);
    dispatch_release(mAssessmentLock);
}


void EvaluationTask::performEvaluation(SecAssessmentFlags flags, CFDictionaryRef context)
{
    bool performTheEvaluation = false;
    bool lowPriority = flags & kSecAssessmentFlagLowPriority;

    // each evaluation task performs at most a single evaluation
    if (OSAtomicIncrement32Barrier(&mEvalCount) == 1)
        performTheEvaluation = true;

    // define a block to run when the assessment has feedback available
    SecAssessmentFeedback relayFeedback = ^Boolean(CFStringRef type, CFDictionaryRef information) {

        __block Boolean proceed = true;
        dispatch_sync(mFeedbackQueue, ^{
            if (mFeedback.size() > 0) {
                proceed = false; // we need at least one interested party to proceed
                // forward the feedback to all registered listeners
                for (int i = 0; i < mFeedback.size(); ++i) {
                    proceed |= mFeedback[i](type, information);
                }
            }
        });
        if (!proceed)
            this->setUnsharable(); // don't share an expiring evaluation task
        return proceed;
    };


    // if the calling context has a feedback block, register it to listen to
    // our feedback relay
    dispatch_sync(mFeedbackQueue, ^{
        SecAssessmentFeedback feedback = (SecAssessmentFeedback)CFDictionaryGetValue(context, kSecAssessmentContextKeyFeedback);
        if (feedback && CFGetTypeID(feedback) == CFGetTypeID(relayFeedback))
            mFeedback.push_back(feedback);
    });

    // if we haven't already started the evaluation (we're the first interested
    // party), do it now
    if (performTheEvaluation) {
        dispatch_semaphore_t startLock = dispatch_semaphore_create(0);

        // create the assessment block
        dispatch_async(mWorkQueue, dispatch_block_create_with_qos_class(DISPATCH_BLOCK_ENFORCE_QOS_CLASS, QOS_CLASS_UTILITY, 0, ^{
            // signal that the assessment is ready to start
            dispatch_semaphore_signal(startLock);

            // wait until we're permitted to start the assessment. if we're in low
            // priority mode, this will not happen until we're on AC power. if not
            // in low priority mode, we're either already free to perform the
            // assessment or we will be quite soon
            dispatch_semaphore_wait(mAssessmentLock, DISPATCH_TIME_FOREVER);

            // Unregister a possibly still scheduled activity, as it lost its point.
            if (strlen(mXpcActivityName)) {
                xpc_activity_unregister(mXpcActivityName);
            }

            // copy the original context into our own mutable dictionary and replace
            // (or assign) the feedback entry within it to our multi-receiver
            // feedback relay block
            CFRef<CFMutableDictionaryRef> contextOverride = makeCFMutableDictionary(context);
            CFDictionaryRemoveValue(contextOverride.get(), kSecAssessmentContextKeyFeedback);
            CFDictionaryAddValue(contextOverride.get(), kSecAssessmentContextKeyFeedback, relayFeedback);

            try {
                // perform the evaluation
                switch (mType) {
                    case kAuthorityExecute:
                        mPolicyEngine->evaluateCode(mPath.get(), kAuthorityExecute, flags, contextOverride.get(), mResult.get(), true);
                        break;
                    case kAuthorityInstall:
                        mPolicyEngine->evaluateInstall(mPath.get(), flags, contextOverride.get(), mResult.get());
                        break;
                    case kAuthorityOpenDoc:
                        mPolicyEngine->evaluateDocOpen(mPath.get(), flags, contextOverride.get(), mResult.get());
                        break;
                    default:
                        MacOSError::throwMe(errSecCSInvalidAttributeValues);
                        break;
                }
            } catch(...) {
                mExceptionToRethrow = std::current_exception();
            }

        }));

        // wait for the assessment to start
        dispatch_semaphore_wait(startLock, DISPATCH_TIME_FOREVER);
        dispatch_release(startLock);

        if (lowPriority) {
            // This whole thing is a crutch and should be handled differently.
            // Maybe by having just one activity that just kicks off all remaining
            // background assessments, CTS determines that it's a good time.

            // reduce the bundle path name to just the app component and generate an
            // xpc_activity identifier from it. this identifier should be smaller than
            // 128 characters due to rdar://problem/20094806
            string path = cfString(mPath);
            size_t bundleNamePosition = path.rfind('/');
            const char *bundleName = "/default";
            if (bundleNamePosition != string::npos)
                bundleName = path.c_str() + bundleNamePosition;
            snprintf(mXpcActivityName, UNOFFICIAL_MAX_XPC_ID_LENGTH, "com.apple.security.assess%s", bundleName);

            // schedule the assessment to be permitted to run (beyond start) -- this
            // will either happen once we're no longer on battery power, or
            // immediately, based on the flag value of kSecAssessmentFlagLowPriority
            xpc_object_t criteria = xpc_dictionary_create(NULL, NULL, 0);
            xpc_dictionary_set_bool(criteria, XPC_ACTIVITY_REPEATING, false);
            xpc_dictionary_set_int64(criteria, XPC_ACTIVITY_DELAY, 0);
            xpc_dictionary_set_int64(criteria, XPC_ACTIVITY_GRACE_PERIOD, 0);

            xpc_dictionary_set_string(criteria, XPC_ACTIVITY_PRIORITY, XPC_ACTIVITY_PRIORITY_MAINTENANCE);
            xpc_dictionary_set_bool(criteria, XPC_ACTIVITY_ALLOW_BATTERY, false);

            xpc_activity_register(mXpcActivityName, criteria, ^(xpc_activity_t activity) {
                dispatch_once(&mAssessmentKicked, ^{
                    dispatch_semaphore_signal(mAssessmentLock);
                });
            });
            xpc_release(criteria);
        }
    }

    // If this is a foreground assessment to begin with, or if an assessment
    // with an existing task has been requested in the foreground, kick it
    // immediately.
    if (!lowPriority) {
        dispatch_once(&mAssessmentKicked, ^{
            dispatch_semaphore_signal(mAssessmentLock);
        });
    }
}


void EvaluationTask::waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result)
{
    // if the caller didn't request low priority we will elevate the dispatch
    // queue priority via our wait block
    dispatch_qos_class_t qos_class = QOS_CLASS_USER_INITIATED;
    if (flags & kSecAssessmentFlagLowPriority)
        qos_class = QOS_CLASS_UTILITY;

    // wait for the assessment to complete; our wait block will queue up behind
    // the assessment and the copy its results
    dispatch_sync(mWorkQueue, dispatch_block_create_with_qos_class  (DISPATCH_BLOCK_ENFORCE_QOS_CLASS, qos_class, 0, ^{
        // copy the class result back to the caller
        cfDictionaryApplyBlock(mResult.get(), ^(const void *key, const void *value){
            CFDictionaryAddValue(result, key, value);
        });
    }));
}


#pragma mark -


static Boolean evaluationTasksAreEqual(const EvaluationTask *task1, const EvaluationTask *task2)
{
    if (!task1->isSharable() || !task2->isSharable()) return false;
    if ((task1->type() != task2->type()) ||
        (cfString(task1->path()) != cfString(task2->path())))
        return false;

    return true;
}


#pragma mark - EvaluationManager


EvaluationManager *EvaluationManager::globalManager()
{
    static EvaluationManager *singleton;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        singleton = new EvaluationManager();
    });
    return singleton;
}


EvaluationManager::EvaluationManager()
{
    static CFDictionaryValueCallBacks evalTaskValueCallbacks = kCFTypeDictionaryValueCallBacks;
    evalTaskValueCallbacks.equal = (CFDictionaryEqualCallBack)evaluationTasksAreEqual;
    evalTaskValueCallbacks.retain = NULL;
    evalTaskValueCallbacks.release = NULL;
    mCurrentEvaluations.take(
        CFDictionaryCreateMutable(NULL,
                              0,
                              &kCFTypeDictionaryKeyCallBacks,
                              &evalTaskValueCallbacks));

    mListLockQueue = dispatch_queue_create("EvaluationManagerSyncronization", 0);
}


EvaluationManager::~EvaluationManager()
{
    dispatch_release(mListLockQueue);
}


EvaluationTask *EvaluationManager::evaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
{
    __block EvaluationTask *evalTask = NULL;

    dispatch_sync(mListLockQueue, ^{
        // is path already being evaluated?
        if (!(flags & kSecAssessmentFlagIgnoreActiveAssessments))
            evalTask = (EvaluationTask *)CFDictionaryGetValue(mCurrentEvaluations.get(), path);
        if (!evalTask) {
            // create a new task for the evaluation
            evalTask = new EvaluationTask(engine, path, type);
            if (flags & kSecAssessmentFlagIgnoreActiveAssessments)
                evalTask->setUnsharable();
            CFDictionaryAddValue(mCurrentEvaluations.get(), path, evalTask);
        }
        evalTask->mReferenceCount++;
    });

    if (evalTask)
        evalTask->performEvaluation(flags, context);

    return evalTask;
}


void EvaluationManager::finalizeTask(EvaluationTask *task, SecAssessmentFlags flags, CFMutableDictionaryRef result)
{
    task->waitForCompletion(flags, result);

    std::exception_ptr pendingException = task->mExceptionToRethrow;

    removeTask(task);

    if (pendingException) std::rethrow_exception(pendingException);
}


void EvaluationManager::removeTask(EvaluationTask *task)
{
    dispatch_sync(mListLockQueue, ^{
        // are we done with this evaluation task?
        if (--task->mReferenceCount == 0) {
            // yes -- remove it from our list and delete the object
            CFDictionaryRemoveValue(mCurrentEvaluations.get(), task->path());
            delete task;
        }
    });
}


} // end namespace CodeSigning
} // end namespace Security
Commit	Line	Data
5c19dc3a A	1	/*
	2	* Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#include "evaluationmanager.h"
	25	#include "policyengine.h"
	26	#include <security_utilities/cfmunge.h>
	27	#include <xpc/xpc.h>
	28	#include <exception>
	29	#include <vector>
	30
	31
	32
	33
	34	namespace Security {
	35	namespace CodeSigning {
	36
	37
	38
	39
	40	#pragma mark - EvaluationTask
	41
	42
	43	//
	44	// An evaluation task object manages the assessment - either directly, or in the
	45	// form of waiting for another evaluation task to finish an assessment on the
	46	// same target.
	47	//
	48	class EvaluationTask
	49	{
	50	public:
	51	CFURLRef path() const { return mPath.get(); }
	52	AuthorityType type() const { return mType; }
	53	bool isSharable() const { return mSharable; }
	54	void setUnsharable() { mSharable = false; }
	55
	56	private:
	57	EvaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type);
	58	virtual ~EvaluationTask();
	59	void performEvaluation(SecAssessmentFlags flags, CFDictionaryRef context);
	60	void waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result);
	61
	62	PolicyEngine *mPolicyEngine;
	63	AuthorityType mType;
	64	dispatch_queue_t mWorkQueue;
65	dispatch_queue_t mFeedbackQueue;
66	dispatch_semaphore_t mAssessmentLock;
67	__block dispatch_once_t mAssessmentKicked;
68	int32_t mReferenceCount;
69	int32_t mEvalCount;
70	// This whole thing is a pre-existing crutch and must be fixed soon.
71	#define UNOFFICIAL_MAX_XPC_ID_LENGTH 127
72	char mXpcActivityName[UNOFFICIAL_MAX_XPC_ID_LENGTH];
73	bool mSharable;
74
75	CFCopyRef<CFURLRef> mPath;
76	CFCopyRef<CFMutableDictionaryRef> mResult;
77	std::vector<SecAssessmentFeedback> mFeedback;
78
79	std::exception_ptr mExceptionToRethrow;
80
81	friend class EvaluationManager;
82	};
83
84
85	EvaluationTask::EvaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type) :
86	mPolicyEngine(engine), mType(type), mAssessmentLock(dispatch_semaphore_create(0)),
87	mAssessmentKicked(0), mReferenceCount(0), mEvalCount(0), mSharable(true),
88	mExceptionToRethrow(0)
89	{
90	mXpcActivityName[0] = 0;
91
92	mWorkQueue = dispatch_queue_create("EvaluationTask", 0);
93	mFeedbackQueue = dispatch_queue_create("EvaluationTaskFeedback", 0);
94
95	mPath = path;
96	mResult.take(makeCFMutableDictionary());
97	}
98
99
100	EvaluationTask::~EvaluationTask()
101	{
102	dispatch_release(mFeedbackQueue);
103	dispatch_release(mWorkQueue);
104	dispatch_release(mAssessmentLock);
105	}
106
107
108	void EvaluationTask::performEvaluation(SecAssessmentFlags flags, CFDictionaryRef context)
109	{
110	bool performTheEvaluation = false;
111	bool lowPriority = flags & kSecAssessmentFlagLowPriority;
112
113	// each evaluation task performs at most a single evaluation
114	if (OSAtomicIncrement32Barrier(&mEvalCount) == 1)
115	performTheEvaluation = true;
116
117	// define a block to run when the assessment has feedback available
118	SecAssessmentFeedback relayFeedback = ^Boolean(CFStringRef type, CFDictionaryRef information) {
119
120	__block Boolean proceed = true;
121	dispatch_sync(mFeedbackQueue, ^{
122	if (mFeedback.size() > 0) {
123	proceed = false; // we need at least one interested party to proceed
124	// forward the feedback to all registered listeners
125	for (int i = 0; i < mFeedback.size(); ++i) {
126	proceed \|= mFeedback[i](type, information);
127	}
128	}
129	});
130	if (!proceed)
131	this->setUnsharable(); // don't share an expiring evaluation task
132	return proceed;
133	};
134
135
136	// if the calling context has a feedback block, register it to listen to
137	// our feedback relay
138	dispatch_sync(mFeedbackQueue, ^{
139	SecAssessmentFeedback feedback = (SecAssessmentFeedback)CFDictionaryGetValue(context, kSecAssessmentContextKeyFeedback);
140	if (feedback && CFGetTypeID(feedback) == CFGetTypeID(relayFeedback))
141	mFeedback.push_back(feedback);
142	});
143
144	// if we haven't already started the evaluation (we're the first interested
145	// party), do it now
146	if (performTheEvaluation) {
147	dispatch_semaphore_t startLock = dispatch_semaphore_create(0);
148
149	// create the assessment block
150	dispatch_async(mWorkQueue, dispatch_block_create_with_qos_class(DISPATCH_BLOCK_ENFORCE_QOS_CLASS, QOS_CLASS_UTILITY, 0, ^{
151	// signal that the assessment is ready to start
152	dispatch_semaphore_signal(startLock);
153
154	// wait until we're permitted to start the assessment. if we're in low
155	// priority mode, this will not happen until we're on AC power. if not
156	// in low priority mode, we're either already free to perform the
157	// assessment or we will be quite soon
158	dispatch_semaphore_wait(mAssessmentLock, DISPATCH_TIME_FOREVER);
159
160	// Unregister a possibly still scheduled activity, as it lost its point.
161	if (strlen(mXpcActivityName)) {
162	xpc_activity_unregister(mXpcActivityName);
163	}
164
165	// copy the original context into our own mutable dictionary and replace
166	// (or assign) the feedback entry within it to our multi-receiver
167	// feedback relay block
168	CFRef<CFMutableDictionaryRef> contextOverride = makeCFMutableDictionary(context);
169	CFDictionaryRemoveValue(contextOverride.get(), kSecAssessmentContextKeyFeedback);
170	CFDictionaryAddValue(contextOverride.get(), kSecAssessmentContextKeyFeedback, relayFeedback);
171
172	try {
173	// perform the evaluation
174	switch (mType) {
175	case kAuthorityExecute:
176	mPolicyEngine->evaluateCode(mPath.get(), kAuthorityExecute, flags, contextOverride.get(), mResult.get(), true);
177	break;
178	case kAuthorityInstall:
179	mPolicyEngine->evaluateInstall(mPath.get(), flags, contextOverride.get(), mResult.get());
180	break;
181	case kAuthorityOpenDoc:
182	mPolicyEngine->evaluateDocOpen(mPath.get(), flags, contextOverride.get(), mResult.get());
183	break;
184	default:
185	MacOSError::throwMe(errSecCSInvalidAttributeValues);
186	break;
187	}
188	} catch(...) {
189	mExceptionToRethrow = std::current_exception();
190	}
191
192	}));
193
194	// wait for the assessment to start
195	dispatch_semaphore_wait(startLock, DISPATCH_TIME_FOREVER);
196	dispatch_release(startLock);
197
198	if (lowPriority) {
199	// This whole thing is a crutch and should be handled differently.
200	// Maybe by having just one activity that just kicks off all remaining
201	// background assessments, CTS determines that it's a good time.
202
203	// reduce the bundle path name to just the app component and generate an
204	// xpc_activity identifier from it. this identifier should be smaller than
205	// 128 characters due to rdar://problem/20094806
206	string path = cfString(mPath);
207	size_t bundleNamePosition = path.rfind('/');
208	const char *bundleName = "/default";
209	if (bundleNamePosition != string::npos)
210	bundleName = path.c_str() + bundleNamePosition;
211	snprintf(mXpcActivityName, UNOFFICIAL_MAX_XPC_ID_LENGTH, "com.apple.security.assess%s", bundleName);
212
213	// schedule the assessment to be permitted to run (beyond start) -- this
214	// will either happen once we're no longer on battery power, or
215	// immediately, based on the flag value of kSecAssessmentFlagLowPriority
216	xpc_object_t criteria = xpc_dictionary_create(NULL, NULL, 0);
217	xpc_dictionary_set_bool(criteria, XPC_ACTIVITY_REPEATING, false);
218	xpc_dictionary_set_int64(criteria, XPC_ACTIVITY_DELAY, 0);
219	xpc_dictionary_set_int64(criteria, XPC_ACTIVITY_GRACE_PERIOD, 0);
220
221	xpc_dictionary_set_string(criteria, XPC_ACTIVITY_PRIORITY, XPC_ACTIVITY_PRIORITY_MAINTENANCE);
222	xpc_dictionary_set_bool(criteria, XPC_ACTIVITY_ALLOW_BATTERY, false);
223
224	xpc_activity_register(mXpcActivityName, criteria, ^(xpc_activity_t activity) {
225	dispatch_once(&mAssessmentKicked, ^{
226	dispatch_semaphore_signal(mAssessmentLock);
227	});
228	});
229	xpc_release(criteria);
230	}
231	}
232
233	// If this is a foreground assessment to begin with, or if an assessment
234	// with an existing task has been requested in the foreground, kick it
235	// immediately.
236	if (!lowPriority) {
237	dispatch_once(&mAssessmentKicked, ^{
238	dispatch_semaphore_signal(mAssessmentLock);
239	});
240	}
241	}
242
243
244
245	void EvaluationTask::waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result)
246	{
247	// if the caller didn't request low priority we will elevate the dispatch
248	// queue priority via our wait block
249	dispatch_qos_class_t qos_class = QOS_CLASS_USER_INITIATED;
250	if (flags & kSecAssessmentFlagLowPriority)
251	qos_class = QOS_CLASS_UTILITY;
252
253	// wait for the assessment to complete; our wait block will queue up behind
254	// the assessment and the copy its results
255	dispatch_sync(mWorkQueue, dispatch_block_create_with_qos_class (DISPATCH_BLOCK_ENFORCE_QOS_CLASS, qos_class, 0, ^{
256	// copy the class result back to the caller
257	cfDictionaryApplyBlock(mResult.get(), ^(const void key, const void value){
258	CFDictionaryAddValue(result, key, value);
259	});
260	}));
5c19dc3a A	261	}
	262
	263
	264
	265	#pragma mark -
	266
	267
	268	static Boolean evaluationTasksAreEqual(const EvaluationTask task1, const EvaluationTask task2)
	269	{
	270	if (!task1->isSharable() \|\| !task2->isSharable()) return false;
	271	if ((task1->type() != task2->type()) \|\|
	272	(cfString(task1->path()) != cfString(task2->path())))
	273	return false;
	274
	275	return true;
	276	}
	277
	278
	279
	280
	281	#pragma mark - EvaluationManager
	282
	283
	284	EvaluationManager *EvaluationManager::globalManager()
	285	{
	286	static EvaluationManager *singleton;
	287	static dispatch_once_t onceToken;
	288	dispatch_once(&onceToken, ^{
	289	singleton = new EvaluationManager();
	290	});
	291	return singleton;
	292	}
	293
	294
	295	EvaluationManager::EvaluationManager()
	296	{
	297	static CFDictionaryValueCallBacks evalTaskValueCallbacks = kCFTypeDictionaryValueCallBacks;
	298	evalTaskValueCallbacks.equal = (CFDictionaryEqualCallBack)evaluationTasksAreEqual;
	299	evalTaskValueCallbacks.retain = NULL;
	300	evalTaskValueCallbacks.release = NULL;
	301	mCurrentEvaluations.take(
	302	CFDictionaryCreateMutable(NULL,
	303	0,
	304	&kCFTypeDictionaryKeyCallBacks,
	305	&evalTaskValueCallbacks));
	306
	307	mListLockQueue = dispatch_queue_create("EvaluationManagerSyncronization", 0);
	308	}
	309
	310
	311	EvaluationManager::~EvaluationManager()
	312	{
	313	dispatch_release(mListLockQueue);
	314	}
	315
	316
	317	EvaluationTask EvaluationManager::evaluationTask(PolicyEngine engine, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
	318	{
	319	__block EvaluationTask *evalTask = NULL;
	320
	321	dispatch_sync(mListLockQueue, ^{
	322	// is path already being evaluated?
	323	if (!(flags & kSecAssessmentFlagIgnoreActiveAssessments))
	324	evalTask = (EvaluationTask *)CFDictionaryGetValue(mCurrentEvaluations.get(), path);
325	if (!evalTask) {
326	// create a new task for the evaluation
327	evalTask = new EvaluationTask(engine, path, type);
328	if (flags & kSecAssessmentFlagIgnoreActiveAssessments)
329	evalTask->setUnsharable();
330	CFDictionaryAddValue(mCurrentEvaluations.get(), path, evalTask);
331	}
332	evalTask->mReferenceCount++;
333	});
334
335	if (evalTask)
336	evalTask->performEvaluation(flags, context);
337
338	return evalTask;
339	}
340
341
822b670c	342	void EvaluationManager::finalizeTask(EvaluationTask *task, SecAssessmentFlags flags, CFMutableDictionaryRef result)
5c19dc3a A	343	{
5c19dc3a A	344	task->waitForCompletion(flags, result);
822b670c A	345
	346	std::exception_ptr pendingException = task->mExceptionToRethrow;
	347
	348	removeTask(task);
	349
	350	if (pendingException) std::rethrow_exception(pendingException);
5c19dc3a A	351	}
	352
	353
	354	void EvaluationManager::removeTask(EvaluationTask *task)
	355	{
	356	dispatch_sync(mListLockQueue, ^{
	357	// are we done with this evaluation task?
	358	if (--task->mReferenceCount == 0) {
	359	// yes -- remove it from our list and delete the object
	360	CFDictionaryRemoveValue(mCurrentEvaluations.get(), task->path());
	361	delete task;
	362	}
	363	});
	364	}
	365
	366
	367
	368	} // end namespace CodeSigning
	369	} // end namespace Security
	370