4 #import "keychain/TrustedPeersHelper/TrustedPeersHelperProtocol.h"
5 #import "keychain/ot/categories/OTAccountMetadataClassC+KeychainSupport.h"
7 #import <CloudKit/CloudKit_Private.h>
9 #import "keychain/ckks/CloudKitCategories.h"
11 #import "keychain/ot/ObjCImprovements.h"
13 #import "keychain/ot/OTCuttlefishAccountStateHolder.h"
14 #import "keychain/ot/OTOperationDependencies.h"
15 #import "keychain/ot/OTStates.h"
16 #import "keychain/ot/OTUpdateTPHOperation.h"
18 @interface OTUpdateTPHOperation ()
19 @property OTOperationDependencies* deps;
21 @property OctagonState* peerUnknownState;
23 @property NSOperation* finishedOp;
25 @property (nullable) OctagonFlag* retryFlag;
28 @implementation OTUpdateTPHOperation
29 @synthesize nextState = _nextState;
30 @synthesize intendedState = _intendedState;
32 - (instancetype)initWithDependencies:(OTOperationDependencies*)dependencies
33 intendedState:(OctagonState*)intendedState
34 peerUnknownState:(OctagonState*)peerUnknownState
35 errorState:(OctagonState*)errorState
36 retryFlag:(OctagonFlag* _Nullable)retryFlag
38 if((self = [super init])) {
41 _intendedState = intendedState;
42 _nextState = errorState;
43 _peerUnknownState = peerUnknownState;
45 _retryFlag = retryFlag;
53 self.finishedOp = [NSBlockOperation blockOperationWithBlock:^{
54 // If we errored in some unknown way, ask to try again!
58 if(self.retryFlag == nil) {
59 secerror("octagon: Received an error updating TPH, but no retry flag present.");
63 // Is this a very scary error?
66 OctagonPendingFlag* pendingFlag = nil;
68 if([self.deps.lockStateTracker isLockedError:self.error]) {
69 secnotice("octagon", "Updating trust state failed because locked, retry once unlocked: %@", self.error);
70 self.nextState = OctagonStateWaitForUnlock;
71 pendingFlag = [[OctagonPendingFlag alloc] initWithFlag:self.retryFlag
72 conditions:OctagonPendingConditionsDeviceUnlocked];
75 // more CloudKit errors should trigger a retry here
76 secnotice("octagon", "Error is currently unknown, aborting: %@", self.error);
81 NSTimeInterval baseDelay = SecCKKSTestsEnabled() ? 2 : 30;
82 NSTimeInterval ckDelay = CKRetryAfterSecondsForError(self.error);
83 NSTimeInterval cuttlefishDelay = [self.error cuttlefishRetryAfter];
84 NSTimeInterval delay = MAX(ckDelay, cuttlefishDelay);
89 pendingFlag = [[OctagonPendingFlag alloc] initWithFlag:self.retryFlag
90 delayInSeconds:delay];
92 secnotice("octagon", "Updating trust state no fatal: requesting retry: %@",
94 [self.deps.flagHandler handlePendingFlag:pendingFlag];
98 [self dependOnBeforeGroupFinished:self.finishedOp];
101 [self.deps.cuttlefishXPCWrapper updateWithContainer:self.deps.containerName
102 context:self.deps.contextID
103 deviceName:self.deps.deviceInformationAdapter.deviceName
104 serialNumber:self.deps.deviceInformationAdapter.serialNumber
105 osVersion:self.deps.deviceInformationAdapter.osVersion
108 syncUserControllableViews:nil
109 reply:^(TrustedPeersHelperPeerState* peerState, TPSyncingPolicy* syncingPolicy, NSError* error) {
111 if(error || !peerState) {
112 secerror("octagon: update errored: %@", error);
115 if ([error isCuttlefishError:CuttlefishErrorUpdateTrustPeerNotFound]) {
116 secnotice("octagon-ckks", "Cuttlefish reports we no longer exist.");
117 self.nextState = self.peerUnknownState;
119 // On an error, for now, go back to the intended state
120 // <rdar://problem/50190005> Octagon: handle lock state errors in update()
121 self.nextState = self.intendedState;
123 [self runBeforeGroupFinished:self.finishedOp];
127 secnotice("octagon", "update complete: %@, %@", peerState, syncingPolicy);
129 NSError* localError = nil;
130 BOOL persisted = [self.deps.stateHolder persistAccountChanges:^OTAccountMetadataClassC * _Nonnull(OTAccountMetadataClassC * _Nonnull metadata) {
131 [metadata setTPSyncingPolicy:syncingPolicy];
133 } error:&localError];
134 if(!persisted || localError) {
135 secerror("octagon: Unable to save new syncing state: %@", localError);
138 // After an update(), we're sure that we have a fresh policy
139 BOOL viewSetChanged = [self.deps.viewManager setCurrentSyncingPolicy:syncingPolicy policyIsFresh:YES];
141 [self.deps.flagHandler handleFlag:OctagonFlagCKKSViewSetChanged];
145 if(peerState.identityIsPreapproved) {
146 secnotice("octagon-sos", "Self peer is now preapproved!");
147 [self.deps.flagHandler handleFlag:OctagonFlagEgoPeerPreapproved];
149 if (peerState.memberChanges) {
150 secnotice("octagon", "Member list changed");
151 [self.deps.octagonAdapter sendTrustedPeerSetChangedUpdate];
154 if (peerState.unknownMachineIDsPresent) {
155 secnotice("octagon-authkit", "Unknown machine IDs are present; requesting fetch");
156 [self.deps.flagHandler handleFlag:OctagonFlagFetchAuthKitMachineIDList];
159 if (peerState.peerStatus & TPPeerStatusExcluded) {
160 secnotice("octagon", "Self peer (%@) is excluded; moving to untrusted", peerState.peerID);
161 self.nextState = OctagonStateBecomeUntrusted;
162 } else if(peerState.peerStatus & TPPeerStatusUnknown) {
163 if (peerState.identityIsPreapproved) {
164 secnotice("octagon", "Self peer (%@) is excluded but is preapproved, moving to sosuprade", peerState.peerID);
165 self.nextState = OctagonStateAttemptSOSUpgrade;
167 secnotice("octagon", "Self peer (%@) is unknown; moving to '%@''", peerState.peerID, self.peerUnknownState);
168 self.nextState = self.peerUnknownState;
171 self.nextState = self.intendedState;
174 [self runBeforeGroupFinished:self.finishedOp];
projects / apple / security.git / blob