2 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
24 #include <AssertMacros.h>
26 #import <Foundation/Foundation.h>
28 #import "CKKSKeychainView.h"
30 #include <Security/SecItemPriv.h>
32 #include <utilities/SecDb.h>
33 #include <securityd/SecDbItem.h>
34 #include <securityd/SecItemSchema.h>
38 #import <CloudKit/CloudKit.h>
39 #import "CKKSOutgoingQueueEntry.h"
40 #import "CKKSItemEncrypter.h"
42 #import "keychain/ckks/CloudKitCategories.h"
43 #import "keychain/categories/NSError+UsefulConstructors.h"
46 @implementation CKKSOutgoingQueueEntry
48 - (NSString*)description {
49 return [NSString stringWithFormat: @"<%@(%@): %@ %@ (%@)>",
50 NSStringFromClass([self class]),
51 self.item.zoneID.zoneName,
57 - (instancetype) initWithCKKSItem:(CKKSItem*) item
58 action: (NSString*) action
59 state: (NSString*) state
60 waitUntil: (NSDate*) waitUntil
61 accessGroup: (NSString*) accessgroup
63 if((self = [super init])) {
67 _accessgroup = accessgroup;
68 _waitUntil = waitUntil;
74 - (BOOL)isEqual: (id) object {
75 if(![object isKindOfClass:[CKKSOutgoingQueueEntry class]]) {
79 CKKSOutgoingQueueEntry* obj = (CKKSOutgoingQueueEntry*) object;
81 return ([self.item isEqual: obj.item] &&
82 [self.action isEqual: obj.action] &&
83 [self.state isEqual: obj.state] &&
84 ((self.waitUntil == nil && obj.waitUntil == nil) || (fabs([self.waitUntil timeIntervalSinceDate: obj.waitUntil]) < 1)) &&
85 [self.accessgroup isEqual: obj.accessgroup] &&
89 + (instancetype)withItem:(SecDbItemRef)item action:(NSString*)action ckks:(CKKSKeychainView*)ckks error: (NSError * __autoreleasing *) error {
90 CFErrorRef cferror = NULL;
93 NSString* accessgroup = nil;
95 NSInteger newGenerationCount = -1;
97 NSMutableDictionary* objd = nil;
99 NSError* keyError = nil;
100 key = [ckks keyForItem:item error:&keyError];
101 if(!key || keyError) {
102 NSError* localerror = [NSError errorWithDomain:CKKSErrorDomain code:keyError.code description:@"No key for item" underlying:keyError];
103 ckkserror("ckksitem", ckks, "no key for item: %@ %@", localerror, item);
110 objd = (__bridge_transfer NSMutableDictionary*) SecDbItemCopyPListWithMask(item, kSecDbSyncFlag, &cferror);
112 NSError* localerror = [NSError errorWithDomain:CKKSErrorDomain code:CFErrorGetCode(cferror) description:@"Couldn't create object plist" underlying:(__bridge_transfer NSError*)cferror];
113 ckkserror("ckksitem", ckks, "no plist: %@ %@", localerror, item);
120 // Object classes aren't in the item plist, set them specifically
121 [objd setObject: (__bridge NSString*) item->class->name forKey: (__bridge NSString*) kSecClass];
123 uuid = (__bridge_transfer NSString*) CFRetainSafe(SecDbItemGetValue(item, &v10itemuuid, &cferror));
124 if(!uuid || cferror) {
125 NSError* localerror = [NSError errorWithDomain:CKKSErrorDomain code:CKKSNoUUIDOnItem description:@"No UUID for item" underlying:(__bridge_transfer NSError*)cferror];
126 ckkserror("ckksitem", ckks, "No UUID for item: %@ %@", localerror, item);
132 if([uuid isKindOfClass:[NSNull class]]) {
133 NSError* localerror = [NSError errorWithDomain:CKKSErrorDomain code:CKKSNoUUIDOnItem description:@"UUID not found in object" underlying:nil];
134 ckkserror("ckksitem", ckks, "couldn't fetch UUID: %@ %@", localerror, item);
141 accessgroup = (__bridge_transfer NSString*) CFRetainSafe(SecDbItemGetValue(item, &v6agrp, &cferror));
142 if(!accessgroup || cferror) {
143 NSError* localerror = [NSError errorWithDomain:CKKSErrorDomain code:CFErrorGetCode(cferror) description:@"accessgroup not found in object" underlying:(__bridge_transfer NSError*)cferror];
144 ckkserror("ckksitem", ckks, "couldn't fetch access group from item: %@ %@", localerror, item);
150 if([accessgroup isKindOfClass:[NSNull class]]) {
151 // That's okay; this is only used for rate limiting.
152 ckkserror("ckksitem", ckks, "couldn't fetch accessgroup: %@", item);
153 accessgroup = @"no-group";
156 CKKSMirrorEntry* ckme = [CKKSMirrorEntry tryFromDatabase:uuid zoneID:ckks.zoneID error:error];
158 // The action this change should be depends on any existing pending action, if any
159 // Particularly, we need to coalesce (existing action, new action) to:
160 // (add, modify) => add
161 // (add, delete) => no-op
162 // (delete, add) => modify
163 NSString* actualAction = action;
165 CKKSOutgoingQueueEntry* existingOQE = [CKKSOutgoingQueueEntry tryFromDatabase:uuid state:SecCKKSStateNew zoneID:ckks.zoneID error:error];
167 if([existingOQE.action isEqual: SecCKKSActionAdd]) {
168 if([action isEqual:SecCKKSActionModify]) {
169 actualAction = SecCKKSActionAdd;
170 } else if([action isEqual:SecCKKSActionDelete]) {
171 // we're deleting an add. If there's a ckme, keep as a delete
173 // Otherwise, remove from outgoingqueue and don't make a new OQE.
174 [existingOQE deleteFromDatabase:error];
180 if([existingOQE.action isEqual: SecCKKSActionDelete] && [action isEqual:SecCKKSActionAdd]) {
181 actualAction = SecCKKSActionModify;
185 newGenerationCount = ckme ? ckme.item.generationCount : (NSInteger) 0; // TODO: this is wrong
187 // Pull out any unencrypted fields
188 NSNumber* pcsServiceIdentifier = objd[(id)kSecAttrPCSPlaintextServiceIdentifier];
189 objd[(id)kSecAttrPCSPlaintextServiceIdentifier] = nil;
191 NSData* pcsPublicKey = objd[(id)kSecAttrPCSPlaintextPublicKey];
192 objd[(id)kSecAttrPCSPlaintextPublicKey] = nil;
194 NSData* pcsPublicIdentity = objd[(id)kSecAttrPCSPlaintextPublicIdentity];
195 objd[(id)kSecAttrPCSPlaintextPublicIdentity] = nil;
197 CKKSItem* baseitem = [[CKKSItem alloc] initWithUUID:uuid
198 parentKeyUUID:key.uuid
203 generationCount:newGenerationCount
204 encver:currentCKKSItemEncryptionVersion
205 plaintextPCSServiceIdentifier:pcsServiceIdentifier
206 plaintextPCSPublicKey:pcsPublicKey
207 plaintextPCSPublicIdentity:pcsPublicIdentity];
210 NSError* localerror = [NSError errorWithDomain:CKKSErrorDomain code:CKKSItemCreationFailure description:@"Couldn't create an item" underlying:nil];
211 ckkserror("ckksitem", ckks, "couldn't create an item: %@ %@", localerror, item);
218 NSError* encryptionError = nil;
219 CKKSItem* encryptedItem = [CKKSItemEncrypter encryptCKKSItem:baseitem
221 updatingCKKSItem:ckme.item
223 error:&encryptionError];
225 if(!encryptedItem || encryptionError) {
226 NSError* localerror = [NSError errorWithDomain:CKKSErrorDomain code:encryptionError.code description:@"Couldn't encrypt item" underlying:encryptionError];
227 ckkserror("ckksitem", ckks, "couldn't encrypt item: %@ %@", localerror, item);
234 return [[CKKSOutgoingQueueEntry alloc] initWithCKKSItem:encryptedItem
236 state:SecCKKSStateNew
238 accessGroup:accessgroup];
241 #pragma mark - Property access to underlying CKKSItem
244 return self.item.uuid;
247 -(void)setUuid:(NSString *)uuid {
248 self.item.uuid = uuid;
251 #pragma mark - Database Operations
253 + (instancetype) fromDatabase: (NSString*) uuid state: (NSString*) state zoneID:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error {
254 return [self fromDatabaseWhere: @{@"UUID": CKKSNilToNSNull(uuid), @"state": CKKSNilToNSNull(state), @"ckzone":CKKSNilToNSNull(zoneID.zoneName)} error: error];
257 + (instancetype) tryFromDatabase: (NSString*) uuid zoneID:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error {
258 return [self tryFromDatabaseWhere: @{@"UUID": CKKSNilToNSNull(uuid), @"ckzone":CKKSNilToNSNull(zoneID.zoneName)} error: error];
261 + (instancetype) tryFromDatabase: (NSString*) uuid state: (NSString*) state zoneID:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error {
262 return [self tryFromDatabaseWhere: @{@"UUID": CKKSNilToNSNull(uuid), @"state":CKKSNilToNSNull(state), @"ckzone":CKKSNilToNSNull(zoneID.zoneName)} error: error];
265 + (NSArray<CKKSOutgoingQueueEntry*>*) fetch:(ssize_t) n state: (NSString*) state zoneID:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error {
266 return [self fetch:n where: @{@"state":CKKSNilToNSNull(state), @"ckzone":CKKSNilToNSNull(zoneID.zoneName)} error:error];
269 + (NSArray<CKKSOutgoingQueueEntry*>*) allInState: (NSString*) state zoneID:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error {
270 return [self allWhere: @{@"state":CKKSNilToNSNull(state), @"ckzone":CKKSNilToNSNull(zoneID.zoneName)} error:error];
274 #pragma mark - CKKSSQLDatabaseObject methods
276 + (NSString*)sqlTable {
277 return @"outgoingqueue";
280 + (NSArray<NSString*>*)sqlColumns {
281 return [[CKKSItem sqlColumns] arrayByAddingObjectsFromArray: @[@"action", @"state", @"waituntil", @"accessgroup"]];
284 - (NSDictionary<NSString*,NSString*>*)whereClauseToFindSelf {
285 return @{@"UUID": self.uuid, @"state": self.state, @"ckzone":self.item.zoneID.zoneName};
288 - (NSDictionary<NSString*,NSString*>*)sqlValues {
289 NSISO8601DateFormatter* dateFormat = [[NSISO8601DateFormatter alloc] init];
291 NSMutableDictionary* values = [[self.item sqlValues] mutableCopy];
292 values[@"action"] = self.action;
293 values[@"state"] = self.state;
294 values[@"waituntil"] = CKKSNilToNSNull(self.waitUntil ? [dateFormat stringFromDate: self.waitUntil] : nil);
295 values[@"accessgroup"] = self.accessgroup;
301 + (instancetype)fromDatabaseRow:(NSDictionary<NSString *, CKKSSQLResult*>*) row {
302 return [[CKKSOutgoingQueueEntry alloc] initWithCKKSItem:[CKKSItem fromDatabaseRow: row]
303 action:row[@"action"].asString
304 state:row[@"state"].asString
305 waitUntil:row[@"waituntil"].asISO8601Date
306 accessGroup:row[@"accessgroup"].asString];
309 + (NSDictionary<NSString*,NSNumber*>*)countsByStateInZone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error {
310 NSMutableDictionary* results = [[NSMutableDictionary alloc] init];
312 [CKKSSQLDatabaseObject queryDatabaseTable: [[self class] sqlTable]
313 where: @{@"ckzone": CKKSNilToNSNull(zoneID.zoneName)}
314 columns: @[@"state", @"count(rowid)"]
318 processRow: ^(NSDictionary<NSString*, CKKSSQLResult*>* row) {
319 results[row[@"state"].asString] = row[@"count(rowid)"].asNSNumberInteger;
325 + (NSInteger)countByState:(CKKSItemState *)state zone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error {
326 __block NSInteger result = -1;
328 [CKKSSQLDatabaseObject queryDatabaseTable: [[self class] sqlTable]
329 where: @{@"ckzone": CKKSNilToNSNull(zoneID.zoneName), @"state": state }
330 columns: @[@"count(*)"]
334 processRow: ^(NSDictionary<NSString*, CKKSSQLResult*>* row) {
335 result = row[@"count(*)"].asNSInteger;