keychain/SecureObjectSync/SOSControlServer.m

   1 #import <Foundation/Foundation.h>
   2 #import <Foundation/NSXPCConnection_Private.h>
   3 #import <Security/SecEntitlements.h>
   4 #import <ipc/securityd_client.h>
   5 #import "SOSAccount.h"
   6 #import "SOSControlHelper.h"
   7 #import "SOSControlServer.h"
   8
   9 @interface SOSControlServer : NSObject <NSXPCListenerDelegate>
  10 @end
  11
  12 @interface SOSClient ()
  13 @property (strong) SOSAccount * account;
  14 - (instancetype)initSOSClientWithAccount:(SOSAccount *)account;
  15 - (bool)checkEntitlement:(NSString *)entitlement;
  16 @end
  17
  18 @interface SOSClientRemote : SOSClient
  19 @property (weak) NSXPCConnection * connection;
  20 - (instancetype)initSOSConnectionWithConnection:(NSXPCConnection *)connection account:(SOSAccount *)account;
  21 @end
  22
  23 @implementation SOSControlServer
  24
  25 - (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection
  26 {
  27     NSNumber *num = [newConnection valueForEntitlement:(__bridge NSString *)kSecEntitlementKeychainCloudCircle];
  28     if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) {
  29         secerror("sos: Client pid: %d doesn't have entitlement: %@",
  30                 [newConnection processIdentifier], kSecEntitlementKeychainCloudCircle);
  31         return NO;
  32     }
  33
  34     SOSAccount *account = (__bridge SOSAccount *)SOSKeychainAccountGetSharedAccount();
  35     if (account == nil) {
  36         secerror("sos: SOS have not launched yet, come later, pid: %d",
  37                 [newConnection processIdentifier]);
  38         return NO;
  39     }
  40
  41     SOSClientRemote *sosClient = [[SOSClientRemote alloc] initSOSConnectionWithConnection:newConnection account:account];
  42
  43     newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SOSControlProtocol)];
  44     _SOSControlSetupInterface(newConnection.exportedInterface);
  45     newConnection.exportedObject = sosClient;
  46
  47     [newConnection resume];
  48
  49     return YES;
  50 }
  51
  52 - (SOSClient *)internalSOSClient
  53 {
  54     return [[SOSClient alloc] initSOSClientWithAccount:(__bridge SOSAccount *)SOSKeychainAccountGetSharedAccount()];
  55 }
  56
  57 @end
  58
  59 @implementation SOSClient
  60
  61 @synthesize account = _account;
  62
  63 - (instancetype)initSOSClientWithAccount:(SOSAccount *)account
  64 {
  65     if ((self = [super init])) {
  66         _account = account;
  67     }
  68     return self;
  69 }
  70
  71 - (bool)checkEntitlement:(NSString *)entitlement
  72 {
  73     return true;
  74 }
  75
  76 - (void)userPublicKey:(void ((^))(BOOL trusted, NSData *spki, NSError *error))reply
  77 {
  78     [self.account userPublicKey:reply];
  79 }
  80
  81 - (void)kvsPerformanceCounters:(void(^)(NSDictionary <NSString *, NSNumber *> *))reply
  82 {
  83     [self.account kvsPerformanceCounters:reply];
  84 }
  85
  86 - (void)rateLimitingPerformanceCounters:(void(^)(NSDictionary <NSString *, NSString *> *))reply
  87 {
  88     [self.account rateLimitingPerformanceCounters:reply];
  89 }
  90
  91 - (void)stashedCredentialPublicKey:(void(^)(NSData *, NSError *error))reply
  92 {
  93     [self.account stashedCredentialPublicKey:reply];
  94 }
  95
  96 - (void)assertStashedAccountCredential:(void(^)(BOOL result, NSError *error))reply
  97 {
  98     [self.account assertStashedAccountCredential:reply];
  99 }
 100
 101 - (void)validatedStashedAccountCredential:(void(^)(NSData *credential, NSError *error))complete
 102 {
 103     [self.account validatedStashedAccountCredential:complete];
 104 }
 105
 106 - (void)stashAccountCredential:(NSData *)credential complete:(void(^)(bool success, NSError *error))complete
 107 {
 108     [self.account stashAccountCredential:credential complete:complete];
 109 }
 110
 111 - (void)myPeerInfo:(void (^)(NSData *, NSError *))complete
 112 {
 113     [self.account myPeerInfo:complete];
 114 }
 115
 116 - (void)circleHash:(void (^)(NSString *, NSError *))complete
 117 {
 118     [self.account circleHash:complete];
 119 }
 120
 121
 122 - (void)circleJoiningBlob:(NSData *)applicant complete:(void (^)(NSData *blob, NSError *))complete
 123 {
 124     [self.account circleJoiningBlob:applicant complete:complete];
 125 }
 126
 127 - (void)joinCircleWithBlob:(NSData *)blob version:(PiggyBackProtocolVersion)version complete:(void (^)(bool success, NSError *))complete
 128 {
 129     [self.account joinCircleWithBlob:blob version:version complete:complete];
 130 }
 131
 132 - (void)initialSyncCredentials:(uint32_t)flags complete:(void (^)(NSArray *, NSError *))complete
 133 {
 134     if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainInitialSync]) {
 135         complete(@[], [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]);
 136         return;
 137     }
 138
 139     [self.account initialSyncCredentials:flags complete:complete];
 140 }
 141
 142 - (void)importInitialSyncCredentials:(NSArray *)items complete:(void (^)(bool success, NSError *))complete
 143 {
 144     if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainInitialSync]) {
 145         complete(false, [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]);
 146         return;
 147     }
 148
 149     [self.account importInitialSyncCredentials:items complete:complete];
 150 }
 151
 152 - (void)triggerSync:(NSArray <NSString *> *)peers complete:(void(^)(bool success, NSError *))complete
 153 {
 154     if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainCloudCircle]) {
 155         complete(false, [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]);
 156         return;
 157     }
 158
 159     [self.account triggerSync:peers complete:complete];
 160 }
 161
 162 - (void)getWatchdogParameters:(void (^)(NSDictionary* parameters, NSError* error))complete
 163 {
 164     [self.account getWatchdogParameters:complete];
 165 }
 166
 167 - (void)setWatchdogParmeters:(NSDictionary*)parameters complete:(void (^)(NSError* error))complete
 168 {
 169     [self.account setWatchdogParmeters:parameters complete:complete];
 170 }
 171
 172 - (void) ghostBust:(SOSAccountGhostBustingOptions)options complete: (void(^)(bool ghostBusted, NSError *error))complete {
 173     [self.account ghostBust:options complete:complete];
 174 }
 175
 176 - (void)ghostBustTriggerTimed:(SOSAccountGhostBustingOptions)options complete: (void(^)(bool ghostBusted, NSError *error))complete {
 177     [self.account ghostBustTriggerTimed:options complete:complete];
 178 }
 179
 180 - (void) ghostBustPeriodic:(SOSAccountGhostBustingOptions)options complete: (void(^)(bool busted, NSError *error))complete {
 181     [self.account ghostBustPeriodic:options complete:complete];
 182 }
 183
 184 - (void) ghostBustInfo: (void(^)(NSData *json, NSError *error))complete {
 185     [self.account ghostBustInfo:complete];
 186 }
 187
 188 - (void)triggerBackup:(NSArray<NSString *>* _Nullable)backupPeers complete:(void (^)(NSError *error))complete
 189 {
 190     [self.account triggerBackup:backupPeers complete:complete];
 191 }
 192
 193
 194 @end
 195
 196 @implementation SOSClientRemote
 197
 198 - (instancetype)initSOSConnectionWithConnection:(NSXPCConnection *)connection account:(SOSAccount *)account
 199 {
 200     self = [super initSOSClientWithAccount:account];
 201     if (self) {
 202         self.connection = connection;
 203     }
 204     return self;
 205 }
 206
 207 - (bool)checkEntitlement:(NSString *)entitlement
 208 {
 209     NSXPCConnection *strongConnection = _connection;
 210
 211     NSNumber *num = [strongConnection valueForEntitlement:entitlement];
 212     if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) {
 213         secerror("sos: Client pid: %d doesn't have entitlement: %@",
 214                  [strongConnection processIdentifier], entitlement);
 215         return false;
 216     }
 217     return true;
 218 }
 219 @end
 220
 221 static SOSControlServer *sosServer;
 222
 223 void
 224 SOSControlServerInitialize(void)
 225 {
 226     static dispatch_once_t once;
 227     static NSXPCListener *listener;
 228
 229     dispatch_once(&once, ^{
 230         @autoreleasepool {
 231             sosServer = [SOSControlServer new];
 232
 233             listener = [[NSXPCListener alloc] initWithMachServiceName:@(kSecuritydSOSServiceName)];
 234             listener.delegate = sosServer;
 235             [listener resume];
 236         }
 237     });
 238 }
 239
 240 SOSClient *
 241 SOSControlServerInternalClient(void)
 242 {
 243     SOSControlServerInitialize();
 244     return [sosServer internalSOSClient];
 245 }