Security-57337.40.85.tar.gz
1 /*
2 * Copyright (c) 2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * This is to fool os services into not providing the Keychain manager
26 * interface, which doesn't work since we don't have unified headers
27 * between iOS and OS X. rdar://23405418/
28 */
29 #define __KEYCHAINCORE__ 1
30
31
32 #import <Foundation/Foundation.h>
33 #import <CoreFoundation/CoreFoundation.h>
34 #import <Security/SecBase.h>
35 #import <Security/SecItem.h>
36 #import <Security/SecItemPriv.h>
37 #import <Security/SecInternal.h>
38 #import <utilities/SecCFWrappers.h>
39 #import <utilities/SecFileLocations.h>
40 #import <securityd/SecItemServer.h>
41
42 #import <stdlib.h>
43
44 #include "secd_regressions.h"
45 #include "SecdTestKeychainUtilities.h"
46
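/*
 * Accessors for the process's current keychain access-group list.
 * They are declared locally because none of the headers imported above is
 * relied on for them; the test uses them to save, widen and restore the list.
 * The getter is declared with (void) so it is a real prototype, not an
 * unspecified-argument declaration.
 */
void SecAccessGroupsSetCurrent(CFArrayRef accessGroups);
CFArrayRef SecAccessGroupsGetCurrent(void);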
49
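/*
 * Regression test for moving keychain items between keychain "views".
 *
 * On TARGET_OS_IOS it:
 *   1. adds a generic-password item to the user keychain and calls
 *      _SecServerTransmogrifyToSystemKeychain(), then checks the item is
 *      returned from the system keychain with the system-keychain musr value;
 *   2. adds a com.apple.ProtectedCloudStorage item as multi-user client 502,
 *      calls _SecServerTransmogrifyToSyncBubble(), and checks the item can be
 *      read both normally and through kSecUseSyncBubbleKeychain.
 * On other targets the whole plan is skipped.
 *
 * The test rewrites process-global state (current access groups, musr mode)
 * and puts it back before returning.
 *
 * NOTE(review): only positive lookups are asserted. Nothing checks that the
 * item is gone from the user keychain after step 1, or that the sync-bubble
 * copy is invisible without kSecUseSyncBubbleKeychain. Those negative checks
 * are what would catch an isolation regression; adding them needs the plan
 * count below raised accordingly.
 *
 * @param argc unused
 * @param argv unused
 * @return always 0; results are reported through the test harness.
 */
int
secd_21_transmogrify(int argc, char *const *argv)
{
    /* 14 checks in this function; kSecdTestSetupTestCount presumably covers
     * the checks made inside secd_test_setup_temp_keychain(). */
    plan_tests(kSecdTestSetupTestCount + 14);

#if TARGET_OS_IOS
    CFErrorRef error = NULL;
    CFDictionaryRef result = NULL;
    OSStatus res;

    /*
     * Widen this process's access groups with the private system-keychain,
     * sync-bubble and migration groups plus the PCS group. This is global
     * state and is restored from currentACL at the end of the function.
     * NOTE(review): currentACL is held without a retain; this relies on
     * SecAccessGroupsSetCurrent() not releasing the previous array -- confirm.
     */
    CFArrayRef currentACL = SecAccessGroupsGetCurrent();

    NSMutableArray *newACL = [NSMutableArray arrayWithArray:(__bridge NSArray *)currentACL];
    [newACL addObjectsFromArray:@[
        @"com.apple.private.system-keychain",
        @"com.apple.private.syncbubble-keychain",
        @"com.apple.private.migrate-musr-system-keychain",
        @"com.apple.ProtectedCloudStorage",
    ]];

    SecAccessGroupsSetCurrent((__bridge CFArrayRef)newACL);


    secd_test_setup_temp_keychain("secd_21_transmogrify", NULL);

    /*
     * Add to user keychain
     */

    res = SecItemAdd((CFDictionaryRef)@{
        (id)kSecClass : (id)kSecClassGenericPassword,
        (id)kSecAttrAccount : @"user-label-me",
    }, NULL);
    is(res, 0, "SecItemAdd(user)");

    /*
     * Hand-built client for user 502, not yet in multi-user mode. The
     * allowSystemKeychain / allowSyncBubbleKeychain flags are set directly
     * here; the test does not exercise how a real caller would obtain them.
     */
    SecurityClient client = {
        .task = NULL,
        .accessGroups = (__bridge CFArrayRef)@[
            @"com.apple.ProtectedCloudStorage"
        ],
        .allowSystemKeychain = true,
        .allowSyncBubbleKeychain = true,
        .uid = 502,
        .inMultiUser = false,
        .activeUser = 502,
    };

    is(_SecServerTransmogrifyToSystemKeychain(&client, &error), true, "_SecServerTransmogrifyToSystemKeychain: %@", error);
    /* Drop any error before &error is handed to the next call, so a failure
     * here is neither leaked nor carried into later diagnostics. */
    CFReleaseNull(error);

    CFDataRef musr = SecMUSRCreateActiveUserUUID(502);

    /* From here on the client acts as multi-user active user 502. */
    client.inMultiUser = true;
    client.musr = musr;

    SecSecuritySetMusrMode(true, 502, 502);

    res = SecItemCopyMatching((CFDictionaryRef)@{
        (id)kSecClass : (id)kSecClassGenericPassword,
        (id)kSecAttrAccount : @"user-label-me",
        (id)kSecUseSystemKeychain : (id)kCFBooleanTrue,
        (id)kSecReturnAttributes : (id)kCFBooleanTrue,
    }, (CFTypeRef *)&result);
    is(res, 0, "SecItemCopyMatching(system)");

    ok(isDictionary(result), "found item");
    if (isDictionary(result)) {
        /* The migrated item must carry the system-keychain musr value. */
        NSData *data = ((NSDictionary *)result)[@"musr"];
        ok([data isEqual:(id)SecMUSRGetSystemKeychainUUID()], "item is system keychain");
    } else {
        /* Keeps the number of executed checks equal to the plan. */
        ok(0, "returned item is: %@", result);
    }
    CFReleaseNull(result);

    /*
     * Check sync bubble
     */

    res = _SecItemAdd((CFDictionaryRef)@{
        (id)kSecClass : (id)kSecClassGenericPassword,
        (id)kSecAttrAccessGroup : @"com.apple.ProtectedCloudStorage",
        (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock,
        (id)kSecAttrAccount : @"pcs-label-me",
    }, &client, NULL, NULL);
    is(res, true, "SecItemAdd(user)");

    /* No kSecUseSystemKeychain here: this is a lookup in the active user's
     * keychain, so the description says so. */
    res = _SecItemCopyMatching((CFDictionaryRef)@{
        (id)kSecClass : (id)kSecClassGenericPassword,
        (id)kSecAttrAccount : @"pcs-label-me",
        (id)kSecReturnAttributes : (id)kCFBooleanTrue,
    }, &client, (CFTypeRef *)&result, &error);
    is(res, true, "SecItemCopyMatching(active user): %@", error);
    CFReleaseNull(error);

    ok(isDictionary(result), "result is dictionary");

    /* Check that data are in 502 active user keychain */
    ok (CFEqualSafe(((__bridge NSDictionary *)result)[@"musr"], musr), "item is in musr 502 (active user) keychain");

    CFReleaseNull(result);


    ok(_SecServerTransmogrifyToSyncBubble((__bridge CFArrayRef)@[@"com.apple.mailq.sync.xpc" ], client.uid, &client, &error),
       "_SecServerTransmogrifyToSyncBubble: %@", error);

    CFReleaseNull(error);

    /*
     * first check normal keychain
     */

    res = _SecItemCopyMatching((CFDictionaryRef)@{
        (id)kSecClass : (id)kSecClassGenericPassword,
        (id)kSecAttrAccount : @"pcs-label-me",
        (id)kSecReturnAttributes : (id)kCFBooleanTrue,
    }, &client, (CFTypeRef *)&result, &error);
    is(res, true, "SecItemCopyMatching(active): %@", error);
    CFReleaseNull(error);

    ok(isDictionary(result), "result is dictionary");
    CFReleaseNull(result);

    /*
     * NOTE(review): the global musr mode switches to user 503 here, but the
     * client passed below still carries uid/activeUser 502 and the musr for
     * 502. Whether the next query really runs as a different user depends on
     * how _SecItemCopyMatching weighs the client against the global mode --
     * confirm, since that is the cross-user boundary this test is about.
     */
    SecSecuritySetMusrMode(true, 503, 503);

    /*
     * then syncbubble keychain
     */

    res = _SecItemCopyMatching((CFDictionaryRef)@{
        (id)kSecClass : (id)kSecClassGenericPassword,
        (id)kSecAttrAccount : @"pcs-label-me",
        (id)kSecReturnAttributes : (id)kCFBooleanTrue,
        (id)kSecUseSyncBubbleKeychain : @502,
    }, &client, (CFTypeRef *)&result, &error);
    is(res, true, "SecItemCopyMatching(syncbubble): %@", error);
    CFReleaseNull(error);
    ok(isDictionary(result), "result is dictionary");

    CFReleaseNull(result);

    /* Restore global state so later regressions in the same process do not
     * inherit multi-user mode or the widened access groups. */
    SecSecuritySetMusrMode(false, 501, -1);

    SecAccessGroupsSetCurrent((__bridge CFArrayRef)currentACL);

    /* NULL-safe: SecMUSRCreateActiveUserUUID() is not checked above. */
    CFReleaseNull(musr);
#else
    plan_skip_all("not support on non TARGET_OS_IOS");
#endif
    return 0;
}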