keychain/ckks/tests/CKKSManifestTests.m

   1 /*
   2  * Copyright (c) 2017 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #if OCTAGON
  25
  26 #import "CKKSTests.h"
  27 #import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h"
  28 #import "keychain/ckks/CKKSManifest.h"
  29 #import "keychain/ckks/CKKSMirrorEntry.h"
  30 #import "keychain/ckks/CKKSViewManager.h"
  31 #import "keychain/ckks/CKKSCurrentItemPointer.h"
  32 #import <Security/SecEntitlements.h>
  33 #include <ipc/server_security_helpers.h>
  34 #import <SecurityFoundation/SFKey.h>
  35 #import <Foundation/Foundation.h>
  36 #import <XCTest/XCTest.h>
  37 #import <OCMock/OCMock.h>
  38
  39 @interface CKKSManifestTests : CloudKitKeychainSyncingTestsBase {
  40     BOOL _manifestIsSetup;
  41     CKKSEgoManifest* _egoManifest;
  42     id _manifestMock;
  43     id _fakeSigner1Mock;
  44 }
  45
  46 @end
  47
  48 @implementation CKKSManifestTests
  49
  50 - (NSArray*)mirrorItemsForExistingItems
  51 {
  52     NSArray<CKRecord*>* records = [self.keychainZone.currentDatabase.allValues filteredArrayUsingPredicate: [NSPredicate predicateWithFormat:@"self.recordType like %@", SecCKRecordItemType]];
  53     NSMutableArray* items = [[NSMutableArray alloc] init];
  54     __weak __typeof(self) weakSelf = self;
  55     __block NSError* error = nil;
  56     [self.keychainView dispatchSyncWithSQLTransaction:^CKKSDatabaseTransactionResult{
  57         for (CKRecord* record in records) {
  58             CKKSMirrorEntry* mirrorEntry = [CKKSMirrorEntry tryFromDatabase:record.recordID.recordName zoneID:weakSelf.keychainZoneID error:&error];
  59             XCTAssertNil(error, @"error encountered trying to generate CKKSMirrorEntry: %@", error);
  60             XCTAssertNotNil(mirrorEntry, @"failed to generate mirror entry");
  61             if (mirrorEntry) {
  62                 [items addObject:mirrorEntry.item];
  63             }
  64         }
  65
  66         return CKKSDatabaseTransactionCommit;
  67     }];
  68
  69     return items;
  70 }
  71
  72 - (void)setUp
  73 {
  74     // Lie to our superclass about how the world is
  75     (void)[CKKSManifest shouldSyncManifests]; // initialize.
  76     SecCKKSSetSyncManifests(false);
  77     SecCKKSSetEnforceManifests(false);
  78
  79     [super setUp];
  80
  81     // Should be removed when manifests is turned back on
  82     SFECKeyPair* keyPair = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]];
  83     [CKKSManifestInjectionPointHelper registerEgoPeerID:@"MeMyselfAndI" keyPair:keyPair];
  84
  85     // We've now disabled manifests.
  86     SecCKKSSetSyncManifests(false);
  87     SecCKKSSetEnforceManifests(false);
  88
  89     XCTAssertFalse([CKKSManifest shouldSyncManifests], "Manifests syncing is disabled");
  90     XCTAssertFalse([CKKSManifest shouldEnforceManifests], "Manifests enforcement is disabled");
  91
  92     NSError* error = nil;
  93
  94     [CKKSManifestInjectionPointHelper setIgnoreChanges:NO];
  95
  96     // Test starts with keys in CloudKit (so we can create items later)
  97     [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID];
  98     [self putFakeDeviceStatusInCloudKit:self.keychainZoneID];
  99     [self saveTLKMaterialToKeychain:self.keychainZoneID];
 100
 101     [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID];
 102
 103     [self addGenericPassword:@"data" account:@"first"];
 104     [self addGenericPassword:@"data" account:@"second"];
 105     [self addGenericPassword:@"data" account:@"third"];
 106     [self addGenericPassword:@"data" account:@"fourth"];
 107     NSUInteger passwordCount = 4u;
 108
 109     [self checkGenericPassword:@"data" account:@"first"];
 110     [self checkGenericPassword:@"data" account:@"second"];
 111     [self checkGenericPassword:@"data" account:@"third"];
 112     [self checkGenericPassword:@"data" account:@"fourth"];
 113
 114     [self expectCKModifyItemRecords:passwordCount currentKeyPointerRecords:1 zoneID:self.keychainZoneID];
 115
 116     [self startCKKSSubsystem];
 117     [self.keychainView waitForKeyHierarchyReadiness];
 118
 119     // Wait for uploads to happen
 120     OCMVerifyAllWithDelay(self.mockDatabase, 20);
 121     [self waitForCKModifications];
 122     int tlkshares = 1;
 123     int extraDeviceStates = 1;
 124     XCTAssertEqual(self.keychainZone.currentDatabase.count, SYSTEM_DB_RECORD_COUNT + passwordCount + tlkshares + extraDeviceStates, "Have 6+passwordCount objects in cloudkit");
 125
 126     NSArray* items = [self mirrorItemsForExistingItems];
 127     _egoManifest = [CKKSEgoManifest newManifestForZone:self.keychainZoneID.zoneName withItems:items peerManifestIDs:@[] currentItems:@{} error:&error];
 128     XCTAssertNil(error, @"no error encountered generating ego manifest");
 129     XCTAssertNotNil(_egoManifest, @"generated ego manifest");
 130 }
 131
 132 - (void)tearDown {
 133     _egoManifest = nil;
 134     [super tearDown];
 135 }
 136
 137 - (void)testSaveEgoManifest
 138 {
 139     if (![CKKSManifest shouldSyncManifests]) {
 140         return;
 141     }
 142
 143     NSError* error;
 144     [_egoManifest saveToDatabase:&error];
 145     XCTAssertNil(error, @"error encountered attempting to save ego manifest: %@", error);
 146 }
 147
 148 - (void)testManifestValidatesItems
 149 {
 150     if (![CKKSManifest shouldSyncManifests]) {
 151         return;
 152     }
 153
 154     NSError* error = nil;
 155     for (CKKSItem* mirrorItem in [self mirrorItemsForExistingItems]) {
 156         XCTAssertTrue([_egoManifest validateItem:mirrorItem withError:&error], @"failed to validate item against manifest");
 157         XCTAssertNil(error, @"error generated attempting to validate item against manifest: %@", error);
 158     }
 159 }
 160
 161 - (void)disable32852700testManifestDoesNotValidateUnknownItems
 162 {
 163     [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test.
 164     [self startCKKSSubsystem];
 165
 166     NSArray* knownItems = [self mirrorItemsForExistingItems];
 167     [self addGenericPassword:@"data" account:@"unknown_account"];
 168     [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID];
 169     OCMVerifyAllWithDelay(self.mockDatabase, 20);
 170     [self waitForCKModifications];
 171
 172     NSArray* newItems = [self mirrorItemsForExistingItems];
 173     CKKSItem* unknownItem = nil;
 174     for (CKKSItem* item in newItems) {
 175         BOOL found = NO;
 176         for (CKKSItem* knownItem in knownItems) {
 177             if ([knownItem.CKRecordName isEqualToString:item.CKRecordName]) {
 178                 found = YES;
 179                 break;
 180             }
 181         }
 182
 183         if (!found) {
 184             unknownItem = item;
 185             break;
 186         }
 187     }
 188
 189     NSError* error = nil;
 190     XCTAssertNotNil(_egoManifest, @"have an ego manifest");
 191     XCTAssertFalse([_egoManifest validateItem:unknownItem withError:&error], @"erroneously validated an unknown item against the manifest");
 192     XCTAssertNotNil(error, @"failed to generate error when trying to validate an unknown item against the manifest");
 193 }
 194
 195 - (void)testManifestValidatesCurrentItems
 196 {
 197     NSError* error = nil;
 198     CKKSItem* item = [[self mirrorItemsForExistingItems] firstObject];
 199     [_egoManifest setCurrentItemUUID:item.uuid forIdentifier:@"testCurrentItemIdentifier"];
 200     CKKSCurrentItemPointer* currentItemPointer = [[CKKSCurrentItemPointer alloc] initForIdentifier:@"testCurrentItemIdentifier" currentItemUUID:item.uuid state:SecCKKSProcessedStateLocal zoneID:self.keychainZoneID encodedCKRecord:nil];
 201     XCTAssertTrue([_egoManifest validateCurrentItem:currentItemPointer withError:&error], @"failed to validate current item against manifest");
 202     XCTAssertNil(error, @"error encountered validating current item: %@", error);
 203 }
 204
 205 - (void)testManifestDoesNotValidateUnknownCurrentItems
 206 {
 207     NSError* error = nil;
 208     CKKSItem* item = [[self mirrorItemsForExistingItems] firstObject];
 209     CKKSCurrentItemPointer* currentItemPointer = [[CKKSCurrentItemPointer alloc] initForIdentifier:@"testCurrentItemIdentifier" currentItemUUID:item.uuid state:SecCKKSProcessedStateLocal zoneID:self.keychainZoneID encodedCKRecord:nil];
 210     XCTAssertFalse([_egoManifest validateCurrentItem:currentItemPointer withError:&error], @"erroneously validated an uunknown current item against the manifest");
 211     XCTAssertNotNil(error, @"failed to generate error when trying to validate an unknown item against the manifest %@", error);
 212 }
 213
 214 - (void)testEgoManifestValidates
 215 {
 216     if (![CKKSManifest shouldSyncManifests]) {
 217         return;
 218     }
 219
 220     NSError* error = nil;
 221     XCTAssertTrue([_egoManifest validateWithError:&error], @"failed to validate our own ego manifest");
 222     XCTAssertNil(error, @"error generated attempting to validate ego manifest: %@", error);
 223 }
 224
 225 - (void)testEgoManifestCreatedOnUpload
 226 {
 227     if (![CKKSManifest shouldSyncManifests]) {
 228         return;
 229     }
 230
 231     CKKSEgoManifest* manifest = [CKKSEgoManifest tryCurrentEgoManifestForZone:self.keychainZoneID.zoneName];
 232     XCTAssertNotNil(manifest, @"created some items, but we don't have a current manifest");
 233 }
 234
 235 - (void)disable32852700testGenerationCountIncreaseOnChanges
 236 {
 237     if (![CKKSManifest shouldSyncManifests]) {
 238         return;
 239     }
 240
 241     NSInteger initialManifestGenerationCount = [[CKKSEgoManifest tryCurrentEgoManifestForZone:self.keychainZoneID.zoneName] generationCount];
 242
 243     [self addGenericPassword:@"data" account:@"GenerationCountIncrease"];
 244     [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID];
 245     OCMVerifyAllWithDelay(self.mockDatabase, 20);
 246     [self waitForCKModifications];
 247
 248     NSInteger postUpdateGenerationCount = [[CKKSEgoManifest tryCurrentEgoManifestForZone:self.keychainZoneID.zoneName] generationCount];
 249     XCTAssertGreaterThan(postUpdateGenerationCount, initialManifestGenerationCount, @"the manifest after the update does not have a larger generation count as expected");
 250 }
 251
 252 - (NSDictionary*)receiveOneItemInManifest:(BOOL)inManifest
 253 {
 254     if (!inManifest) {
 255         [CKKSManifestInjectionPointHelper setIgnoreChanges:YES];
 256     }
 257
 258     NSError* error = nil;
 259
 260     NSDictionary *query = @{(id)kSecClass : (id)kSecClassGenericPassword,
 261                             (id)kSecAttrAccessGroup : @"com.apple.security.ckks",
 262                             (id)kSecAttrAccount : @"account-delete-me",
 263                             (id)kSecAttrSynchronizable : (id)kCFBooleanTrue,
 264                             (id)kSecMatchLimit : (id)kSecMatchLimitOne,
 265                             };
 266
 267     CFTypeRef item = NULL;
 268     XCTAssertEqual(errSecItemNotFound, SecItemCopyMatching((__bridge CFDictionaryRef) query, &item), "item should not yet exist");
 269
 270     CKRecord* ckr = [self createFakeRecord:self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85"];
 271
 272     SFECKeyPair* keyPair = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]];
 273     CKKSEgoManifest* manifest = [CKKSEgoManifest newFakeManifestForZone:self.keychainZoneID.zoneName withItemRecords:@[ckr] currentItems:@{} signerID:@"FakeSigner-1" keyPair:keyPair error:&error];
 274     [manifest saveToDatabase:&error];
 275     XCTAssertNil(error, @"error encountered generating fake manifest: %@", error);
 276     XCTAssertNotNil(manifest, @"failed to generate a fake manifest");
 277
 278     [self.keychainZone addToZone:ckr];
 279     for (CKRecord* record in [manifest allCKRecordsWithZoneID:self.keychainZoneID]) {
 280         [self.keychainZone addToZone:record];
 281     }
 282
 283     [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
 284     [self.keychainView waitForFetchAndIncomingQueueProcessing];
 285
 286     return query;
 287 }
 288
 289 // <rdar://problem/35102286> Fix primary keys in ckmanifest sql table
 290 // The ckmanifest table only has a single primary key column, so each new manifest written appears to overwrite older manifests
 291 // This is causing this test to fail, since the local peer overwrites the manifest created by FakeSigner-1.
 292 // Disable this test until manifests come back.
 293 - (void)disable35102286testReceiveManifest
 294 {
 295     if (![CKKSManifest shouldSyncManifests]) {
 296         return;
 297     }
 298
 299     NSError* error = nil;
 300
 301     NSDictionary* itemQuery = [self receiveOneItemInManifest:YES];
 302     CFTypeRef item = NULL;
 303     XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef)itemQuery, &item), "item should exist now");
 304
 305     CKKSManifest* fetchedManifest = [CKKSManifest manifestForZone:self.keychainZoneID.zoneName peerID:@"FakeSigner-1" error:&error];
 306     XCTAssertNil(error, @"error encountered fetching expected manifest from database: %@", error);
 307     XCTAssertNotNil(fetchedManifest, @"failed to fetch manifest expected in database");
 308
 309     CKKSMirrorEntry* fetchedEntry = [CKKSMirrorEntry tryFromDatabase:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.keychainZoneID error:&error];
 310     XCTAssertNil(error, @"error encountered fetching expected item from database: %@", error);
 311     XCTAssertNotNil(fetchedEntry, @"failed to fetch item expected in database");
 312
 313     XCTAssertTrue([fetchedManifest validateWithError:&error], @"failed to validate fetched manifest with error: %@", error);
 314     XCTAssertTrue([fetchedManifest validateItem:fetchedEntry.item withError:&error], @"failed to validate item (%@) against manifest with error: %@", fetchedEntry, error);
 315 }
 316
 317 - (void)testUnauthorizedItemRejected
 318 {
 319     if (![CKKSManifest shouldSyncManifests] || ![CKKSManifest shouldEnforceManifests]) {
 320         return;
 321     }
 322
 323     NSDictionary* itemQuery = [self receiveOneItemInManifest:NO];
 324     CFTypeRef item = NULL;
 325     XCTAssertNotEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef)itemQuery, &item), "item should have been rejected");
 326 }
 327
 328 - (void)testSaveManifestWithNilValues
 329 {
 330     [CKKSSQLDatabaseObject performCKKSTransaction:^CKKSDatabaseTransactionResult {
 331         SFECKeyPair* keyPair = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]];
 332         CKKSManifest* manifest = [CKKSEgoManifest newFakeManifestForZone:@"SomeZone" withItemRecords:@[] currentItems:@{} signerID:@"BadBoy" keyPair:keyPair error:nil];
 333         [manifest nilAllIvars];
 334         XCTAssertNil(manifest.zoneID);
 335         XCTAssertNil(manifest.signerID);
 336         XCTAssertNoThrow([manifest saveToDatabase:nil]);
 337         return CKKSDatabaseTransactionRollback;
 338     }];
 339 }
 340
 341 @end
 342
 343 #endif // OCTAGON