keychain/ot/OTUpdateTPHOperation.m

   1
   2 #if OCTAGON
   3
   4 #import "keychain/TrustedPeersHelper/TrustedPeersHelperProtocol.h"
   5 #import "keychain/ot/categories/OTAccountMetadataClassC+KeychainSupport.h"
   6
   7 #import <CloudKit/CloudKit_Private.h>
   8
   9 #import "keychain/ckks/CloudKitCategories.h"
  10
  11 #import "keychain/ot/ObjCImprovements.h"
  12
  13 #import "keychain/ot/OTCuttlefishAccountStateHolder.h"
  14 #import "keychain/ot/OTOperationDependencies.h"
  15 #import "keychain/ot/OTStates.h"
  16 #import "keychain/ot/OTUpdateTPHOperation.h"
  17
  18 @interface OTUpdateTPHOperation ()
  19 @property OTOperationDependencies* deps;
  20
  21 @property NSOperation* finishedOp;
  22
  23 @property (nullable) OctagonFlag* retryFlag;
  24 @end
  25
  26 @implementation OTUpdateTPHOperation
  27 @synthesize nextState = _nextState;
  28 @synthesize intendedState = _intendedState;
  29
  30 - (instancetype)initWithDependencies:(OTOperationDependencies*)dependencies
  31                        intendedState:(OctagonState*)intendedState
  32                           errorState:(OctagonState*)errorState
  33                            retryFlag:(OctagonFlag* _Nullable)retryFlag
  34 {
  35     if((self = [super init])) {
  36         _deps = dependencies;
  37
  38         _intendedState = intendedState;
  39         _nextState = errorState;
  40
  41         _retryFlag = retryFlag;
  42     }
  43     return self;
  44 }
  45
  46 - (void)groupStart
  47 {
  48     WEAKIFY(self);
  49     self.finishedOp = [NSBlockOperation blockOperationWithBlock:^{
  50         // If we errored in some unknown way, ask to try again!
  51         STRONGIFY(self);
  52
  53         if(self.error) {
  54             if(self.retryFlag == nil) {
  55                 secerror("octagon: Received an error updating TPH, but no retry flag present.");
  56                 return;
  57             }
  58
  59             // Is this a very scary error?
  60             bool fatal = true;
  61
  62             OctagonPendingFlag* pendingFlag = nil;
  63
  64             if([self.deps.lockStateTracker isLockedError:self.error]) {
  65                 secnotice("octagon", "Updating trust state failed because locked, retry once unlocked: %@", self.error);
  66                 self.nextState = OctagonStateWaitForUnlock;
  67                 pendingFlag = [[OctagonPendingFlag alloc] initWithFlag:self.retryFlag
  68                                                             conditions:OctagonPendingConditionsDeviceUnlocked];
  69                 fatal = false;
  70             } else {
  71                 // more CloudKit errors should trigger a retry here
  72                 secnotice("octagon", "Error is currently unknown, aborting: %@", self.error);
  73             }
  74
  75             if(!fatal) {
  76                 if(!pendingFlag) {
  77                     NSTimeInterval baseDelay = SecCKKSTestsEnabled() ? 2 : 30;
  78                     NSTimeInterval ckDelay = CKRetryAfterSecondsForError(self.error);
  79                     NSTimeInterval cuttlefishDelay = [self.error cuttlefishRetryAfter];
  80                     NSTimeInterval delay = MAX(ckDelay, cuttlefishDelay);
  81                     if (delay == 0) {
  82                         delay = baseDelay;
  83                     }
  84
  85                     pendingFlag = [[OctagonPendingFlag alloc] initWithFlag:self.retryFlag
  86                                                             delayInSeconds:delay];
  87                 }
  88                 secnotice("octagon", "Updating trust state no fatal: requesting retry: %@",
  89                           pendingFlag);
  90                 [self.deps.flagHandler handlePendingFlag:pendingFlag];
  91             }
  92         }
  93     }];
  94     [self dependOnBeforeGroupFinished:self.finishedOp];
  95
  96
  97     [self.deps.cuttlefishXPCWrapper updateWithContainer:self.deps.containerName
  98                                                 context:self.deps.contextID
  99                                              deviceName:self.deps.deviceInformationAdapter.deviceName
 100                                            serialNumber:self.deps.deviceInformationAdapter.serialNumber
 101                                               osVersion:self.deps.deviceInformationAdapter.osVersion
 102                                           policyVersion:nil
 103                                           policySecrets:nil
 104                                                   reply:^(TrustedPeersHelperPeerState* peerState, NSError* error) {
 105             STRONGIFY(self);
 106             if(error || !peerState) {
 107                 secerror("octagon: update errored: %@", error);
 108                 self.error = error;
 109
 110                 // On an error, for now, go back to the intended state
 111                 // <rdar://problem/50190005> Octagon: handle lock state errors in update()
 112                 self.nextState = self.intendedState;
 113                 [self runBeforeGroupFinished:self.finishedOp];
 114                 return;
 115             }
 116
 117             secnotice("octagon", "update complete: %@", peerState);
 118
 119             if(peerState.identityIsPreapproved) {
 120                 secnotice("octagon-sos", "Self peer is now preapproved!");
 121                 [self.deps.flagHandler handleFlag:OctagonFlagEgoPeerPreapproved];
 122             }
 123             if (peerState.memberChanges) {
 124                 secnotice("octagon", "Member list changed");
 125                 [self.deps.octagonAdapter sendTrustedPeerSetChangedUpdate];
 126             }
 127
 128             if (peerState.unknownMachineIDsPresent) {
 129                 secnotice("octagon-authkit", "Unknown machine IDs are present; requesting fetch");
 130                 [self.deps.flagHandler handleFlag:OctagonFlagFetchAuthKitMachineIDList];
 131             }
 132
 133             if(peerState.peerStatus & TPPeerStatusExcluded) {
 134                 secnotice("octagon", "Self peer (%@) is excluded; moving to untrusted", peerState.peerID);
 135                 self.nextState = OctagonStateBecomeUntrusted;
 136
 137             } else if(peerState.peerStatus & TPPeerStatusUnknown) {
 138                 secnotice("octagon", "Self peer (%@) is unknown; moving to untrusted", peerState.peerID);
 139                 self.nextState = OctagonStateBecomeUntrusted;
 140
 141             } else {
 142                 self.nextState = self.intendedState;
 143             }
 144
 145             [self runBeforeGroupFinished:self.finishedOp];
 146         }];
 147 }
 148
 149 @end
 150
 151 #endif // OCTAGON