2 * Copyright (c) 2020 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 #import <CloudKit/CloudKit.h>
27 #import <XCTest/XCTest.h>
28 #import <OCMock/OCMock.h>
30 #import <TrustedPeers/TrustedPeers.h>
31 #import <TrustedPeers/TPPBPolicyKeyViewMapping.h>
32 #import <TrustedPeers/TPDictionaryMatchingRules.h>
34 #import "keychain/categories/NSError+UsefulConstructors.h"
35 #import "keychain/ckks/CKKS.h"
36 #import "keychain/ckks/CKKSIncomingQueueEntry.h"
37 #import "keychain/ckks/CKKSOutgoingQueueEntry.h"
38 #import "keychain/ckks/CloudKitCategories.h"
39 #import "keychain/ckks/tests/CKKSTests.h"
40 #import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h"
41 #import "keychain/ckks/tests/CloudKitMockXCTest.h"
42 #import "keychain/ckks/tests/MockCloudKit.h"
44 @interface CloudKitKeychainForwardCompatibilityTests : CloudKitKeychainSyncingTestsBase
45 @property CKRecordZoneID* unknownZoneID;
46 @property CKRecordZoneID* passwordsZoneID;
47 @property CKKSKeychainView* passwordsView;
49 @property TPSyncingPolicy* originalPolicy;
50 @property TPSyncingPolicy* originalPolicyPlusUnknownVwht;
51 @property TPSyncingPolicy* allItemsToPasswordsPolicy;
54 @implementation CloudKitKeychainForwardCompatibilityTests
59 self.passwordsZoneID = [[CKRecordZoneID alloc] initWithZoneName:@"Passwords" ownerName:CKCurrentUserDefaultName];
60 self.unknownZoneID = [[CKRecordZoneID alloc] initWithZoneName:@"unknown-zone" ownerName:CKCurrentUserDefaultName];
62 self.zones[self.passwordsZoneID] = [[FakeCKZone alloc] initZone:self.passwordsZoneID];
64 self.originalPolicy = self.viewSortingPolicyForManagedViewList;
67 NSMutableArray<TPPBPolicyKeyViewMapping*>* newRules = [self.originalPolicy.keyViewMapping mutableCopy];
68 TPPBPolicyKeyViewMapping* unknownVwhtMapping = [[TPPBPolicyKeyViewMapping alloc] init];
69 unknownVwhtMapping.view = self.keychainZoneID.zoneName;
70 unknownVwhtMapping.matchingRule = [TPDictionaryMatchingRule fieldMatch:@"vwht"
71 fieldRegex:[NSString stringWithFormat:@"^%@$", self.unknownZoneID.zoneName]];
72 [newRules insertObject:unknownVwhtMapping atIndex:0];
74 self.originalPolicyPlusUnknownVwht = [[TPSyncingPolicy alloc] initWithModel:@"test-policy"
75 version:[[TPPolicyVersion alloc] initWithVersion:2 hash:@"fake-policy-for-views-with-unknown-view"]
76 viewList:self.originalPolicy.viewList
77 userControllableViews:self.originalPolicy.userControllableViews
78 syncUserControllableViews:self.originalPolicy.syncUserControllableViews
79 viewsToPiggybackTLKs:self.originalPolicy.viewsToPiggybackTLKs
80 keyViewMapping:newRules];
82 TPPBPolicyKeyViewMapping* passwordsVwhtMapping = [[TPPBPolicyKeyViewMapping alloc] init];
83 passwordsVwhtMapping.view = self.passwordsZoneID.zoneName;
84 passwordsVwhtMapping.matchingRule = [TPDictionaryMatchingRule trueMatch];
86 self.allItemsToPasswordsPolicy = [[TPSyncingPolicy alloc] initWithModel:@"test-policy"
87 version:[[TPPolicyVersion alloc] initWithVersion:2 hash:@"fake-policy-for-views-with-passwords-view"]
88 viewList:[NSSet setWithArray:@[self.keychainView.zoneName, self.passwordsZoneID.zoneName]]
89 userControllableViews:self.originalPolicy.userControllableViews
90 syncUserControllableViews:self.originalPolicy.syncUserControllableViews
91 viewsToPiggybackTLKs:self.originalPolicy.viewsToPiggybackTLKs
92 keyViewMapping:@[passwordsVwhtMapping]];
95 - (void)setPolicyAndWaitForQuiescence:(TPSyncingPolicy*)policy policyIsFresh:(BOOL)policyIsFresh {
96 [self.injectedManager setCurrentSyncingPolicy:policy policyIsFresh:policyIsFresh];
97 self.ckksViews = [NSMutableSet setWithArray:[[self.injectedManager views] allValues]];
98 [self beginSOSTrustedOperationForAllViews];
100 // And wait for everything to enter a resting state
101 for(CKKSKeychainView* view in self.ckksViews) {
102 XCTAssertEqual(0, [view.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
103 [view waitForOperationsOfClass:[CKKSIncomingQueueOperation class]];
104 [view waitForOperationsOfClass:[CKKSOutgoingQueueOperation class]];
108 - (void)testReceiveItemForWrongView {
109 self.requestPolicyCheck = OCMClassMock([CKKSNearFutureScheduler class]);
110 OCMExpect([self.requestPolicyCheck trigger]);
112 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
114 [self startCKKSSubsystem];
115 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
117 NSString* wrongZoneAccount = @"wrong-zone";
118 NSDictionary* item = [self fakeRecordDictionary:wrongZoneAccount zoneID:self.unknownZoneID];
119 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.keychainZoneID];
120 CKRecord* ckr = [self newRecord:ckrid withNewItemData:item];
121 [self.keychainZone addToZone:ckr];
123 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
124 [self.keychainView waitForFetchAndIncomingQueueProcessing];
126 [self findGenericPassword:wrongZoneAccount expecting:errSecItemNotFound];
128 OCMVerifyAllWithDelay(self.requestPolicyCheck, 10);
130 NSError* zoneError = nil;
131 NSInteger count = [CKKSIncomingQueueEntry countByState:SecCKKSStateMismatchedView zone:self.keychainView.zoneID error:&zoneError];
132 XCTAssertNil(zoneError, "should be no error counting all IQEs");
133 XCTAssertEqual(count, 1, "Should be one mismatched IQE");
136 - (void)testConflictingItemInWrongView {
137 self.requestPolicyCheck = OCMClassMock([CKKSNearFutureScheduler class]);
138 OCMExpect([self.requestPolicyCheck trigger]);
140 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
141 [self createAndSaveFakeKeyHierarchy:self.passwordsZoneID];
143 [self startCKKSSubsystem];
145 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:NO];
146 self.passwordsView = [self.injectedManager findView:@"Passwords"];
147 XCTAssertNotNil(self.passwordsView, @"Policy created a passwords view");
149 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
150 XCTAssertEqual(0, [self.passwordsView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
152 NSDictionary* item = [self fakeRecordDictionary:@"account-delete-me" zoneID:self.passwordsZoneID];
153 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.passwordsZoneID];
154 CKRecordID* ckr2id = [[CKRecordID alloc] initWithRecordName:@"FFFF8D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.keychainZoneID];
155 CKRecord* ckr = [self newRecord:ckrid withNewItemData:item];
157 NSMutableDictionary* item2 = [item mutableCopy];
158 item2[@"v_Data"] = @"wrongview";
159 CKRecord* ckr2 = [self newRecord:ckr2id withNewItemData:item2];
161 // Receive the passwords item first
162 [self.zones[self.passwordsZoneID] addToZone:ckr];
164 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
165 [self.passwordsView waitForFetchAndIncomingQueueProcessing];
166 [self checkGenericPassword:@"data" account:@"account-delete-me"];
168 [self.zones[self.keychainZoneID] addToZone:ckr2];
169 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
170 [self.keychainView waitForFetchAndIncomingQueueProcessing];
172 // THe view should ask for an update, and receive one
173 OCMVerifyAllWithDelay(self.requestPolicyCheck, 10);
174 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:YES];
176 // And we have ignored the change in the other view
177 [self checkGenericPassword:@"data" account:@"account-delete-me"];
179 OCMVerifyAllWithDelay(self.mockDatabase, 20);
181 // And the item is then deleted
182 [self.zones[self.keychainZoneID] deleteCKRecordIDFromZone:ckr2id];
183 OCMExpect([self.requestPolicyCheck trigger]);
184 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
185 [self.keychainView waitForFetchAndIncomingQueueProcessing];
186 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:YES];
188 // The password should still exist
189 [self checkGenericPassword:@"data" account:@"account-delete-me"];
192 - (void)testConflictingItemInWrongViewWithLowerUUID {
193 self.requestPolicyCheck = OCMClassMock([CKKSNearFutureScheduler class]);
194 OCMExpect([self.requestPolicyCheck trigger]);
196 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
197 [self createAndSaveFakeKeyHierarchy:self.passwordsZoneID];
199 [self startCKKSSubsystem];
201 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:NO];
202 self.passwordsView = [self.injectedManager findView:@"Passwords"];
203 XCTAssertNotNil(self.passwordsView, @"Policy created a passwords view");
205 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
206 XCTAssertEqual(0, [self.passwordsView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
208 NSDictionary* item = [self fakeRecordDictionary:@"account-delete-me" zoneID:self.passwordsZoneID];
209 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.passwordsZoneID];
210 CKRecordID* ckr2id = [[CKRecordID alloc] initWithRecordName:@"00008D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.keychainZoneID];
211 CKRecord* ckr = [self newRecord:ckrid withNewItemData:item];
213 NSMutableDictionary* item2 = [item mutableCopy];
214 item2[@"v_Data"] = @"wrongview";
215 CKRecord* ckr2 = [self newRecord:ckr2id withNewItemData:item2];
217 // Receive the passwords item first
218 [self.zones[self.passwordsZoneID] addToZone:ckr];
220 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
221 [self.passwordsView waitForFetchAndIncomingQueueProcessing];
222 [self checkGenericPassword:@"data" account:@"account-delete-me"];
224 [self.zones[self.keychainZoneID] addToZone:ckr2];
225 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
226 [self.keychainView waitForFetchAndIncomingQueueProcessing];
228 // THe view should ask for an update, and receive one
229 OCMVerifyAllWithDelay(self.requestPolicyCheck, 10);
230 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:YES];
232 OCMVerifyAllWithDelay(self.mockDatabase, 20);
233 [self checkGenericPassword:@"data" account:@"account-delete-me"];
235 // And the item is then deleted
236 [self.zones[self.keychainZoneID] deleteCKRecordIDFromZone:ckr2id];
237 OCMExpect([self.requestPolicyCheck trigger]);
238 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
239 [self.keychainView waitForFetchAndIncomingQueueProcessing];
240 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:YES];
242 // The password should still exist
243 [self checkGenericPassword:@"data" account:@"account-delete-me"];
246 - (void)testConflictingItemInWrongViewWithSameUUID {
247 self.requestPolicyCheck = OCMClassMock([CKKSNearFutureScheduler class]);
248 OCMExpect([self.requestPolicyCheck trigger]);
250 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
251 [self createAndSaveFakeKeyHierarchy:self.passwordsZoneID];
253 [self startCKKSSubsystem];
255 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:NO];
256 self.passwordsView = [self.injectedManager findView:@"Passwords"];
257 XCTAssertNotNil(self.passwordsView, @"Policy created a passwords view");
259 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
260 XCTAssertEqual(0, [self.passwordsView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
262 NSDictionary* item = [self fakeRecordDictionary:@"account-delete-me" zoneID:self.passwordsZoneID];
263 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.passwordsZoneID];
264 CKRecordID* ckr2id = [[CKRecordID alloc] initWithRecordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.keychainZoneID];
265 CKRecord* ckr = [self newRecord:ckrid withNewItemData:item];
267 NSMutableDictionary* item2 = [item mutableCopy];
268 item2[@"v_Data"] = @"wrongview";
269 CKRecord* ckr2 = [self newRecord:ckr2id withNewItemData:item2];
271 // Receive the passwords item first
272 [self.zones[self.passwordsZoneID] addToZone:ckr];
274 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
275 [self.passwordsView waitForFetchAndIncomingQueueProcessing];
276 [self checkGenericPassword:@"data" account:@"account-delete-me"];
278 [self.zones[self.keychainZoneID] addToZone:ckr2];
279 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
280 [self.keychainView waitForFetchAndIncomingQueueProcessing];
282 // THe view should ask for a policy update, and receive one
283 OCMVerifyAllWithDelay(self.requestPolicyCheck, 10);
284 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:YES];
286 OCMVerifyAllWithDelay(self.mockDatabase, 20);
287 [self checkGenericPassword:@"data" account:@"account-delete-me"];
289 // And the item is then deleted
290 [self.zones[self.keychainZoneID] deleteCKRecordIDFromZone:ckr2id];
291 OCMExpect([self.requestPolicyCheck trigger]);
292 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
293 [self.keychainView waitForFetchAndIncomingQueueProcessing];
294 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:YES];
296 // The password should still exist
297 [self checkGenericPassword:@"data" account:@"account-delete-me"];
300 - (void)testReceiveItemForFuturePolicy {
301 self.requestPolicyCheck = OCMClassMock([CKKSNearFutureScheduler class]);
302 OCMExpect([self.requestPolicyCheck trigger]);
304 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
306 [self startCKKSSubsystem];
307 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
309 NSString* wrongZoneAccount = @"wrong-zone";
310 NSDictionary* item = [self fakeRecordDictionary:wrongZoneAccount zoneID:self.unknownZoneID];
311 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" zoneID:self.keychainZoneID];
312 CKRecord* ckr = [self newRecord:ckrid withNewItemData:item];
313 [self.keychainZone addToZone:ckr];
315 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
316 [self.keychainView waitForFetchAndIncomingQueueProcessing];
318 [self findGenericPassword:wrongZoneAccount expecting:errSecItemNotFound];
320 OCMVerifyAllWithDelay(self.requestPolicyCheck, 10);
322 // Now, Octagon discovers that there's a new policy that allows this item in the keychain view
323 TPSyncingPolicy* currentPolicy = self.injectedManager.policy;
324 XCTAssertNotNil(currentPolicy, "should have a current policy");
326 [self setPolicyAndWaitForQuiescence:self.originalPolicyPlusUnknownVwht policyIsFresh:YES];
328 [self findGenericPassword:wrongZoneAccount expecting:errSecSuccess];
331 - (void)testHandleItemMovedBetweenViewsBeforePolicyChange {
332 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
333 [self createAndSaveFakeKeyHierarchy:self.passwordsZoneID];
335 [self startCKKSSubsystem];
336 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
338 // A password is created and uploaded out of the keychain view.
339 __block CKRecord* itemCKRecord = nil;
340 [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID checkItem:^BOOL(CKRecord * _Nonnull record) {
341 itemCKRecord = record;
344 NSString* itemAccount = @"account-delete-me";
345 [self addGenericPassword:@"data" account:itemAccount viewHint:self.keychainZoneID.zoneName];
346 OCMVerifyAllWithDelay(self.mockDatabase, 20);
347 XCTAssertNotNil(itemCKRecord, "Should have some CKRecord for the added item");
349 // Update etag as well
350 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
351 [self.keychainView waitForFetchAndIncomingQueueProcessing];
353 // Another device shows up, changes the item sync policy, and moves the item over into the passwords view.
355 NSDictionary* itemContents = [self decryptRecord:itemCKRecord];
356 XCTAssertNotNil(itemContents, "should have some item contents");
358 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:itemCKRecord.recordID.recordName zoneID:self.passwordsZoneID];
359 CKRecord* ckr = [self newRecord:ckrid withNewItemData:itemContents];
360 [self.zones[self.passwordsZoneID] addToZone:ckr];
362 TPSyncingPolicy* currentPolicy = self.injectedManager.policy;
363 XCTAssertNotNil(currentPolicy, "should have a current policy");
365 // In this test, we receive the deletion, and then the policy change adding the Passwords view
366 [self.keychainZone deleteCKRecordIDFromZone:itemCKRecord.recordID];
367 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
368 [self.keychainView waitForFetchAndIncomingQueueProcessing];
369 [self findGenericPassword:itemAccount expecting:errSecItemNotFound];
371 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:NO];
373 // And once passwords syncs, the item should appear again
374 [self findGenericPassword:itemAccount expecting:errSecSuccess];
377 - (void)testHandleItemMovedBetweenViewsAfterPolicyChange {
378 self.requestPolicyCheck = OCMClassMock([CKKSNearFutureScheduler class]);
379 OCMExpect([self.requestPolicyCheck trigger]);
381 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
382 [self createAndSaveFakeKeyHierarchy:self.passwordsZoneID];
384 [self startCKKSSubsystem];
385 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
387 // A password is created and uploaded out of the keychain view.
388 __block CKRecord* itemCKRecord = nil;
389 [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID checkItem:^BOOL(CKRecord * _Nonnull record) {
390 itemCKRecord = record;
393 NSString* itemAccount = @"account-delete-me";
394 [self addGenericPassword:@"data" account:itemAccount viewHint:self.keychainZoneID.zoneName];
395 OCMVerifyAllWithDelay(self.mockDatabase, 20);
396 XCTAssertNotNil(itemCKRecord, "Should have some CKRecord for the added item");
398 // Update etag as well
399 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
400 [self.keychainView waitForFetchAndIncomingQueueProcessing];
402 // Another device shows up, changes the item sync policy, and moves the item over into the Passwords view.
403 // But, in this case, we receive the item delete in the Keychain view after we've synced the item in the Passwords view
405 NSDictionary* itemContents = [self decryptRecord:itemCKRecord];
406 XCTAssertNotNil(itemContents, "should have some item contents");
408 CKRecordID* ckrid = [[CKRecordID alloc] initWithRecordName:itemCKRecord.recordID.recordName zoneID:self.passwordsZoneID];
409 CKRecord* ckr = [self newRecord:ckrid withNewItemData:itemContents];
410 [self.zones[self.passwordsZoneID] addToZone:ckr];
412 TPSyncingPolicy* currentPolicy = self.injectedManager.policy;
413 XCTAssertNotNil(currentPolicy, "should have a current policy");
415 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:NO];
417 CKKSKeychainView* passwordsView = [self.injectedManager findView:self.passwordsZoneID.zoneName];
418 XCTAssertNotNil(passwordsView, @"Should have a passwords view");
420 // And once Passwords syncs, the item should appear again
421 [self findGenericPassword:itemAccount expecting:errSecSuccess];
423 // And now we receive the delete in the keychain view. The item should still exist!
424 [self.keychainZone deleteCKRecordIDFromZone:itemCKRecord.recordID];
425 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
426 [self.keychainView waitForFetchAndIncomingQueueProcessing];
427 [self findGenericPassword:itemAccount expecting:errSecSuccess];
429 // Keychain View should have asked for a policy set
430 OCMVerifyAllWithDelay(self.requestPolicyCheck, 10);
431 [self.injectedManager setCurrentSyncingPolicy:self.allItemsToPasswordsPolicy policyIsFresh:YES];
433 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
434 [self.keychainView waitForFetchAndIncomingQueueProcessing];
435 [self findGenericPassword:itemAccount expecting:errSecSuccess];
437 NSError* zoneError = nil;
438 NSInteger count = [CKKSIncomingQueueEntry countByState:SecCKKSStateMismatchedView zone:self.keychainView.zoneID error:&zoneError];
439 XCTAssertNil(zoneError, "should be no error counting all IQEs");
440 XCTAssertEqual(count, 0, "Should be no remaining mismatched IQEs");
443 - (void)testMoveItemUploadedToOldZone {
444 self.requestPolicyCheck = OCMClassMock([CKKSNearFutureScheduler class]);
445 OCMExpect([self.requestPolicyCheck trigger]);
447 [self createAndSaveFakeKeyHierarchy:self.keychainZoneID];
448 [self createAndSaveFakeKeyHierarchy:self.passwordsZoneID];
450 [self startCKKSSubsystem];
451 XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], @"Key state should have arrived at ready");
453 [self setPolicyAndWaitForQuiescence:self.allItemsToPasswordsPolicy policyIsFresh:NO];
455 // Now, someone uploads an item to the keychain view. We should move it to the passwords view
456 CKRecord* ckr = [self createFakeRecord:self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" withAccount:@"account0"];
457 [self.keychainZone addToZone:ckr];
459 [self.injectedManager.zoneChangeFetcher notifyZoneChange:nil];
460 [self.keychainView waitForFetchAndIncomingQueueProcessing];
462 // The keychain view should request a policy refetch
463 OCMVerifyAllWithDelay(self.requestPolicyCheck, 10);
465 // Note that ideally, we'd remove the old item from CloudKit. But, other devices which participate in CKKS4All
466 // might not have this forward-compatiblity change, and will treat this as a deletion. If they process this deletion,
467 // then sync the resulting tombstone to a third SOS device, then receive the addition in the 'right' view, and then the
468 // tombstone syncs back to the CKKS4All devices, then we might end up deleting the item across the account.
469 // Until enough internal folk have moved onto builds with this forward-compat change, we can't issue these deletes.
470 //[self expectCKDeleteItemRecords:1 zoneID:self.keychainZoneID];
472 // The item should be reuploaded to Passwords, though.
473 [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.passwordsZoneID checkItem:^BOOL(CKRecord * _Nonnull record) {
474 return [record.recordID.recordName isEqualToString:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85"];
477 [self.injectedManager setCurrentSyncingPolicy:self.allItemsToPasswordsPolicy policyIsFresh:YES];
478 OCMVerifyAllWithDelay(self.mockDatabase, 20);
480 // And the keychain item should still exist
481 [self findGenericPassword:@"account0" expecting:errSecSuccess];
projects / apple / security.git / blob