2 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 #include <Security/SecEntitlements.h>
26 #import <Foundation/NSXPCConnection.h>
27 #import <Foundation/NSXPCConnection_Private.h>
30 #import <TargetConditionals.h>
31 #import "keychain/ot/ObjCImprovements.h"
32 #import "keychain/ot/OTControlProtocol.h"
33 #import "keychain/ot/OTControl.h"
34 #import "keychain/ot/OTClique.h"
35 #import "keychain/ot/OTManager.h"
36 #import "keychain/ot/OTDefines.h"
37 #import "keychain/ot/OTRamping.h"
38 #import "keychain/ot/OT.h"
39 #import "keychain/ot/OTConstants.h"
40 #import "keychain/ot/OTCuttlefishContext.h"
41 #import "keychain/ot/OTClientStateMachine.h"
42 #import "keychain/ot/OTStates.h"
43 #import "keychain/ot/OTJoiningConfiguration.h"
44 #import "keychain/ot/OTSOSAdapter.h"
46 #import "keychain/categories/NSError+UsefulConstructors.h"
47 #import "keychain/ckks/CKKSAnalytics.h"
48 #import "keychain/ckks/CKKSNearFutureScheduler.h"
49 #import "keychain/ckks/CKKS.h"
50 #import "keychain/ckks/CKKSViewManager.h"
51 #import "keychain/ckks/CKKSLockStateTracker.h"
52 #import "keychain/ckks/CKKSCloudKitClassDependencies.h"
54 #import <CloudKit/CloudKit.h>
55 #import <CloudKit/CloudKit_Private.h>
57 #import <SecurityFoundation/SFKey.h>
58 #import <SecurityFoundation/SFKey_Private.h>
59 #import "SecPasswordGenerate.h"
61 #import "keychain/categories/NSError+UsefulConstructors.h"
62 #include <CloudKit/CloudKit_Private.h>
63 #import <KeychainCircle/PairingChannel.h>
65 #import "keychain/escrowrequest/Framework/SecEscrowRequest.h"
66 #import "keychain/escrowrequest/EscrowRequestServer.h"
68 // If your callbacks might pass back a CK error, you should use XPCSanitizeError()
69 // Otherwise, XPC might crash on the other side if they haven't linked CloudKit.framework.
70 #define XPCSanitizeError CKXPCSuitableError
72 #import <Accounts/Accounts.h>
73 #import <Accounts/ACAccountStore_Private.h>
74 #import <Accounts/ACAccountType_Private.h>
75 #import <Accounts/ACAccountStore.h>
76 #import <AppleAccount/ACAccountStore+AppleAccount.h>
77 #import <AppleAccount/ACAccount+AppleAccount.h>
79 #import <CoreCDP/CDPFollowUpController.h>
81 #import "keychain/TrustedPeersHelper/TPHObjcTranslation.h"
82 #import "keychain/SecureObjectSync/SOSAccountTransaction.h"
83 #pragma clang diagnostic push
84 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
85 #import "keychain/SecureObjectSync/SOSAccount.h"
86 #pragma clang diagnostic pop
88 #import "utilities/SecTapToRadar.h"
90 static NSString* const kOTRampForEnrollmentRecordName = @"metadata_rampstate_enroll";
91 static NSString* const kOTRampForRestoreRecordName = @"metadata_rampstate_restore";
92 static NSString* const kOTRampForCFURecordName = @"metadata_rampstate_cfu";
93 static NSString* const kOTRampForGhostBustMIDName = @"metadata_rampstate_ghostBustMID";
94 static NSString* const kOTRampForghostBustSerialName = @"metadata_rampstate_ghostBustSerial";
95 static NSString* const kOTRampForghostBustAgeName = @"metadata_rampstate_ghostBustAge";
96 static NSString* const kOTRampZoneName = @"metadata_zone";
97 #define NUM_NSECS_IN_24_HRS (86400 * NSEC_PER_SEC)
100 @interface OTManager (lockstateTracker) <CKKSLockStateNotification>
104 @interface OTManager () <NSXPCListenerDelegate>
105 @property NSXPCListener *listener;
107 @property (nonatomic, strong) OTRamp *gbmidRamp;
108 @property (nonatomic, strong) OTRamp *gbserialRamp;
109 @property (nonatomic, strong) OTRamp *gbAgeRamp;
110 @property (nonatomic, strong) CKKSLockStateTracker *lockStateTracker;
111 @property (nonatomic, strong) id<OctagonFollowUpControllerProtocol> cdpd;
114 @property NSMutableDictionary<NSString*, OTCuttlefishContext*>* contexts;
115 @property NSMutableDictionary<NSString*, OTClientStateMachine*>* clients;
116 @property dispatch_queue_t queue;
118 @property id<NSXPCProxyCreating> cuttlefishXPCConnection;
120 // Dependencies for injection
121 @property (readonly) id<OTSOSAdapter> sosAdapter;
122 @property (readonly) id<OTAuthKitAdapter> authKitAdapter;
123 @property (readonly) id<OTDeviceInformationAdapter> deviceInformationAdapter;
124 @property (readonly) Class<OctagonAPSConnection> apsConnectionClass;
125 @property (readonly) Class<SecEscrowRequestable> escrowRequestClass;
126 // If this is nil, all logging is disabled
127 @property (readonly, nullable) Class<SFAnalyticsProtocol> loggerClass;
128 @property (nonatomic) BOOL sosEnabledForPlatform;
131 @implementation OTManager
132 @synthesize cuttlefishXPCConnection = _cuttlefishXPCConnection;
133 @synthesize sosAdapter = _sosAdapter;
134 @synthesize authKitAdapter = _authKitAdapter;
135 @synthesize deviceInformationAdapter = _deviceInformationAdapter;
139 // Under Octagon, the sos adapter is not considered essential.
140 id<OTSOSAdapter> sosAdapter = (OctagonPlatformSupportsSOS() ?
141 [[OTSOSActualAdapter alloc] initAsEssential:NO] :
142 [[OTSOSMissingAdapter alloc] init]);
144 return [self initWithSOSAdapter:sosAdapter
145 authKitAdapter:[[OTAuthKitActualAdapter alloc] init]
146 deviceInformationAdapter:[[OTDeviceInformationActualAdapter alloc] init]
147 apsConnectionClass:[APSConnection class]
148 escrowRequestClass:[EscrowRequestServer class] // Use the server class here to skip the XPC layer
149 loggerClass:[CKKSAnalytics class]
150 lockStateTracker:[CKKSLockStateTracker globalTracker]
151 cloudKitClassDependencies:[CKKSCloudKitClassDependencies forLiveCloudKit]
152 cuttlefishXPCConnection:nil
153 cdpd:[[CDPFollowUpController alloc] init]];
156 - (instancetype)initWithSOSAdapter:(id<OTSOSAdapter>)sosAdapter
157 authKitAdapter:(id<OTAuthKitAdapter>)authKitAdapter
158 deviceInformationAdapter:(id<OTDeviceInformationAdapter>)deviceInformationAdapter
159 apsConnectionClass:(Class<OctagonAPSConnection>)apsConnectionClass
160 escrowRequestClass:(Class<SecEscrowRequestable>)escrowRequestClass
161 loggerClass:(Class<SFAnalyticsProtocol>)loggerClass
162 lockStateTracker:(CKKSLockStateTracker*)lockStateTracker
163 cloudKitClassDependencies:(CKKSCloudKitClassDependencies*)cloudKitClassDependencies
164 cuttlefishXPCConnection:(id<NSXPCProxyCreating>)cuttlefishXPCConnection
165 cdpd:(id<OctagonFollowUpControllerProtocol>)cdpd
167 if((self = [super init])) {
168 _sosAdapter = sosAdapter;
169 _authKitAdapter = authKitAdapter;
170 _deviceInformationAdapter = deviceInformationAdapter;
171 _loggerClass = loggerClass;
172 _lockStateTracker = lockStateTracker;
173 _sosEnabledForPlatform = OctagonPlatformSupportsSOS();
174 _cuttlefishXPCConnection = cuttlefishXPCConnection;
176 _cloudKitContainer = [CKKSViewManager makeCKContainer:SecCKKSContainerName usePCS:SecCKKSContainerUsePCS];
177 _accountStateTracker = [[CKKSAccountStateTracker alloc] init:_cloudKitContainer
178 nsnotificationCenterClass:cloudKitClassDependencies.nsnotificationCenterClass];
180 self.contexts = [NSMutableDictionary dictionary];
181 self.clients = [NSMutableDictionary dictionary];
183 self.queue = dispatch_queue_create("otmanager", DISPATCH_QUEUE_SERIAL);
185 _apsConnectionClass = apsConnectionClass;
186 _escrowRequestClass = escrowRequestClass;
190 _viewManager = [[CKKSViewManager alloc] initWithContainer:_cloudKitContainer
191 sosAdapter:sosAdapter
192 accountStateTracker:_accountStateTracker
193 lockStateTracker:lockStateTracker
194 cloudKitClassDependencies:cloudKitClassDependencies];
196 // The default CuttlefishContext always exists:
197 (void) [self contextForContainerName:OTCKContainerName contextID:OTDefaultContext];
199 secnotice("octagon", "otmanager init");
204 - (instancetype)initWithSOSAdapter:(id<OTSOSAdapter>)sosAdapter
205 lockStateTracker:(CKKSLockStateTracker*)lockStateTracker
206 cloudKitClassDependencies:(CKKSCloudKitClassDependencies*)cloudKitClassDependencies
208 if((self = [super init])) {
209 _sosAdapter = sosAdapter;
210 _lockStateTracker = lockStateTracker;
212 _cloudKitContainer = [CKKSViewManager makeCKContainer:SecCKKSContainerName usePCS:SecCKKSContainerUsePCS];
213 _accountStateTracker = [[CKKSAccountStateTracker alloc] init:_cloudKitContainer
214 nsnotificationCenterClass:cloudKitClassDependencies.nsnotificationCenterClass];
216 _viewManager = [[CKKSViewManager alloc] initWithContainer:_cloudKitContainer
217 sosAdapter:sosAdapter
218 accountStateTracker:_accountStateTracker
219 lockStateTracker:lockStateTracker
220 cloudKitClassDependencies:cloudKitClassDependencies];
225 - (void)initializeOctagon
227 secnotice("octagon", "Initializing Octagon...");
229 if(OctagonIsEnabled()) {
230 secnotice("octagon", "starting default state machine...");
231 OTCuttlefishContext* c = [self contextForContainerName:OTCKContainerName
232 contextID:OTDefaultContext];
234 [c startOctagonStateMachine];
235 [self registerForCircleChangedNotifications];
239 - (BOOL)waitForReady:(NSString* _Nullable)containerName context:(NSString*)context wait:(int64_t)wait
241 OTCuttlefishContext* c = [self contextForContainerName:containerName contextID:context];
242 return [c waitForReady:wait];
245 - (void) moveToCheckTrustedStateForContainer:(NSString* _Nullable)containerName context:(NSString*)context
247 OTCuttlefishContext* c = [self contextForContainerName:containerName
249 [c startOctagonStateMachine];
250 [c moveToCheckTrustedState];
253 - (void)registerForCircleChangedNotifications
255 __weak __typeof(self) weakSelf = self;
257 // If we're not in the tests, go ahead and register for a notification
258 if(!SecCKKSTestsEnabled()) {
260 notify_register_dispatch(kSOSCCCircleChangedNotification, &token, dispatch_get_global_queue(QOS_CLASS_UTILITY, 0), ^(int t) {
261 secnotice("octagon", "circle changed notification called, checking trust state");
262 [weakSelf moveToCheckTrustedStateForContainer:OTCKContainerName context:OTDefaultContext];
267 + (instancetype _Nullable)manager {
268 if(!OctagonIsEnabled()) {
269 secerror("octagon: Attempt to fetch a manager while Octagon is disabled");
273 if([CKDatabase class] == nil) {
274 // CloudKit is not linked. We cannot bring Octagon up.
275 secerror("Octagon: CloudKit.framework appears to not be linked. Cannot create an Octagon manager (on pain of crash).");
279 return [self resetManager:false to:nil];
282 + (instancetype _Nullable)resetManager:(bool)reset to:(OTManager* _Nullable)obj
284 static OTManager* manager = nil;
286 if(!manager || reset || obj) {
287 @synchronized([self class]) {
293 } else if (manager == nil && OctagonIsEnabled()) {
294 manager = [[OTManager alloc] init];
303 - (void)ensureRampsInitialized
305 CKContainer* container = [CKKSViewManager manager].container;
306 CKDatabase* database = [container privateCloudDatabase];
307 CKRecordZoneID* zoneID = [[CKRecordZoneID alloc] initWithZoneName:kOTRampZoneName ownerName:CKCurrentUserDefaultName];
309 CKKSAccountStateTracker *accountTracker = [CKKSViewManager manager].accountTracker;
310 CKKSReachabilityTracker *reachabilityTracker = [CKKSViewManager manager].reachabilityTracker;
311 CKKSLockStateTracker *lockStateTracker = [CKKSViewManager manager].lockStateTracker;
313 if(!self.gbmidRamp) {
314 self.gbmidRamp = [[OTRamp alloc]initWithRecordName:kOTRampForGhostBustMIDName
315 localSettingName:@"ghostBustMID"
319 accountTracker:accountTracker
320 lockStateTracker:lockStateTracker
321 reachabilityTracker:reachabilityTracker
322 fetchRecordRecordsOperationClass:[CKFetchRecordsOperation class]];
325 if(!self.gbserialRamp) {
326 self.gbserialRamp = [[OTRamp alloc]initWithRecordName:kOTRampForghostBustSerialName
327 localSettingName:@"ghostBustSerial"
331 accountTracker:accountTracker
332 lockStateTracker:lockStateTracker
333 reachabilityTracker:reachabilityTracker
334 fetchRecordRecordsOperationClass:[CKFetchRecordsOperation class]];
337 if(!self.gbAgeRamp) {
338 self.gbAgeRamp = [[OTRamp alloc]initWithRecordName:kOTRampForghostBustAgeName
339 localSettingName:@"ghostBustAge"
343 accountTracker:accountTracker
344 lockStateTracker:lockStateTracker
345 reachabilityTracker:reachabilityTracker
346 fetchRecordRecordsOperationClass:[CKFetchRecordsOperation class]];
351 // MARK: SPI routines
355 - (void)signIn:(NSString*)altDSID
356 container:(NSString* _Nullable)containerName
357 context:(NSString*)contextID
358 reply:(void (^)(NSError * _Nullable signedInError))reply
360 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityAccountAvailable];
362 if(containerName == nil) {
363 containerName = OTCKContainerName;
366 NSError *error = nil;
367 OTCuttlefishContext* context = [self contextForContainerName:containerName contextID:contextID];
369 secnotice("octagon","signing in %@ for altDSID: %@", context, altDSID);
370 [context accountAvailable:altDSID error:&error];
372 [tracker stopWithEvent:OctagonEventSignIn result:error];
377 - (void)signOut:(NSString* _Nullable)containerName
378 context:(NSString*)contextID
379 reply:(void (^)(NSError * _Nullable signedOutError))reply
381 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityAccountNotAvailable];
383 if(containerName == nil) {
384 containerName = OTCKContainerName;
387 NSError* error = nil;
389 // TODO: should we compare DSIDs here?
390 OTCuttlefishContext* context = [self contextForContainerName:containerName contextID:contextID];
392 secnotice("octagon", "signing out of octagon trust: %@", context);
394 [context accountNoLongerAvailable:&error];
396 secnotice("octagon", "signing out failed: %@", error);
399 [tracker stopWithEvent:OctagonEventSignOut result:error];
404 - (void)notifyIDMSTrustLevelChangeForContainer:(NSString* _Nullable)containerName
405 context:(NSString*)contextID
406 reply:(void (^)(NSError * _Nullable error))reply
408 if(containerName == nil) {
409 containerName = OTCKContainerName;
412 NSError *error = nil;
413 OTCuttlefishContext* context = [self contextForContainerName:containerName contextID:contextID];
414 secnotice("octagon","received a notification of IDMS trust level change in %@", context);
415 [context idmsTrustLevelChanged:&error];
420 - (void)handleIdentityChangeForSigningKey:(SFECKeyPair*)peerSigningKey
421 ForEncryptionKey:(SFECKeyPair*)encryptionKey
422 ForPeerID:(NSString*)peerID
423 reply:(void (^)(BOOL result,
424 NSError* _Nullable error))reply
426 secnotice("octagon", "handleIdentityChangeForSigningKey: %@", peerID);
428 [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
429 code:errSecUnimplemented
433 - (void)preflightBottledPeer:(NSString*)contextID
435 reply:(void (^)(NSData* _Nullable entropy,
436 NSString* _Nullable bottleID,
437 NSData* _Nullable signingPublicKey,
438 NSError* _Nullable error))reply
440 secnotice("octagon", "preflightBottledPeer: %@ %@", contextID, dsid);
444 [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
445 code:errSecUnimplemented
449 - (void)launchBottledPeer:(NSString*)contextID
450 bottleID:(NSString*)bottleID
451 reply:(void (^ _Nullable)(NSError* _Nullable error))reply
453 secnotice("octagon", "launchBottledPeer");
454 reply([NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
455 code:errSecUnimplemented
459 - (void)restore:(NSString *)contextID dsid:(NSString *)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID reply:(void (^)(NSData* signingKeyData, NSData* encryptionKeyData, NSError *))reply
461 secnotice("octagon", "restore");
464 [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
465 code:errSecUnimplemented
469 - (void)scrubBottledPeer:(NSString*)contextID
470 bottleID:(NSString*)bottleID
471 reply:(void (^ _Nullable)(NSError* _Nullable error))reply
473 reply([NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
474 code:errSecUnimplemented
479 // MARK: OTCTL tool routines
482 -(void)reset:(void (^)(BOOL result, NSError *))reply
485 [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
486 code:errSecUnimplemented
490 - (void)listOfEligibleBottledPeerRecords:(void (^)(NSArray* listOfRecords, NSError * _Nullable))reply
493 [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
494 code:errSecUnimplemented
498 - (void)octagonEncryptionPublicKey:(void (^)(NSData* encryptionKey, NSError *))reply
501 [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
502 code:errSecUnimplemented
506 -(void)octagonSigningPublicKey:(void (^)(NSData* encryptionKey, NSError *))reply
509 [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain
510 code:errSecUnimplemented
514 - (void)setCuttlefishXPCConnection:(id<NSXPCProxyCreating>)cuttlefishXPCConnection
516 _cuttlefishXPCConnection = cuttlefishXPCConnection;
519 - (id<NSXPCProxyCreating>)cuttlefishXPCConnection
521 if(!_cuttlefishXPCConnection) {
522 NSXPCConnection* xpcConnection = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.TrustedPeersHelper"];
523 xpcConnection.remoteObjectInterface = TrustedPeersHelperSetupProtocol([NSXPCInterface interfaceWithProtocol:@protocol(TrustedPeersHelperProtocol)]);
524 [xpcConnection resume];
525 _cuttlefishXPCConnection = xpcConnection;
528 return _cuttlefishXPCConnection;
531 - (OTClientStateMachine*)clientStateMachineForContainerName:(NSString* _Nullable)containerName
532 contextID:(NSString*)contextID
533 clientName:(NSString*)clientName
535 __block OTClientStateMachine* client = nil;
537 if(containerName == nil) {
538 containerName = SecCKKSContainerName;
541 dispatch_sync(self.queue, ^{
542 NSString* key = [NSString stringWithFormat:@"%@-%@", containerName, clientName];
543 secnotice("octagon-client", "fetching context for key: %@", key);
544 client = self.clients[key];
546 client = [[OTClientStateMachine alloc] initWithContainerName:containerName
548 clientName:clientName
549 cuttlefish:self.cuttlefishXPCConnection];
551 self.clients[key] = client;
558 - (void)removeClientContextForContainerName:(NSString* _Nullable)containerName
559 clientName:(NSString*)clientName
561 if(containerName == nil) {
562 containerName = SecCKKSContainerName;
565 dispatch_sync(self.queue, ^{
566 NSString* key = [NSString stringWithFormat:@"%@-%@", containerName, clientName];
567 [self.clients removeObjectForKey:key];
568 secnotice("octagon", "removed client context with key: %@", key);
572 - (void)removeContextForContainerName:(NSString*)containerName
573 contextID:(NSString*)contextID
575 dispatch_sync(self.queue, ^{
576 NSString* key = [NSString stringWithFormat:@"%@-%@", containerName, contextID];
577 self.contexts[key] = nil;
581 - (OTCuttlefishContext*)contextForContainerName:(NSString* _Nullable)containerName
582 contextID:(NSString*)contextID
584 return [self contextForContainerName:containerName
586 sosAdapter:self.sosAdapter
587 authKitAdapter:self.authKitAdapter
588 lockStateTracker:self.lockStateTracker
589 accountStateTracker:self.accountStateTracker
590 deviceInformationAdapter:self.deviceInformationAdapter];
593 - (OTCuttlefishContext*)contextForContainerName:(NSString* _Nullable)containerName
594 contextID:(NSString*)contextID
595 sosAdapter:(id<OTSOSAdapter>)sosAdapter
596 authKitAdapter:(id<OTAuthKitAdapter>)authKitAdapter
597 lockStateTracker:(CKKSLockStateTracker*)lockStateTracker
598 accountStateTracker:(CKKSAccountStateTracker*)accountStateTracker
599 deviceInformationAdapter:(id<OTDeviceInformationAdapter>)deviceInformationAdapter
601 __block OTCuttlefishContext* context = nil;
603 if(containerName == nil) {
604 containerName = SecCKKSContainerName;
607 dispatch_sync(self.queue, ^{
608 NSString* key = [NSString stringWithFormat:@"%@-%@", containerName, contextID];
610 context = self.contexts[key];
612 // Right now, CKKS can only handle one session per address space (and SQL database).
613 // Therefore, only the primary OTCuttlefishContext gets to own the view manager.
614 CKKSViewManager* viewManager = nil;
615 if([containerName isEqualToString:SecCKKSContainerName] &&
616 [contextID isEqualToString:OTDefaultContext]) {
617 viewManager = self.viewManager;
621 context = [[OTCuttlefishContext alloc] initWithContainerName:containerName
623 cuttlefish:self.cuttlefishXPCConnection
624 sosAdapter:sosAdapter
625 authKitAdapter:authKitAdapter
626 ckksViewManager:viewManager
627 lockStateTracker:lockStateTracker
628 accountStateTracker:accountStateTracker
629 deviceInformationAdapter:deviceInformationAdapter
630 apsConnectionClass:self.apsConnectionClass
631 escrowRequestClass:self.escrowRequestClass
633 self.contexts[key] = context;
640 - (void)clearAllContexts
643 dispatch_sync(self.queue, ^{
644 [self.contexts removeAllObjects];
649 - (void)fetchEgoPeerID:(NSString* _Nullable)container
650 context:(NSString*)context
651 reply:(void (^)(NSString* _Nullable peerID, NSError* _Nullable error))reply
654 container = OTCKContainerName;
656 secnotice("octagon", "Received a fetch peer ID for container (%@) and context (%@)", container, context);
657 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
658 [cfshContext rpcFetchEgoPeerID:^(NSString * _Nullable peerID,
659 NSError * _Nullable error) {
660 reply(peerID, XPCSanitizeError(error));
664 - (void)fetchTrustStatus:(NSString *)container
665 context:(NSString *)context
666 configuration:(OTOperationConfiguration *)configuration
667 reply:(void (^)(CliqueStatus status,
668 NSString* _Nullable peerID,
669 NSNumber * _Nullable numberOfPeersInOctagon,
671 NSError* _Nullable error))reply
674 container = OTCKContainerName;
676 secnotice("octagon", "Received a trust status for container (%@) and context (%@)", container, context);
677 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
679 [cfshContext rpcTrustStatus:configuration reply:^(CliqueStatus status,
680 NSString * _Nullable peerID,
681 NSDictionary<NSString *,NSNumber *> * _Nullable peerCountByModelID,
684 NSError * _Nullable error) {
685 // Our clients don't need the whole breakout of peers, so just count for them
687 for(NSNumber* n in peerCountByModelID.allValues) {
688 peerCount += [n longValue];
691 reply(status, peerID, @(peerCount), isExcluded, error);
695 - (void)fetchCliqueStatus:(NSString* _Nullable)container
696 context:(NSString*)contextID
697 configuration:(OTOperationConfiguration *)configuration
698 reply:(void (^)(CliqueStatus cliqueStatus, NSError* _Nullable error))reply
701 container = OTCKContainerName;
703 if(configuration == nil) {
704 configuration = [[OTOperationConfiguration alloc] init];
707 __block OTCuttlefishContext* context = nil;
708 dispatch_sync(self.queue, ^{
709 NSString* key = [NSString stringWithFormat:@"%@-%@", container, contextID];
711 context = self.contexts[key];
715 reply(-1, [NSError errorWithDomain:OctagonErrorDomain
716 code:OTErrorNoSuchContext
717 description:[NSString stringWithFormat:@"No context for (%@,%@)", container, contextID]]);
722 [context rpcTrustStatus:configuration reply:^(CliqueStatus status,
724 NSDictionary<NSString *,NSNumber *> * _Nullable peerCountByModelID,
727 NSError * _Nullable error) {
728 reply(status, error);
732 - (void)status:(NSString* _Nullable)containerName
733 context:(NSString*)contextID
734 reply:(void (^)(NSDictionary* _Nullable result, NSError* _Nullable error))reply
737 containerName = OTCKContainerName;
740 secnotice("octagon", "Received a status RPC for container (%@) and context (%@)", containerName, contextID);
742 __block OTCuttlefishContext* context = nil;
743 dispatch_sync(self.queue, ^{
744 NSString* key = [NSString stringWithFormat:@"%@-%@", containerName, contextID];
746 context = self.contexts[key];
750 reply(nil, [NSError errorWithDomain:OctagonErrorDomain
751 code:OTErrorNoSuchContext
752 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
756 [context rpcStatus:reply];
759 - (void)startOctagonStateMachine:(NSString* _Nullable)container
760 context:(NSString*)context
761 reply:(void (^)(NSError* _Nullable error))reply
763 secnotice("octagon", "Received a start-state-machine RPC for container (%@) and context (%@)", container, context);
765 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
766 [cfshContext startOctagonStateMachine];
770 - (void)resetAndEstablish:(NSString *)container
771 context:(NSString *)context
772 altDSID:(NSString*)altDSID
773 resetReason:(CuttlefishResetReason)resetReason
774 reply:(void (^)(NSError * _Nullable))reply
776 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityResetAndEstablish];
778 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
779 [cfshContext startOctagonStateMachine];
780 [cfshContext rpcResetAndEstablish:resetReason reply:^(NSError* resetAndEstablishError) {
781 [tracker stopWithEvent:OctagonEventResetAndEstablish result:resetAndEstablishError];
782 reply(resetAndEstablishError);
786 - (void)establish:(NSString *)container
787 context:(NSString *)context
788 altDSID:(NSString*)altDSID
789 reply:(void (^)(NSError * _Nullable))reply
791 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityEstablish];
793 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
794 [cfshContext startOctagonStateMachine];
795 [cfshContext rpcEstablish:altDSID reply:^(NSError* establishError) {
796 [tracker stopWithEvent:OctagonEventEstablish result:establishError];
797 reply(establishError);
801 - (void)leaveClique:(NSString* _Nullable)container
802 context:(NSString*)context
803 reply:(void (^)(NSError* _Nullable error))reply
805 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityLeaveClique];
807 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
808 [cfshContext startOctagonStateMachine];
809 [cfshContext rpcLeaveClique:^(NSError* leaveError) {
810 [tracker stopWithEvent:OctagonEventLeaveClique result:leaveError];
815 - (void)removeFriendsInClique:(NSString* _Nullable)container
816 context:(NSString*)context
817 peerIDs:(NSArray<NSString*>*)peerIDs
818 reply:(void (^)(NSError* _Nullable error))reply
820 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityRemoveFriendsInClique];
822 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
823 [cfshContext startOctagonStateMachine];
824 [cfshContext rpcRemoveFriendsInClique:peerIDs reply:^(NSError* removeFriendsError) {
825 [tracker stopWithEvent:OctagonEventRemoveFriendsInClique result:removeFriendsError];
826 reply(removeFriendsError);
830 - (void)peerDeviceNamesByPeerID:(NSString* _Nullable)container
831 context:(NSString*)context
832 reply:(void (^)(NSDictionary<NSString*, NSString*>* _Nullable peers, NSError* _Nullable error))reply
834 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
835 [cfshContext rpcFetchDeviceNamesByPeerID:reply];
838 - (void)fetchAllViableBottles:(NSString* _Nullable)container
839 context:(NSString*)context
840 reply:(void (^)(NSArray<NSString*>* _Nullable sortedBottleIDs, NSArray<NSString*>* _Nullable sortedPartialBottleIDs, NSError* _Nullable error))reply
842 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityFetchAllViableBottles];
844 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
845 [cfshContext rpcFetchAllViableBottles:^(NSArray<NSString *> * _Nullable sortedBottleIDs,
846 NSArray<NSString *> * _Nullable sortedPartialEscrowRecordIDs,
847 NSError * _Nullable error) {
848 [tracker stopWithEvent:OctagonEventFetchAllBottles result:error];
849 reply(sortedBottleIDs, sortedPartialEscrowRecordIDs, error);
853 - (void)fetchEscrowContents:(NSString* _Nullable)containerName
854 contextID:(NSString *)contextID
855 reply:(void (^)(NSData* _Nullable entropy,
856 NSString* _Nullable bottleID,
857 NSData* _Nullable signingPublicKey,
858 NSError* _Nullable error))reply
860 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityFetchEscrowContents];
862 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
863 [cfshContext fetchEscrowContents:^(NSData *entropy,
865 NSData *signingPublicKey,
867 [tracker stopWithEvent:OctagonEventFetchEscrowContents result:error];
868 reply(entropy, bottleID, signingPublicKey, error);
873 // MARK: Pairing Routines as Initiator
875 - (void)rpcPrepareIdentityAsApplicantWithConfiguration:(OTJoiningConfiguration*)config
876 reply:(void (^)(NSString * _Nullable peerID,
877 NSData * _Nullable permanentInfo,
878 NSData * _Nullable permanentInfoSig,
879 NSData * _Nullable stableInfo,
880 NSData * _Nullable stableInfoSig,
881 NSError * _Nullable error))reply
883 OTCuttlefishContext* cfshContext = [self contextForContainerName:config.containerName contextID:config.contextID];
884 [cfshContext handlePairingRestart:config];
885 [cfshContext startOctagonStateMachine];
886 [cfshContext rpcPrepareIdentityAsApplicantWithConfiguration:config
888 reply:^(NSString * _Nullable peerID,
889 NSData * _Nullable permanentInfo,
890 NSData * _Nullable permanentInfoSig,
891 NSData * _Nullable stableInfo,
892 NSData * _Nullable stableInfoSig,
893 NSError * _Nullable error) {
894 reply(peerID, permanentInfo, permanentInfoSig, stableInfo, stableInfoSig, error);
898 - (void)rpcJoinWithConfiguration:(OTJoiningConfiguration*)config
899 vouchData:(NSData*)vouchData
900 vouchSig:(NSData*)vouchSig
901 reply:(void (^)(NSError * _Nullable error))reply
903 OTCuttlefishContext* cfshContext = [self contextForContainerName:config.containerName contextID:config.contextID];
904 [cfshContext handlePairingRestart:config];
905 [cfshContext startOctagonStateMachine];
906 [cfshContext rpcJoin:vouchData vouchSig:vouchSig reply:^(NSError * _Nullable error) {
912 // MARK: Pairing Routines as Acceptor
915 - (void)rpcEpochWithConfiguration:(OTJoiningConfiguration*)config
916 reply:(void (^)(uint64_t epoch,
917 NSError * _Nullable error))reply
919 OTCuttlefishContext* acceptorCfshContext = [self contextForContainerName:config.containerName contextID:config.contextID];
920 [acceptorCfshContext startOctagonStateMachine];
922 // Let's assume that the new device's machine ID has made it to the IDMS list by now, and let's refresh our idea of that list
923 [acceptorCfshContext requestTrustedDeviceListRefresh];
925 OTClientStateMachine *clientStateMachine = [self clientStateMachineForContainerName:config.containerName contextID:config.contextID clientName:config.pairingUUID];
927 [clientStateMachine startOctagonStateMachine];
929 [clientStateMachine rpcEpoch:acceptorCfshContext reply:^(uint64_t epoch, NSError * _Nullable error) {
934 - (void)rpcVoucherWithConfiguration:(OTJoiningConfiguration*)config
935 peerID:(NSString*)peerID
936 permanentInfo:(NSData *)permanentInfo
937 permanentInfoSig:(NSData *)permanentInfoSig
938 stableInfo:(NSData *)stableInfo
939 stableInfoSig:(NSData *)stableInfoSig
940 reply:(void (^)(NSData* voucher, NSData* voucherSig, NSError * _Nullable error))reply
942 OTCuttlefishContext* acceptorCfshContext = [self contextForContainerName:config.containerName contextID:config.contextID];
943 [acceptorCfshContext startOctagonStateMachine];
945 // Let's assume that the new device's machine ID has made it to the IDMS list by now, and let's refresh our idea of that list
946 [acceptorCfshContext requestTrustedDeviceListRefresh];
947 OTClientStateMachine *clientStateMachine = [self clientStateMachineForContainerName:config.containerName contextID:config.contextID clientName:config.pairingUUID];
949 [clientStateMachine rpcVoucher:acceptorCfshContext peerID:peerID permanentInfo:permanentInfo permanentInfoSig:permanentInfoSig stableInfo:stableInfo stableInfoSig:stableInfoSig reply:^(NSData *voucher, NSData *voucherSig, NSError *error) {
950 reply(voucher, voucherSig, error);
954 - (void)restore:(NSString * _Nullable)containerName
955 contextID:(nonnull NSString *)contextID
956 bottleSalt:(nonnull NSString *)bottleSalt
957 entropy:(nonnull NSData *)entropy
958 bottleID:(nonnull NSString *)bottleID
959 reply:(nonnull void (^)(NSError * _Nullable))reply {
960 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityBottledPeerRestore];
962 secnotice("octagon", "restore via bottle invoked for container: %@, context: %@", containerName, contextID);
964 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
966 [cfshContext startOctagonStateMachine];
968 [cfshContext joinWithBottle:bottleID entropy:entropy bottleSalt:bottleSalt reply:^(NSError *error) {
969 [tracker stopWithEvent:OctagonEventBottledPeerRestore result:error];
975 // MARK: Ghost busting using ramp records
978 -(BOOL) ghostbustByMidEnabled {
979 [self ensureRampsInitialized];
980 return [self.gbmidRamp checkRampStateWithError:nil];
983 -(BOOL) ghostbustBySerialEnabled {
984 [self ensureRampsInitialized];
985 return [self.gbserialRamp checkRampStateWithError:nil];
988 -(BOOL) ghostbustByAgeEnabled {
989 [self ensureRampsInitialized];
990 return [self.gbAgeRamp checkRampStateWithError:nil];
997 - (void)setupAnalytics
1001 [[self.loggerClass logger] AddMultiSamplerForName:@"Octagon-healthSummary"
1002 withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport
1003 block:^NSDictionary<NSString *,NSNumber *> *{
1006 // We actually only care about the default context for the default container
1007 OTCuttlefishContext* cuttlefishContext = [self contextForContainerName:OTCKContainerName contextID:OTDefaultContext];
1009 secnotice("octagon-analytics", "Reporting analytics for container: %@, context: %@", OTCKContainerName, OTDefaultContext);
1011 NSMutableDictionary* values = [NSMutableDictionary dictionary];
1013 NSError* error = nil;
1014 SOSCCStatus sosStatus = [self.sosAdapter circleStatus:&error];
1016 secnotice("octagon-analytics", "Error fetching SOS status: %@", error);
1018 values[OctagonAnalyticsSOSStatus] = @((int)sosStatus);
1019 NSDate* dateOfLastPPJ = [[CKKSAnalytics logger] datePropertyForKey:OctagonEventUpgradePreflightPreapprovedJoin];
1020 values[OctagonAnalyticsDateOfLastPreflightPreapprovedJoin] = @([CKKSAnalytics fuzzyDaysSinceDate:dateOfLastPPJ]);
1022 values[OctagonAnalyticsStateMachineState] = OctagonStateMap()[cuttlefishContext.stateMachine.currentState];
1024 NSError* metadataError = nil;
1025 OTAccountMetadataClassC* metadata = [cuttlefishContext.accountMetadataStore loadOrCreateAccountMetadata:&metadataError];
1026 if(!metadata || metadataError) {
1027 secnotice("octagon-analytics", "Error fetching Octagon metadata: %@", metadataError);
1029 values[OctagonAnalyticIcloudAccountState] = metadata ? @(metadata.icloudAccountState) : nil;
1030 values[OctagonAnalyticCDPBitStatus] = metadata? @(metadata.cdpState) : nil;
1031 values[OctagonAnalyticsTrustState] = metadata ? @(metadata.trustState) : nil;
1033 TPSyncingPolicy* syncingPolicy = [metadata getTPSyncingPolicy];
1034 values[OctagonAnalyticsUserControllableViewsSyncing] = syncingPolicy ? @(syncingPolicy.syncUserControllableViewsAsBoolean) : nil;
1036 NSDate* healthCheck = [cuttlefishContext currentMemoizedLastHealthCheck];
1037 values[OctagonAnalyticsLastHealthCheck] = @([CKKSAnalytics fuzzyDaysSinceDate:healthCheck]);
1039 NSDate* dateOfLastKSR = [[CKKSAnalytics logger] datePropertyForKey: OctagonAnalyticsLastKeystateReady];
1040 values[OctagonAnalyticsLastKeystateReady] = @([CKKSAnalytics fuzzyDaysSinceDate:dateOfLastKSR]);
1042 if(metadata && metadata.icloudAccountState == OTAccountMetadataClassC_AccountState_ACCOUNT_AVAILABLE) {
1043 values[OctagonAnalyticsAttemptedJoin] = @(metadata.attemptedJoin);
1045 NSError* machineIDError = nil;
1046 NSString* machineID = [cuttlefishContext.authKitAdapter machineID:&machineIDError];
1047 if(machineIDError) {
1048 secnotice("octagon-analytics", "Error fetching machine ID: %@", metadataError);
1051 values[OctagonAnalyticsHaveMachineID] = @(machineID != nil);
1054 NSError* midOnListError = nil;
1055 BOOL midOnList = [cuttlefishContext machineIDOnMemoizedList:machineID error:&midOnListError];
1057 if(midOnListError) {
1058 secnotice("octagon-analytics", "Error fetching 'mid on list': %@", midOnListError);
1060 values[OctagonAnalyticsMIDOnMemoizedList] = @(midOnList);
1063 NSError* peersWithMIDError = nil;
1064 NSNumber* peersWithMID = [cuttlefishContext numberOfPeersInModelWithMachineID:machineID error:&peersWithMIDError];
1065 if(peersWithMID && peersWithMIDError == nil) {
1066 values[OctagonAnalyticsPeersWithMID] = peersWithMID;
1068 secnotice("octagon-analytics", "Error fetching how many peers have our MID: %@", midOnListError);
1073 // Track CFU usage and success/failure metrics
1074 // 1. Users in a good state will have no outstanding CFU, and will not have done a CFU
1075 // 2. Users in a bad state who have not repsonded to the CFU (repaired) will have a pending CFU.
1076 // 3. Users in a bad state who have acted on the CFU will have no pending CFU, but will have CFU failures.
1078 // We also record the time window between the last followup completion and invocation.
1079 NSDate* dateOfLastFollowup = [[CKKSAnalytics logger] datePropertyForKey: OctagonAnalyticsLastCoreFollowup];
1080 values[OctagonAnalyticsLastCoreFollowup] = @([CKKSAnalytics fuzzyDaysSinceDate:dateOfLastFollowup]);
1081 // We used to report this, but it was never set
1082 //values[OctagonAnalyticsCoreFollowupStatus] = @(followupHandler.followupStatus);
1084 for (NSString *type in [self cdpContextTypes]) {
1085 NSString *metricName = [NSString stringWithFormat:@"%@%@", OctagonAnalyticsCDPStateRun, type];
1086 NSString *countName = [NSString stringWithFormat:@"%@%@Tries", OctagonAnalyticsCDPStateRun, type];
1088 NSDate *lastFailure = [[CKKSAnalytics logger] datePropertyForKey:metricName];
1090 values[metricName] = @([CKKSAnalytics fuzzyDaysSinceDate:lastFailure]);
1091 values[countName] = [[CKKSAnalytics logger] numberPropertyForKey:countName];
1096 id<SecEscrowRequestable> request = [self.escrowRequestClass request:&error];
1098 values[OctagonAnalyticsPrerecordPending] = @([request pendingEscrowUpload:&error]);
1100 secnotice("octagon-analytics", "Error fetching pendingEscrowUpload status: %@", error);
1103 secnotice("octagon-analytics", "Error fetching escrowRequestClass: %@", error);
1107 ACAccountStore *store = [[ACAccountStore alloc] init];
1108 ACAccount* primaryAccount = [store aa_primaryAppleAccount];
1109 if(primaryAccount) {
1110 values[OctagonAnalyticsKVSProvisioned] = @([primaryAccount isProvisionedForDataclass:ACAccountDataclassKeyValue]);
1111 values[OctagonAnalyticsKVSEnabled] = @([primaryAccount isEnabledForDataclass:ACAccountDataclassKeyValue]);
1112 values[OctagonAnalyticsKeychainSyncProvisioned] = @([primaryAccount isProvisionedForDataclass:ACAccountDataclassKeychainSync]);
1113 values[OctagonAnalyticsKeychainSyncEnabled] = @([primaryAccount isEnabledForDataclass:ACAccountDataclassKeychainSync]);
1114 values[OctagonAnalyticsCloudKitProvisioned] = @([primaryAccount isProvisionedForDataclass:ACAccountDataclassCKDatabaseService]);
1115 values[OctagonAnalyticsCloudKitEnabled] = @([primaryAccount isEnabledForDataclass:ACAccountDataclassCKDatabaseService]);
1122 [[self.loggerClass logger] AddMultiSamplerForName:@"CFU-healthSummary"
1123 withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport
1124 block:^NSDictionary<NSString *,NSNumber *> *{
1125 OTCuttlefishContext* cuttlefishContext = [self contextForContainerName:OTCKContainerName contextID:OTDefaultContext];
1126 return [cuttlefishContext.followupHandler sfaStatus];
1130 - (NSArray<OTCliqueCDPContextType> *)cdpContextTypes
1132 static NSArray<OTCliqueCDPContextType> *contextTypes = nil;
1133 static dispatch_once_t onceToken;
1134 dispatch_once(&onceToken, ^{
1135 contextTypes = @[OTCliqueCDPContextTypeNone,
1136 OTCliqueCDPContextTypeSignIn,
1137 OTCliqueCDPContextTypeRepair,
1138 OTCliqueCDPContextTypeFinishPasscodeChange,
1139 OTCliqueCDPContextTypeRecoveryKeyGenerate,
1140 OTCliqueCDPContextTypeRecoveryKeyNew,
1141 OTCliqueCDPContextTypeUpdatePasscode,
1144 return contextTypes;
1148 // MARK: Recovery Key
1151 - (void) createRecoveryKey:(NSString* _Nullable)containerName
1152 contextID:(NSString *)contextID
1153 recoveryKey:(NSString *)recoveryKey
1154 reply:(void (^)( NSError *error))reply
1156 secnotice("octagon", "Setting recovery key for container: %@, context: %@", containerName, contextID);
1158 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivitySetRecoveryKey];
1160 if (!self.sosEnabledForPlatform) {
1161 secnotice("octagon-recovery", "Device does not participate in SOS; cannot enroll recovery key in Octagon");
1162 NSError* notFullPeerError = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorLimitedPeer userInfo:@{NSLocalizedDescriptionKey : @"Device is considered a limited peer, cannot enroll recovery key in Octagon"}];
1163 [tracker stopWithEvent:OctagonEventRecoveryKey result:notFullPeerError];
1164 reply(notFullPeerError);
1168 CFErrorRef validateError = NULL;
1169 bool res = SecPasswordValidatePasswordFormat(kSecPasswordTypeiCloudRecoveryKey, (__bridge CFStringRef)recoveryKey, &validateError);
1171 NSError *validateErrorWrapper = nil;
1172 NSMutableDictionary *userInfo = [NSMutableDictionary dictionary];
1173 userInfo[NSLocalizedDescriptionKey] = @"malformed recovery key";
1175 userInfo[NSUnderlyingErrorKey] = CFBridgingRelease(validateError);
1178 validateErrorWrapper = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorRecoveryKeyMalformed userInfo:userInfo];
1180 secerror("recovery failed validation with error:%@", validateError);
1182 [tracker stopWithEvent:OctagonEventSetRecoveryKeyValidationFailed result:validateErrorWrapper];
1183 reply(validateErrorWrapper);
1187 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1189 [cfshContext startOctagonStateMachine];
1191 [cfshContext rpcSetRecoveryKey:recoveryKey reply:^(NSError * _Nullable error) {
1192 [tracker stopWithEvent:OctagonEventRecoveryKey result:error];
1197 - (void) joinWithRecoveryKey:(NSString* _Nullable)containerName
1198 contextID:(NSString *)contextID
1199 recoveryKey:(NSString*)recoveryKey
1200 reply:(void (^)(NSError * _Nullable))reply
1202 secnotice("octagon", "join with recovery key invoked for container: %@, context: %@", containerName, contextID);
1204 SFAnalyticsActivityTracker *tracker = [[self.loggerClass logger] startLogSystemMetricsForActivityNamed:OctagonActivityJoinWithRecoveryKey];
1206 CFErrorRef validateError = NULL;
1207 bool res = SecPasswordValidatePasswordFormat(kSecPasswordTypeiCloudRecoveryKey, (__bridge CFStringRef)recoveryKey, &validateError);
1209 NSError *validateErrorWrapper = nil;
1210 NSMutableDictionary *userInfo = [NSMutableDictionary dictionary];
1211 userInfo[NSLocalizedDescriptionKey] = @"malformed recovery key";
1213 userInfo[NSUnderlyingErrorKey] = CFBridgingRelease(validateError);
1216 validateErrorWrapper = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorRecoveryKeyMalformed userInfo:userInfo];
1218 secerror("recovery failed validation with error:%@", validateError);
1220 [tracker stopWithEvent:OctagonEventJoinRecoveryKeyValidationFailed result:validateErrorWrapper];
1221 reply(validateErrorWrapper);
1225 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1227 [cfshContext startOctagonStateMachine];
1229 [cfshContext joinWithRecoveryKey:recoveryKey reply:^(NSError *error) {
1230 if ((error.code == TrustedPeersHelperErrorCodeNotEnrolled || error.code == TrustedPeersHelperErrorCodeUntrustedRecoveryKeys)
1231 && [error.domain isEqualToString:TrustedPeersHelperErrorDomain]){
1232 // If we hit either of these errors, and the local device thinks it should be able to set a recovery key,
1233 // let's reset and establish octagon then enroll this recovery key in the new circle
1235 if (!self.sosEnabledForPlatform) {
1236 secerror("octagon: recovery key is not enrolled in octagon, and current device can't set recovery keys");
1237 [tracker stopWithEvent:OctagonEventJoinRecoveryKeyCircleResetFailed result:error];
1242 secerror("octagon, recovery key is not enrolled in octagon, resetting octagon circle");
1243 [[self.loggerClass logger] logResultForEvent:OctagonEventJoinRecoveryKeyCircleReset hardFailure:NO result:error];
1245 [cfshContext rpcResetAndEstablish:CuttlefishResetReasonRecoveryKey reply:^(NSError *resetError) {
1247 secerror("octagon, failed to reset octagon");
1248 [tracker stopWithEvent:OctagonEventJoinRecoveryKeyCircleResetFailed result:resetError];
1252 // Now enroll the recovery key
1253 secnotice("octagon", "attempting enrolling recovery key");
1254 [self createRecoveryKey:containerName contextID:contextID recoveryKey:recoveryKey reply:^(NSError *enrollError) {
1256 secerror("octagon, failed to enroll new recovery key: %@", enrollError);
1257 [tracker stopWithEvent:OctagonEventJoinRecoveryKeyEnrollFailed result:enrollError];
1261 secnotice("octagon", "successfully enrolled recovery key");
1262 [tracker stopWithEvent:OctagonEventRecoveryKey result:nil];
1270 secerror("octagon, join with recovery key failed: %d", (int)[error code]);
1271 [tracker stopWithEvent:OctagonEventJoinRecoveryKeyFailed result:error];
1277 - (void)xpc24HrNotification
1279 secnotice("octagon-health", "Received 24hr xpc notification");
1281 [self healthCheck:OTCKContainerName context:OTDefaultContext skipRateLimitingCheck:NO reply:^(NSError * _Nullable error) {
1283 secerror("octagon: error attempting to check octagon health: %@", error);
1285 secnotice("octagon", "health check success");
1290 - (void)healthCheck:(NSString *)container context:(NSString *)context skipRateLimitingCheck:(BOOL)skipRateLimitingCheck reply:(void (^)(NSError *_Nullable error))reply
1292 OTCuttlefishContext* cfshContext = [self contextForContainerName:container contextID:context];
1294 secnotice("octagon", "notifying container of change");
1296 [cfshContext notifyContainerChange:nil];
1298 [cfshContext checkOctagonHealth:skipRateLimitingCheck reply:^(NSError *error) {
1307 - (void)setSOSEnabledForPlatformFlag:(bool) value
1309 self.sosEnabledForPlatform = value;
1312 - (void)allContextsHalt
1314 for(OTCuttlefishContext* context in self.contexts.allValues) {
1315 [context.stateMachine haltOperation];
1317 // Also, clear the viewManager strong pointer
1318 [context clearCKKSViewManager];
1322 - (void)allContextsDisablePendingFlags
1324 for(OTCuttlefishContext* context in self.contexts.allValues) {
1325 [context.stateMachine disablePendingFlags];
1329 - (bool)allContextsPause:(uint64_t)within
1331 for(OTCuttlefishContext* context in self.contexts.allValues) {
1332 if(context.stateMachine.currentState != OctagonStateMachineNotStarted) {
1333 if([context.stateMachine.paused wait:within] != 0) {
1341 - (void)waitForOctagonUpgrade:(NSString* _Nullable)containerName
1342 context:(NSString*)context
1343 reply:(void (^)(NSError* error))reply
1346 secnotice("octagon-sos", "Attempting wait for octagon upgrade");
1347 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:context];
1349 [cfshContext startOctagonStateMachine];
1351 [cfshContext waitForOctagonUpgrade:^(NSError * _Nonnull error) {
1356 - (OTFollowupContextType)cliqueCDPTypeToFollowupContextType:(OTCliqueCDPContextType)type
1358 if ([type isEqualToString:OTCliqueCDPContextTypeNone]) {
1359 return OTFollowupContextTypeNone;
1360 } else if ([type isEqualToString:OTCliqueCDPContextTypeSignIn]) {
1361 return OTFollowupContextTypeNone;
1362 } else if ([type isEqualToString:OTCliqueCDPContextTypeRepair]) {
1363 return OTFollowupContextTypeStateRepair;
1364 } else if ([type isEqualToString:OTCliqueCDPContextTypeFinishPasscodeChange]) {
1365 return OTFollowupContextTypeOfflinePasscodeChange;
1366 } else if ([type isEqualToString:OTCliqueCDPContextTypeRecoveryKeyGenerate]) {
1367 return OTFollowupContextTypeRecoveryKeyRepair;
1368 } else if ([type isEqualToString:OTCliqueCDPContextTypeRecoveryKeyNew]) {
1369 return OTFollowupContextTypeRecoveryKeyRepair;
1370 } else if ([type isEqualToString:OTCliqueCDPContextTypeUpdatePasscode]) {
1371 return OTFollowupContextTypeNone;
1373 return OTFollowupContextTypeNone;
1377 - (void)postCDPFollowupResult:(BOOL)success
1378 type:(OTCliqueCDPContextType)type
1379 error:(NSError * _Nullable)error
1380 containerName:(NSString* _Nullable)containerName
1381 contextName:(NSString *)contextName
1382 reply:(void (^)(NSError *error))reply
1384 NSString* metricName = [NSString stringWithFormat:@"%@%@", OctagonAnalyticsCDPStateRun, type];
1385 NSString* countName = [NSString stringWithFormat:@"%@%@Tries", OctagonAnalyticsCDPStateRun, type];
1387 [[CKKSAnalytics logger] logResultForEvent:metricName
1391 [[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:metricName];
1392 [[CKKSAnalytics logger] incrementIntegerPropertyForKey:countName];
1394 [[CKKSAnalytics logger] setDateProperty:NULL forKey:metricName];
1395 [[CKKSAnalytics logger] setNumberProperty:NULL forKey:countName];
1398 // Always return without error
1402 - (void)tapToRadar:(NSString *)action
1403 description:(NSString *)description
1404 radar:(NSString *)radar
1405 reply:(void (^)(NSError * _Nullable))reply
1407 SecTapToRadar *ttr = [[SecTapToRadar alloc] initTapToRadar:action description:description radar:radar];
1412 - (void)refetchCKKSPolicy:(NSString * _Nullable)containerName
1413 contextID:(nonnull NSString *)contextID
1414 reply:(nonnull void (^)(NSError * _Nullable))reply {
1415 secnotice("octagon-ckks", "refetch-ckks-policy");
1417 if(!containerName) {
1418 containerName = OTCKContainerName;
1421 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1424 reply([NSError errorWithDomain:OctagonErrorDomain
1425 code:OTErrorNoSuchContext
1426 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
1430 [cfshContext rpcRefetchCKKSPolicy:^(NSError* error) {
1431 secnotice("octagon-ckks", "refetch-ckks-policy result: %@", error ?: @"no error");
1436 - (void)getCDPStatus:(NSString * _Nullable)containerName
1437 contextID:(nonnull NSString *)contextID
1438 reply:(nonnull void (^)(OTCDPStatus, NSError * _Nullable))reply {
1439 secnotice("octagon-cdp", "get-cdp-status");
1441 if(!containerName) {
1442 containerName = OTCKContainerName;
1445 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1448 reply(OTCDPStatusUnknown, [NSError errorWithDomain:OctagonErrorDomain
1449 code:OTErrorNoSuchContext
1450 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
1454 NSError* error = nil;
1455 OTCDPStatus status = [cfshContext getCDPStatus:&error];
1457 reply(status, error);
1461 - (void)setCDPEnabled:(NSString * _Nullable)containerName
1462 contextID:(nonnull NSString *)contextID
1463 reply:(nonnull void (^)(NSError * _Nullable))reply {
1464 secnotice("octagon-cdp", "set-cdp-enabled");
1465 if(!containerName) {
1466 containerName = OTCKContainerName;
1469 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1472 reply([NSError errorWithDomain:OctagonErrorDomain
1473 code:OTErrorNoSuchContext
1474 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
1478 NSError* localError = nil;
1479 [cfshContext setCDPEnabled:&localError];
1484 - (void)fetchEscrowRecords:(NSString * _Nullable)containerName
1485 contextID:(NSString*)contextID
1486 forceFetch:(BOOL)forceFetch
1487 reply:(nonnull void (^)(NSArray<NSData *> * _Nullable records,
1488 NSError * _Nullable error))reply {
1490 secnotice("octagon-fetch-escrow-records", "fetching records");
1491 if(!containerName) {
1492 containerName = OTCKContainerName;
1495 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1498 reply(nil, [NSError errorWithDomain:OctagonErrorDomain
1499 code:OTErrorNoSuchContext
1500 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
1504 [cfshContext rpcFetchAllViableEscrowRecords:forceFetch reply:^(NSArray<NSData *> * _Nullable records, NSError * _Nullable error) {
1506 secerror("octagon-fetch-escrow-records: error fetching records: %@", error);
1510 secnotice("octagon-fetch-escrow-records", "successfully fetched records");
1511 reply(records, nil);
1515 - (void)invalidateEscrowCache:(NSString * _Nullable)containerName
1516 contextID:(NSString*)contextID
1517 reply:(nonnull void (^)(NSError * _Nullable error))reply {
1519 secnotice("octagon-remove-escrow-cache", "beginning removing escrow cache!");
1520 if(!containerName) {
1521 containerName = OTCKContainerName;
1524 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1527 reply([NSError errorWithDomain:OctagonErrorDomain
1528 code:OTErrorNoSuchContext
1529 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
1533 [cfshContext rpcInvalidateEscrowCache:^(NSError * _Nullable invalidateError) {
1534 if(invalidateError) {
1535 secerror("octagon-remove-escrow-cache: error invalidating escrow cache: %@", invalidateError);
1536 reply(invalidateError);
1539 secnotice("octagon-remove-escrow-caches", "successfully invalidated escrow cache");
1544 - (void)setUserControllableViewsSyncStatus:(NSString* _Nullable)containerName
1545 contextID:(NSString*)contextID
1546 enabled:(BOOL)enabled
1547 reply:(void (^)(BOOL nowSyncing, NSError* _Nullable error))reply
1549 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1552 reply(NO, [NSError errorWithDomain:OctagonErrorDomain
1553 code:OTErrorNoSuchContext
1554 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
1558 [cfshContext rpcSetUserControllableViewsSyncingStatus:enabled reply:^(BOOL areSyncing, NSError * _Nullable error) {
1560 secerror("octagon-user-controllable-views: error setting status: %@", error);
1565 secnotice("octagon-user-controllable-views", "successfully set status to: %@", areSyncing ? @"enabled" : @"paused");
1566 reply(areSyncing, nil);
1570 - (void)fetchUserControllableViewsSyncStatus:(NSString* _Nullable)containerName
1571 contextID:(NSString*)contextID
1572 reply:(void (^)(BOOL nowSyncing, NSError* _Nullable error))reply
1574 OTCuttlefishContext* cfshContext = [self contextForContainerName:containerName contextID:contextID];
1577 reply(NO, [NSError errorWithDomain:OctagonErrorDomain
1578 code:OTErrorNoSuchContext
1579 description:[NSString stringWithFormat:@"No context for (%@,%@)", containerName, contextID]]);
1583 [cfshContext rpcFetchUserControllableViewsSyncingStatus:^(BOOL areSyncing, NSError * _Nullable error) {
1585 secerror("octagon-user-controllable-views: error fetching status: %@", error);
1590 secerror("octagon-user-controllable-views: succesfully fetched status as: %@", areSyncing ? @"enabled" : @"paused");
1591 reply(areSyncing, nil);