SOSCCAuthPlugin/SOSCCAuthPlugin.m

   1 //
   2 //  SOSCCAuthPlugin.m
   3 //  Security
   4 //
   5 //  Created by Christian Schmidt on 7/8/15.
   6 //  Copyright 2015 Apple, Inc. All rights reserved.
   7 //
   8
   9 #import "SOSCCAuthPlugin.h"
  10 #import <Foundation/Foundation.h>
  11 #import <Accounts/Accounts.h>
  12 #import <Accounts/Accounts_Private.h>
  13 #import <AccountsDaemon/ACDAccountStore.h>
  14 #import <AppleAccount/ACAccount+AppleAccount.h>
  15 #import <AppleAccount/ACAccountStore+AppleAccount.h>
  16 #import <AuthKit/AuthKit.h>
  17 #import <AuthKit/AuthKit_Private.h>
  18 #import <SoftLinking/SoftLinking.h>
  19 #import <Security/SecureObjectSync/SOSCloudCircle.h>
  20 #import "utilities/SecCFRelease.h"
  21 #import "utilities/debugging.h"
  22
  23
  24 #if !TARGET_OS_SIMULATOR
  25 SOFT_LINK_FRAMEWORK(PrivateFrameworks, AuthKit);
  26
  27 #pragma clang diagnostic push
  28 #pragma clang diagnostic ignored "-Wstrict-prototypes"
  29 SOFT_LINK_CLASS(AuthKit, AKAccountManager);
  30 #pragma clang diagnostic pop
  31 #endif
  32
  33 @implementation SOSCCAuthPlugin
  34
  35 static bool accountIsHSA2(ACAccount *account) {
  36     bool hsa2 = false;
  37
  38 #if !TARGET_OS_SIMULATOR
  39     AKAccountManager *manager = [getAKAccountManagerClass() sharedInstance];
  40     if(manager != nil) {
  41         ACAccount *aka = [manager authKitAccountWithAltDSID:account.aa_altDSID];
  42         if (aka) {
  43             AKAppleIDSecurityLevel securityLevel = [manager securityLevelForAccount: aka];
  44             if(securityLevel == AKAppleIDSecurityLevelHSA2) {
  45                 hsa2 = true;
  46             }
  47         }
  48     }
  49 #endif
  50     secnotice("accounts", "Account %s HSA2", (hsa2) ? "is": "isn't" );
  51     return hsa2;
  52 }
  53
  54 - (void) didReceiveAuthenticationResponseParameters: (NSDictionary *) parameters
  55                                                                            accountStore: (ACDAccountStore *) store
  56                                                                                         account: (ACAccount *) account
  57                                                                                  completion: (dispatch_block_t) completion
  58 {
  59         BOOL    do_auth = NO;
  60     NSString* accountIdentifier = account.identifier; // strong reference
  61         secinfo("accounts", "parameters %@", parameters);
  62         secinfo("accounts", "account %@", account);
  63
  64         if ([account.accountType.identifier isEqualToString:ACAccountTypeIdentifierIdentityServices]) {
  65                 ACAccount *icloud = [store aa_primaryAppleAccount];
  66                 NSString  *dsid   = [parameters[@"com.apple.private.ids"][@"service-data"][@"profile-id"] substringFromIndex:2];        // remove "D:" prefix
  67                 secinfo("accounts", "IDS account: iCloud %@ (personID %@)", icloud, icloud.aa_personID);
  68                 do_auth = icloud && icloud.aa_personID && [icloud.aa_personID isEqualToString:dsid];
  69         } else if ([account.accountType.identifier isEqualToString:ACAccountTypeIdentifierAppleAccount]) {
  70         do_auth = [account aa_isAccountClass:AAAccountClassPrimary];
  71         secinfo("accounts", "AppleID account: primary %@", @(do_auth));
  72         }
  73
  74     if(do_auth && !accountIsHSA2(account)) {
  75                 NSString        *rawPassword = [account _aa_rawPassword];
  76
  77                 if (rawPassword != NULL) {
  78             dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
  79                 CFErrorRef asyncError = NULL;
  80                 NSString *dsid = [account aa_personID];
  81                 const char *password   = [rawPassword cStringUsingEncoding:NSUTF8StringEncoding];
  82                 CFDataRef passwordData = CFDataCreate(kCFAllocatorDefault, (const uint8_t *) password, strlen(password));
  83
  84                 if (passwordData) {
  85                     secinfo("accounts", "Performing async SOS circle credential set for account %@: %@", accountIdentifier, account.username);
  86
  87                     if (!SOSCCSetUserCredentialsAndDSID((__bridge CFStringRef) account.username, passwordData, (__bridge CFStringRef) dsid, &asyncError)) {
  88                         secerror("Unable to set SOS circle credentials for account %@: %@", accountIdentifier, asyncError);
  89                         secinfo("accounts", "Returning from failed async call to SOSCCSetUserCredentialsAndDSID");
  90                         CFReleaseNull(asyncError);
  91                     } else {
  92                         secinfo("accounts", "Returning from successful async call to SOSCCSetUserCredentialsAndDSID");
  93                     }
  94                     CFRelease(passwordData);
  95                 } else {
  96                     secinfo("accounts", "Failed to create string for call to SOSCCSetUserCredentialsAndDSID");
  97                 }
  98             });
  99                 } else {
 100             CFErrorRef    authError    = NULL;
 101                         if (!SOSCCCanAuthenticate(&authError)) {
 102                                 secerror("Account %@ did not present a password and we could not authenticate the SOS circle: %@", accountIdentifier, authError);
 103                                 CFReleaseNull(authError);
 104                         }
 105                 }
 106         } else {
 107                 secinfo("accounts", "NOT performing SOS circle credential set for account %@: %@", accountIdentifier, account.username);
 108         }
 109
 110         completion();
 111 }
 112
 113 @end