]> git.saurik.com Git - apple/security.git/blob - CircleJoinRequested/CircleJoinRequested.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-57336.1.9.tar.gz
[apple/security.git] / CircleJoinRequested / CircleJoinRequested.m
1 //
2 // CircleJoinRequested.m
3 // CircleJoinRequested
4 //
5 // Created by J Osborne on 3/5/13.
6 // Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
7 //
8 #import <Accounts/Accounts.h>
9 #import <Accounts/ACAccountStore_Private.h>
10 #import <AggregateDictionary/ADClient.h>
11 #import <AppleAccount/AppleAccount.h>
12 #import <AppleAccount/ACAccountStore+AppleAccount.h>
13 #import <Accounts/ACAccountType_Private.h>
14 #import <Foundation/Foundation.h>
15 #include <dispatch/dispatch.h>
16 #include "SecureObjectSync/SOSCloudCircle.h"
17 #include "SecureObjectSync/SOSPeerInfo.h"
18 #import <CoreFoundation/CFUserNotification.h>
19 #import <SpringBoardServices/SBSCFUserNotificationKeys.h>
20 #include <notify.h>
21 #include <sysexits.h>
22 #import "Applicant.h"
23 #import "NSArray+map.h"
24 #import <ManagedConfiguration/MCProfileConnection.h>
25 #import <ManagedConfiguration/MCFeatures.h>
26 #import <Security/SecFrameworkStrings.h>
27 #import "PersistentState.h"
28 #include <xpc/private.h>
29 #include <sys/time.h>
30 #import "NSDate+TimeIntervalDescription.h"
31 #include <MobileGestalt.h>
32 #include <xpc/activity.h>
33 #include <xpc/private.h>
34 #import <MobileCoreServices/MobileCoreServices.h>
35 #import <MobileCoreServices/LSApplicationWorkspace.h>
36 #import <CloudServices/SecureBackup.h>
37 #import <AppSupport/AppSupportUtils.h>
38 #import <syslog.h>
39 #include "utilities/SecCFRelease.h"
40 #include "utilities/debugging.h"
41
42 // As long as we are logging the failure use exit code of zero to make launchd happy
43 #define EXIT_LOGGED_FAILURE(code) xpc_transaction_end(); exit(0)
44
45 const char *kLaunchLaterXPCName = "com.apple.security.CircleJoinRequestedTick";
46 CFRunLoopSourceRef currentAlertSource = NULL;
47 CFUserNotificationRef currentAlert = NULL;
48 bool currentAlertIsForApplicants = true;
49 bool currentAlertIsForKickOut = false;
50 NSMutableDictionary *applicants = nil;
51 volatile NSString *debugState = @"main?";
52 dispatch_block_t doOnceInMainBlockChain = NULL;
53
54 NSString *castleKeychainUrl = @"prefs:root=CASTLE&path=Keychain/ADVANCED";
55
56 static void doOnceInMain(dispatch_block_t block)
57 {
58 if (doOnceInMainBlockChain) {
59 doOnceInMainBlockChain = ^{
60 doOnceInMainBlockChain();
61 block();
62 };
63 } else {
64 doOnceInMainBlockChain = block;
65 }
66 }
67
68
69 static NSString *appleIDAccountName()
70 {
71 ACAccountStore *accountStore = [[ACAccountStore alloc] init];
72 ACAccount *primaryAppleAccount = [accountStore aa_primaryAppleAccount];
73 return primaryAppleAccount.username;
74 }
75
76
77 static CFOptionFlags flagsForAsk(Applicant *applicant)
78 {
79 return kCFUserNotificationPlainAlertLevel | CFUserNotificationSecureTextField(0);
80 }
81
82
83 // NOTE: gives precedence to OnScreen
84 static Applicant *firstApplicantWaitingOrOnScreen()
85 {
86 Applicant *waiting = nil;
87 for (Applicant *applicant in [applicants objectEnumerator]) {
88 if (applicant.applicantUIState == ApplicantOnScreen) {
89 return applicant;
90 } else if (applicant.applicantUIState == ApplicantWaiting) {
91 waiting = applicant;
92 }
93 }
94
95 return waiting;
96 }
97
98
99 static NSMutableArray *applicantsInState(ApplicantUIState state)
100 {
101 NSMutableArray *results = [NSMutableArray new];
102 for (Applicant *applicant in [applicants objectEnumerator]) {
103 if (applicant.applicantUIState == state) {
104 [results addObject:applicant];
105 }
106 }
107
108 return results;
109 }
110
111
112 static BOOL processRequests(CFErrorRef *error) {
113 NSMutableArray *toAccept = [[applicantsInState(ApplicantAccepted) mapWithBlock:^id(id obj) {return (id)[obj rawPeerInfo];}] mutableCopy];
114 NSMutableArray *toReject = [[applicantsInState(ApplicantRejected) mapWithBlock:^id(id obj) {return (id)[obj rawPeerInfo];}] mutableCopy];
115 bool ok = true;
116
117 NSLog(@"Process accept: %@", toAccept);
118 NSLog(@"Process reject: %@", toReject);
119
120 if ([toAccept count])
121 ok = ok && SOSCCAcceptApplicants((__bridge CFArrayRef) toAccept, error);
122
123 if ([toReject count])
124 ok = ok && SOSCCRejectApplicants((__bridge CFArrayRef) toReject, error);
125
126 return ok;
127 }
128
129
130 static void cancelCurrentAlert(bool stopRunLoop) {
131 if (currentAlertSource) {
132 CFRunLoopRemoveSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode);
133 CFReleaseNull(currentAlertSource);
134 }
135 if (currentAlert) {
136 CFUserNotificationCancel(currentAlert);
137 CFReleaseNull(currentAlert);
138 }
139 if (stopRunLoop) {
140 CFRunLoopStop(CFRunLoopGetCurrent());
141 }
142 currentAlertIsForKickOut = currentAlertIsForApplicants = false;
143 }
144
145
146 static void askAboutAll(bool passwordFailure);
147
148
149 static void applicantChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags)
150 {
151 ApplicantUIState choice;
152
153 if (kCFUserNotificationAlternateResponse == responseFlags) {
154 choice = ApplicantRejected;
155 } else if (kCFUserNotificationDefaultResponse == responseFlags) {
156 choice = ApplicantAccepted;
157 } else {
158 NSLog(@"Unexpected response %lu", responseFlags);
159 choice = ApplicantRejected;
160 }
161
162 BOOL processed = NO;
163 CFErrorRef error = NULL;
164 NSArray *onScreen = applicantsInState(ApplicantOnScreen);
165
166 [onScreen enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
167 Applicant* applicant = (Applicant *) obj;
168 applicant.applicantUIState = choice;
169 }];
170
171 if (choice == ApplicantRejected) {
172 // If this device has ever set up the public key this should work without the password...
173 processed = processRequests(&error);
174 if (processed) {
175 NSLog(@"Didn't need password to process %@", onScreen);
176 cancelCurrentAlert(true);
177 return;
178 } else {
179 // ...however if the public key gets lost we should "just" fall through to the validate
180 // password path.
181 NSLog(@"Couldn't process reject without password (e=%@) for %@ (will try with password next)", error, onScreen);
182 }
183 CFReleaseNull(error);
184 }
185
186 NSString *password = (__bridge NSString *)(CFUserNotificationGetResponseValue(userNotification, kCFUserNotificationTextFieldValuesKey, 0));
187 if (!password) {
188 NSLog(@"No password given, retry");
189 askAboutAll(true);
190 return;
191 }
192 const char *passwordUTF8 = [password UTF8String];
193 NSData *passwordBytes = [NSData dataWithBytes:passwordUTF8 length:strlen(passwordUTF8)];
194
195 // Sometimes securityd crashes between SOSCCRegisterUserCredentials and processRequests
196 // (which results in a process error -- I think this is 13355140), as a workaround we retry
197 // failure a few times before we give up.
198 for (int try = 0; try < 5 && !processed; try++) {
199 if (!SOSCCTryUserCredentials(CFSTR(""), (__bridge CFDataRef)(passwordBytes), &error)) {
200 NSLog(@"Try user credentials failed %@", error);
201 if ((error == NULL) ||
202 (CFEqual(kSOSErrorDomain, CFErrorGetDomain(error)) && kSOSErrorWrongPassword == CFErrorGetCode(error))) {
203 NSLog(@"Calling askAboutAll again...");
204 [onScreen enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) {
205 Applicant* applicant = (Applicant*) obj;
206 applicant.applicantUIState = ApplicantWaiting;
207 }];
208 askAboutAll(true);
209 CFReleaseNull(error);
210 return;
211 }
212 EXIT_LOGGED_FAILURE(EX_DATAERR);
213 }
214
215 processed = processRequests(&error);
216 if (!processed) {
217 NSLog(@"Can't processRequests: %@ for %@", error, onScreen);
218 }
219 CFReleaseNull(error);
220 }
221
222 if (processed && firstApplicantWaitingOrOnScreen()) {
223 cancelCurrentAlert(false);
224 askAboutAll(false);
225 } else {
226 cancelCurrentAlert(true);
227 }
228 }
229
230
231 static void passwordFailurePrompt()
232 {
233 NSString *pwIncorrect = [NSString stringWithFormat:(NSString *)CFBridgingRelease(SecCopyCKString(SEC_CK_PASSWORD_INCORRECT)), appleIDAccountName()];
234 NSString *tryAgain = CFBridgingRelease(SecCopyCKString(SEC_CK_TRY_AGAIN));
235 NSDictionary *noteAttributes = @{
236 (id) kCFUserNotificationAlertHeaderKey : pwIncorrect,
237 (id) kCFUserNotificationDefaultButtonTitleKey : tryAgain,
238 (id) kCFUserNotificationAlertTopMostKey : @YES, // get us onto the lock screen
239 (__bridge id) SBUserNotificationDontDismissOnUnlock: @YES,
240 (__bridge id) SBUserNotificationDismissOnLock : @NO,
241 };
242 CFOptionFlags flags = kCFUserNotificationPlainAlertLevel;
243 SInt32 err;
244 CFUserNotificationRef note = CFUserNotificationCreate(NULL, 0.0, flags, &err, (__bridge CFDictionaryRef)noteAttributes);
245
246 if (note) {
247 CFUserNotificationReceiveResponse(note, 0.0, &flags);
248 CFRelease(note);
249 }
250 }
251
252
253 static NSString *getLocalizedApprovalBody(NSString *deviceType) {
254 CFStringRef applicationReminder = NULL;
255
256 if ([deviceType isEqualToString:@"iPhone"])
257 applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_IPHONE);
258 else if ([deviceType isEqualToString:@"iPod"])
259 applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_IPOD);
260 else if ([deviceType isEqualToString:@"iPad"])
261 applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_IPAD);
262 else if ([deviceType isEqualToString:@"Mac"])
263 applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_MAC);
264 else
265 applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_GENERIC);
266
267 return (__bridge_transfer NSString *) applicationReminder;
268 }
269
270
271 static NSDictionary *createNote(Applicant *applicantToAskAbout)
272 {
273 if(!applicantToAskAbout || !applicantToAskAbout.name || !applicantToAskAbout.deviceType)
274 return NULL;
275
276 NSString *header = [NSString stringWithFormat: (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_APPROVAL_TITLE_IOS), applicantToAskAbout.name];
277 NSString *body = [NSString stringWithFormat: getLocalizedApprovalBody(applicantToAskAbout.deviceType), appleIDAccountName()];
278
279 return @{
280 (id) kCFUserNotificationAlertHeaderKey : header,
281 (id) kCFUserNotificationAlertMessageKey : body,
282 (id) kCFUserNotificationDefaultButtonTitleKey : (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_ALLOW),
283 (id) kCFUserNotificationAlternateButtonTitleKey: (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_DONT_ALLOW),
284 (id) kCFUserNotificationTextFieldTitlesKey : (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_ICLOUD_PASSWORD),
285 (id) kCFUserNotificationAlertTopMostKey : @YES, // get us onto the lock screen
286 (__bridge_transfer id) SBUserNotificationDontDismissOnUnlock: @YES,
287 (__bridge_transfer id) SBUserNotificationDismissOnLock : @NO,
288 };
289 }
290
291
292 static void askAboutAll(bool passwordFailure)
293 {
294 if ([[MCProfileConnection sharedConnection] effectiveBoolValueForSetting: MCFeatureAccountModificationAllowed] == MCRestrictedBoolExplicitNo) {
295 NSLog(@"Account modifications not allowed.");
296 return;
297 }
298
299 if (passwordFailure) {
300 passwordFailurePrompt();
301 }
302
303 if ((passwordFailure || !currentAlertIsForApplicants) && currentAlert) {
304 if (!currentAlertIsForApplicants) {
305 CFUserNotificationCancel(currentAlert);
306 }
307 // after password failure we need to remove the existing alert and supporting objects
308 // because we can't reuse them.
309 CFReleaseNull(currentAlert);
310 CFReleaseNull(currentAlertSource);
311 }
312 currentAlertIsForApplicants = true;
313
314 Applicant *applicantToAskAbout = firstApplicantWaitingOrOnScreen();
315 NSLog(@"Asking about: %@ (of: %@)", applicantToAskAbout, applicants);
316
317 NSDictionary *noteAttributes = createNote(applicantToAskAbout);
318 if(!noteAttributes) {
319 NSLog(@"NULL data for %@", applicantToAskAbout);
320 cancelCurrentAlert(true);
321 return;
322 }
323
324 CFOptionFlags flags = flagsForAsk(applicantToAskAbout);
325
326 if (currentAlert) {
327 SInt32 err = CFUserNotificationUpdate(currentAlert, 0, flags, (__bridge CFDictionaryRef)noteAttributes);
328 if (err) {
329 NSLog(@"CFUserNotificationUpdate err=%d", (int)err);
330 EXIT_LOGGED_FAILURE(EX_SOFTWARE);
331 }
332 } else {
333 SInt32 err = 0;
334 currentAlert = CFUserNotificationCreate(NULL, 0.0, flags, &err, (__bridge CFDictionaryRef)(noteAttributes));
335 if (err) {
336 NSLog(@"Can't make notification for %@ err=%x", applicantToAskAbout, (int)err);
337 EXIT_LOGGED_FAILURE(EX_SOFTWARE);
338 }
339
340 currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, applicantChoice, 0);
341 CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode);
342 }
343
344 applicantToAskAbout.applicantUIState = ApplicantOnScreen;
345 }
346
347
348 static void scheduleActivity(int alertInterval)
349 {
350 xpc_object_t options = xpc_dictionary_create(NULL, NULL, 0);
351 xpc_dictionary_set_uint64(options, XPC_ACTIVITY_DELAY, alertInterval);
352 xpc_dictionary_set_uint64(options, XPC_ACTIVITY_GRACE_PERIOD, XPC_ACTIVITY_INTERVAL_1_MIN);
353 xpc_dictionary_set_bool(options, XPC_ACTIVITY_REPEATING, false);
354 xpc_dictionary_set_bool(options, XPC_ACTIVITY_ALLOW_BATTERY, true);
355 xpc_dictionary_set_string(options, XPC_ACTIVITY_PRIORITY, XPC_ACTIVITY_PRIORITY_UTILITY);
356
357 xpc_activity_register(kLaunchLaterXPCName, options, ^(xpc_activity_t activity) {
358 NSLog(@"activity handler fired");
359 });
360 }
361
362
363 static void reminderChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) {
364 if (responseFlags == kCFUserNotificationAlternateResponse || responseFlags == kCFUserNotificationDefaultResponse) {
365 PersistentState *state = [PersistentState loadFromStorage];
366 NSDate *nowish = [NSDate new];
367 state.pendingApplicationReminder = [nowish dateByAddingTimeInterval: state.pendingApplicationReminderAlertInterval];
368 scheduleActivity(state.pendingApplicationReminderAlertInterval);
369 [state writeToStorage];
370 if (responseFlags == kCFUserNotificationAlternateResponse) {
371 // Use security code
372 BOOL ok = [[LSApplicationWorkspace defaultWorkspace] openSensitiveURL:[NSURL URLWithString:castleKeychainUrl] withOptions:nil];
373 NSLog(@"%s iCSC: opening %@ ok=%d", __FUNCTION__, castleKeychainUrl, ok);
374 }
375 }
376
377 cancelCurrentAlert(true);
378 }
379
380
381 static bool iCloudResetAvailable() {
382 SecureBackup *backupd = [SecureBackup new];
383 NSDictionary *backupdResults;
384 NSError *error = [backupd getAccountInfoWithInfo:nil results:&backupdResults];
385 NSLog(@"SecureBackup e=%@ r=%@", error, backupdResults);
386 return (error == nil && [backupdResults[kSecureBackupIsEnabledKey] isEqualToNumber:@YES]);
387 }
388
389
390
391 static NSString *getLocalizedApplicationReminder() {
392 CFStringRef applicationReminder = NULL;
393 switch (MGGetSInt32Answer(kMGQDeviceClassNumber, MGDeviceClassInvalid)) {
394 case MGDeviceClassiPhone:
395 applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_IPHONE);
396 break;
397 case MGDeviceClassiPod:
398 applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_IPOD);
399 break;
400 case MGDeviceClassiPad:
401 applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_IPAD);
402 break;
403 default:
404 applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_GENERIC);
405 break;
406 }
407 return (__bridge_transfer NSString *) applicationReminder;
408 }
409
410
411 static void postApplicationReminderAlert(NSDate *nowish, PersistentState *state, unsigned int alertInterval)
412 {
413 NSString *body = getLocalizedApplicationReminder();
414 bool has_iCSC = iCloudResetAvailable();
415
416 if (state.defaultPendingApplicationReminderAlertInterval != state.pendingApplicationReminderAlertInterval) {
417 body = [body stringByAppendingFormat: @"〖debug interval %u; wait time %@〗",
418 state.pendingApplicationReminderAlertInterval,
419 [nowish copyDescriptionOfIntervalSince:state.applicationDate]];
420 }
421
422 NSDictionary *pendingAttributes = @{
423 (id) kCFUserNotificationAlertHeaderKey : (__bridge NSString *) SecCopyCKString(SEC_CK_REMINDER_TITLE_IOS),
424 (id) kCFUserNotificationAlertMessageKey : body,
425 (id) kCFUserNotificationDefaultButtonTitleKey : (__bridge NSString *) SecCopyCKString(SEC_CK_REMINDER_BUTTON_OK),
426 (id) kCFUserNotificationAlternateButtonTitleKey: has_iCSC ? (__bridge NSString *) SecCopyCKString(SEC_CK_REMINDER_BUTTON_ICSC) : @"",
427 (id) kCFUserNotificationAlertTopMostKey : @YES,
428 (__bridge id) SBUserNotificationDontDismissOnUnlock : @YES,
429 (__bridge id) SBUserNotificationDismissOnLock : @NO,
430 (__bridge id) SBUserNotificationOneButtonPerLine : @YES,
431 };
432 SInt32 err = 0;
433 currentAlert = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef) pendingAttributes);
434
435 if (err) {
436 NSLog(@"Can't make pending notification err=%x", (int)err);
437 } else {
438 currentAlertIsForApplicants = false;
439 currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, reminderChoice, 0);
440 CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode);
441 }
442 }
443
444
445 static void kickOutChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) {
446 NSLog(@"kOC %@ %lu", userNotification, responseFlags);
447 if (responseFlags == kCFUserNotificationDefaultResponse) {
448 // We need to let things unwind to main for the new state to get saved
449 doOnceInMain(^{
450 BOOL ok = [[LSApplicationWorkspace defaultWorkspace] openSensitiveURL:[NSURL URLWithString:castleKeychainUrl] withOptions:nil];
451 NSLog(@"ok=%d opening %@", ok, [NSURL URLWithString:castleKeychainUrl]);
452 });
453 }
454 cancelCurrentAlert(true);
455 }
456
457
458 CFStringRef const CJRAggdDepartureReasonKey = CFSTR("com.apple.security.circlejoinrequested.departurereason");
459 CFStringRef const CJRAggdNumCircleDevicesKey = CFSTR("com.apple.security.circlejoinrequested.numcircledevices");
460
461 static void postKickedOutAlert(enum DepartureReason reason)
462 {
463 NSString *header = nil;
464 NSString *message = nil;
465
466 // <rdar://problem/20358568> iCDP telemetry: ☂ Statistics on circle reset and drop out events
467 ADClientSetValueForScalarKey(CJRAggdDepartureReasonKey, reason);
468
469 int64_t num_peers = 0;
470 CFArrayRef peerList = SOSCCCopyPeerPeerInfo(NULL);
471 if (peerList) {
472 num_peers = CFArrayGetCount(peerList);
473 if (num_peers > 99) {
474 // Round down # peers to 2 significant digits
475 int factor;
476 for (factor = 10; num_peers >= 100*factor; factor *= 10) ;
477 num_peers = (num_peers / factor) * factor;
478 }
479 CFRelease(peerList);
480 }
481 ADClientSetValueForScalarKey(CJRAggdNumCircleDevicesKey, num_peers);
482
483 debugState = @"pKOA A";
484 syslog(LOG_ERR, "DepartureReason %d", reason);
485 switch (reason) {
486 case kSOSDiscoveredRetirement:
487 case kSOSLostPrivateKey:
488 case kSOSWithdrewMembership:
489 // Was: SEC_CK_CR_BODY_WITHDREW
490 // "... if you turn off a switch you have some idea why the light is off" - Murf
491 return;
492 break;
493
494 case kSOSNeverAppliedToCircle:
495 // We didn't get kicked out, we were never here. This should only happen if we changed iCloud accounts
496 // (and we had sync on in the previous one, and never had it on in the new one). As this is explicit
497 // user action alot of the "Light switch" argument (above) applies.
498 return;
499 break;
500
501 case kSOSNeverLeftCircle:
502 case kSOSMembershipRevoked:
503 case kSOSLeftUntrustedCircle:
504 default:
505 header = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_PWD_REQUIRED_TITLE);
506 message = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_PWD_REQUIRED_BODY_IOS);
507 break;
508 }
509
510 if (CPIsInternalDevice()) {
511 static const char *departureReasonStrings[] = {
512 "kSOSDepartureReasonError",
513 "kSOSNeverLeftCircle",
514 "kSOSWithdrewMembership",
515 "kSOSMembershipRevoked",
516 "kSOSLeftUntrustedCircle",
517 "kSOSNeverAppliedToCircle",
518 "kSOSDiscoveredRetirement",
519 "kSOSLostPrivateKey",
520 "unknown reason"
521 };
522 int idx = (kSOSDepartureReasonError <= reason && reason <= kSOSLostPrivateKey) ? reason : (kSOSLostPrivateKey + 1);
523 NSString *reason_str = [NSString stringWithFormat:(__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CR_REASON_INTERNAL),
524 departureReasonStrings[idx]];
525 message = [message stringByAppendingString: reason_str];
526 }
527
528 NSDictionary *kickedAttributes = @{
529 (id) kCFUserNotificationAlertHeaderKey : header,
530 (id) kCFUserNotificationAlertMessageKey : message,
531 (id) kCFUserNotificationDefaultButtonTitleKey : (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CONTINUE),
532 (id) kCFUserNotificationAlternateButtonTitleKey: (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_NOT_NOW),
533 (id) kCFUserNotificationAlertTopMostKey : @YES,
534 (__bridge id) SBUserNotificationDismissOnLock : @NO,
535 (__bridge id) SBUserNotificationDontDismissOnUnlock : @YES,
536 (__bridge id) SBUserNotificationOneButtonPerLine : @YES,
537 };
538 SInt32 err = 0;
539
540 if (currentAlertIsForKickOut) {
541 debugState = @"pKOA B";
542 NSLog(@"Updating existing alert %@ with %@", currentAlert, kickedAttributes);
543 CFUserNotificationUpdate(currentAlert, 0, kCFUserNotificationPlainAlertLevel, (__bridge CFDictionaryRef) kickedAttributes);
544 } else {
545 debugState = @"pKOA C";
546
547 CFUserNotificationRef note = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef) kickedAttributes);
548 assert((note == NULL) == (err != 0));
549 if (err) {
550 NSLog(@"Can't make kicked out notification err=%x", (int)err);
551 } else {
552 currentAlertIsForApplicants = false;
553 currentAlertIsForKickOut = true;
554
555 currentAlert = note;
556 NSLog(@"New ko alert %@ a=%@", currentAlert, kickedAttributes);
557 currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, kickOutChoice, 0);
558 CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode);
559 int backupStateChangeToken;
560 notify_register_dispatch("com.apple.EscrowSecurityAlert.reset", &backupStateChangeToken, dispatch_get_main_queue(), ^(int token) {
561 if (currentAlert == note) {
562 NSLog(@"Backup state might have changed (dS=%@)", debugState);
563 postKickedOutAlert(reason);
564 } else {
565 NSLog(@"Backup state may have changed, but we don't care anymore (dS=%@)", debugState);
566 }
567 });
568 debugState = @"pKOA D";
569 CFRunLoopRun();
570 debugState = @"pKOA E";
571 notify_cancel(backupStateChangeToken);
572 }
573 }
574 debugState = @"pKOA Z";
575 }
576
577
578 static bool processEvents()
579 {
580 debugState = @"processEvents A";
581
582 CFErrorRef error = NULL;
583 CFErrorRef departError = NULL;
584 SOSCCStatus circleStatus = SOSCCThisDeviceIsInCircle(&error);
585 NSDate *nowish = [NSDate date];
586 PersistentState *state = [PersistentState loadFromStorage];
587 enum DepartureReason departureReason = SOSCCGetLastDepartureReason(&departError);
588 NSLog(@"CircleStatus %d -> %d{%d} (s=%p)", state.lastCircleStatus, circleStatus, departureReason, state);
589
590
591 // Pending application reminder
592 NSTimeInterval timeUntilApplicationAlert = [state.pendingApplicationReminder timeIntervalSinceDate:nowish];
593 NSLog(@"Time until pendingApplicationReminder (%@) %f", [state.pendingApplicationReminder debugDescription], timeUntilApplicationAlert);
594 if (circleStatus == kSOSCCRequestPending) {
595 if (timeUntilApplicationAlert <= 0) {
596 debugState = @"reminderAlert";
597 postApplicationReminderAlert(nowish, state, state.pendingApplicationReminderAlertInterval);
598 } else {
599 scheduleActivity(ceil(timeUntilApplicationAlert));
600 }
601 }
602
603
604 // No longer in circle?
605 if ((state.lastCircleStatus == kSOSCCInCircle && (circleStatus == kSOSCCNotInCircle || circleStatus == kSOSCCCircleAbsent)) ||
606 (state.lastCircleStatus == kSOSCCCircleAbsent && circleStatus == kSOSCCNotInCircle && state.absentCircleWithNoReason) ||
607 state.debugShowLeftReason) {
608 // Used to be in the circle, now we aren't - tell the user why
609 debugState = @"processEvents B";
610
611 if (state.debugShowLeftReason) {
612 NSLog(@"debugShowLeftReason: %@", state.debugShowLeftReason);
613 departureReason = [state.debugShowLeftReason intValue];
614 state.debugShowLeftReason = nil;
615 CFReleaseNull(departError);
616 [state writeToStorage];
617 }
618
619 if (departureReason != kSOSDepartureReasonError) {
620 state.absentCircleWithNoReason = (circleStatus == kSOSCCCircleAbsent && departureReason == kSOSNeverLeftCircle);
621 NSLog(@"Depature reason %d", departureReason);
622 postKickedOutAlert(departureReason);
623 NSLog(@"pKOA returned (cS %d lCS %d)", circleStatus, state.lastCircleStatus);
624 } else {
625 NSLog(@"Couldn't get last departure reason: %@", departError);
626 }
627 }
628
629
630 // Circle applications: pending request(s) started / completed
631 debugState = @"processEvents C";
632 if (circleStatus != state.lastCircleStatus) {
633 SOSCCStatus lastCircleStatus = state.lastCircleStatus;
634 state.lastCircleStatus = circleStatus;
635
636 if (lastCircleStatus != kSOSCCRequestPending && circleStatus == kSOSCCRequestPending) {
637 NSLog(@"Pending request started");
638 state.applicationDate = nowish;
639 state.pendingApplicationReminder = [nowish dateByAddingTimeInterval: state.pendingApplicationReminderAlertInterval];
640 scheduleActivity(state.pendingApplicationReminderAlertInterval);
641 }
642 if (lastCircleStatus == kSOSCCRequestPending && circleStatus != kSOSCCRequestPending) {
643 NSLog(@"Pending request completed");
644 state.applicationDate = [NSDate distantPast];
645 state.pendingApplicationReminder = [NSDate distantFuture];
646 }
647
648 [state writeToStorage];
649 }
650
651 if (circleStatus != kSOSCCInCircle) {
652 if (circleStatus == kSOSCCRequestPending && currentAlert) {
653 int notifyToken = 0;
654 CFUserNotificationRef postedAlert = currentAlert;
655
656 debugState = @"processEvents D1";
657 notify_register_dispatch(kSOSCCCircleChangedNotification, &notifyToken, dispatch_get_main_queue(), ^(int token) {
658 if (postedAlert != currentAlert) {
659 NSLog(@"-- CC after original alert gone (currentAlertIsForApplicants %d, pA %p, cA %p -- %@)",
660 currentAlertIsForApplicants, postedAlert, currentAlert, currentAlert);
661 notify_cancel(token);
662 } else {
663 CFErrorRef localError = NULL;
664 SOSCCStatus newCircleStatus = SOSCCThisDeviceIsInCircle(&localError);
665 if (newCircleStatus != kSOSCCRequestPending) {
666 if (newCircleStatus == kSOSCCError)
667 NSLog(@"No longer pending (nCS=%d, alert=%@) error: %@", newCircleStatus, currentAlert, localError);
668 else
669 NSLog(@"No longer pending (nCS=%d, alert=%@)", newCircleStatus, currentAlert);
670 cancelCurrentAlert(true);
671 } else {
672 NSLog(@"Still pending...");
673 }
674 CFReleaseNull(localError);
675 }
676 });
677 debugState = @"processEvents D2";
678 NSLog(@"NOTE: currentAlertIsForApplicants %d, token %d", currentAlertIsForApplicants, notifyToken);
679 CFRunLoopRun();
680 return true;
681 }
682 debugState = @"processEvents D4";
683 NSLog(@"SOSCCThisDeviceIsInCircle status %d, not checking applicants", circleStatus);
684 return false;
685 }
686
687
688 // Applicants
689 debugState = @"processEvents E";
690 applicants = [NSMutableDictionary new];
691 for (id applicantInfo in (__bridge_transfer NSArray *) SOSCCCopyApplicantPeerInfo(&error)) {
692 Applicant *applicant = [[Applicant alloc] initWithPeerInfo:(__bridge SOSPeerInfoRef) applicantInfo];
693 applicants[applicant.idString] = applicant;
694 }
695
696 // Log error from SOSCCCopyApplicantPeerInfo() above?
697 CFReleaseNull(error);
698
699 int notify_token = -42;
700 debugState = @"processEvents F";
701 int notify_register_status = notify_register_dispatch(kSOSCCCircleChangedNotification, &notify_token, dispatch_get_main_queue(), ^(int token) {
702 NSLog(@"Notified: %s", kSOSCCCircleChangedNotification);
703 CFErrorRef circleStatusError = NULL;
704
705 bool needsUpdate = false;
706 CFErrorRef copyPeerError = NULL;
707 NSMutableSet *newIds = [NSMutableSet new];
708 for (id applicantInfo in (__bridge_transfer NSArray *) SOSCCCopyApplicantPeerInfo(&copyPeerError)) {
709 Applicant *newApplicant = [[Applicant alloc] initWithPeerInfo:(__bridge SOSPeerInfoRef) applicantInfo];
710 [newIds addObject:newApplicant.idString];
711 Applicant *existingApplicant = applicants[newApplicant.idString];
712 if (existingApplicant) {
713 switch (existingApplicant.applicantUIState) {
714 case ApplicantWaiting:
715 applicants[newApplicant.idString] = newApplicant;
716 break;
717
718 case ApplicantOnScreen:
719 newApplicant.applicantUIState = ApplicantOnScreen;
720 applicants[newApplicant.idString] = newApplicant;
721 break;
722
723 default:
724 NSLog(@"Update to %@ >> %@ with pending order, should work out ok though", existingApplicant, newApplicant);
725 break;
726 }
727 } else {
728 needsUpdate = true;
729 applicants[newApplicant.idString] = newApplicant;
730 }
731 }
732 if (copyPeerError) {
733 NSLog(@"Could not update peer info array: %@", copyPeerError);
734 CFRelease(copyPeerError);
735 return;
736 }
737
738 NSMutableArray *idsToRemoveFromApplicants = [NSMutableArray new];
739 for (NSString *exisitngId in [applicants keyEnumerator]) {
740 if (![newIds containsObject:exisitngId]) {
741 [idsToRemoveFromApplicants addObject:exisitngId];
742 needsUpdate = true;
743 }
744 }
745 [applicants removeObjectsForKeys:idsToRemoveFromApplicants];
746
747 if (newIds.count == 0) {
748 NSLog(@"All applicants were handled elsewhere");
749 cancelCurrentAlert(true);
750 }
751 SOSCCStatus currentCircleStatus = SOSCCThisDeviceIsInCircle(&circleStatusError);
752 if (kSOSCCInCircle != currentCircleStatus) {
753 NSLog(@"Left circle (%d), not handling remaining %lu applicants", currentCircleStatus, (unsigned long)newIds.count);
754 cancelCurrentAlert(true);
755 }
756 if (needsUpdate) {
757 askAboutAll(false);
758 } else {
759 NSLog(@"needsUpdate false, not updating alert");
760 }
761 // Log circleStatusError?
762 CFReleaseNull(circleStatusError);
763 });
764 NSLog(@"ACC token %d, status %d", notify_token, notify_register_status);
765 debugState = @"processEvents F2";
766
767 if (applicants.count == 0) {
768 NSLog(@"No applicants");
769 } else {
770 debugState = @"processEvents F3";
771 askAboutAll(false);
772 debugState = @"processEvents F4";
773 if (currentAlert) {
774 debugState = @"processEvents F5";
775 CFRunLoopRun();
776 }
777 }
778
779 debugState = @"processEvents F6";
780 notify_cancel(notify_token);
781 debugState = @"processEvents DONE";
782
783 return false;
784 }
785
786
787 int main (int argc, const char * argv[]) {
788 xpc_transaction_begin();
789
790 @autoreleasepool {
791 // NOTE: DISPATCH_QUEUE_PRIORITY_LOW will not actually manage to drain events in a lot of cases (like circleStatus != kSOSCCInCircle)
792 xpc_set_event_stream_handler("com.apple.notifyd.matching", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(xpc_object_t object) {
793 char *event_description = xpc_copy_description(object);
794 NSLog(@"notifyd event: %s\nAlert (%p) %s %s\ndebugState: %@", event_description, currentAlert,
795 currentAlertIsForApplicants ? "for applicants" : "!applicants",
796 currentAlertIsForKickOut ? "KO" : "!KO", debugState);
797 free(event_description);
798 });
799
800 xpc_activity_register(kLaunchLaterXPCName, XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) {
801 });
802
803 int falseInARow = 0;
804 while (falseInARow < 2) {
805 if (processEvents()) {
806 falseInARow = 0;
807 } else {
808 falseInARow++;
809 }
810 cancelCurrentAlert(false);
811 if (doOnceInMainBlockChain) {
812 doOnceInMainBlockChain();
813 doOnceInMainBlockChain = NULL;
814 }
815 }
816 }
817
818 NSLog(@"Done");
819 xpc_transaction_end();
820 return(0);
821 }
mirror of Security