+++ /dev/null
-/* Copyright (c) 2012 Apple Inc. All rights reserved. */
-
-#include "authdb.h"
-#include "mechanism.h"
-#include "rule.h"
-#include "debugging.h"
-#include "authitems.h"
-#include "server.h"
-
-#include <sqlite3.h>
-#include <sqlite3_private.h>
-#include <CoreFoundation/CoreFoundation.h>
-#include "rule.h"
-#include "authutilities.h"
-#include <libgen.h>
-#include <sys/stat.h>
-
-#define AUTHDB "/var/db/auth.db"
-#define AUTHDB_DATA "/System/Library/Security/authorization.plist"
-
-#define AUTH_STR(x) #x
-#define AUTH_STRINGIFY(x) AUTH_STR(x)
-
-#define AUTHDB_VERSION 1
-#define AUTHDB_VERSION_STRING AUTH_STRINGIFY(AUTHDB_VERSION)
-
-#define AUTHDB_BUSY_DELAY 1
-#define AUTHDB_MAX_HANDLES 3
-
-struct _authdb_connection_s {
- __AUTH_BASE_STRUCT_HEADER__;
-
- authdb_t db;
- sqlite3 * handle;
-};
-
-struct _authdb_s {
- __AUTH_BASE_STRUCT_HEADER__;
-
- char * db_path;
- dispatch_queue_t queue;
- CFMutableArrayRef connections;
-};
-
-static const char * const authdb_upgrade_sql[] = {
- /* 0 */
- /* current scheme */
- "CREATE TABLE delegates_map ("
- "r_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,"
- "d_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,"
- "ord INTEGER NOT NULL"
- ");"
- "CREATE INDEX d_map_d_id ON delegates_map(d_id);"
- "CREATE INDEX d_map_r_id ON delegates_map(r_id);"
- "CREATE INDEX d_map_r_id_ord ON delegates_map (r_id, ord);"
- "CREATE TABLE mechanisms ("
- "id INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE,"
- "plugin TEXT NOT NULL,"
- "param TEXT NOT NULL,"
- "privileged INTEGER CHECK (privileged = 0 OR privileged = 1) NOT NULL DEFAULT (0)"
- ");"
- "CREATE UNIQUE INDEX mechanisms_lookup ON mechanisms (plugin,param,privileged);"
- "CREATE TABLE mechanisms_map ("
- "r_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,"
- "m_id INTEGER NOT NULL REFERENCES mechanisms(id) ON DELETE CASCADE,"
- "ord INTEGER NOT NULL"
- ");"
- "CREATE INDEX m_map_m_id ON mechanisms_map (m_id);"
- "CREATE INDEX m_map_r_id ON mechanisms_map (r_id);"
- "CREATE INDEX m_map_r_id_ord ON mechanisms_map (r_id, ord);"
- "CREATE TABLE rules ("
- "id INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE,"
- "name TEXT NOT NULL UNIQUE,"
- "type INTEGER CHECK (type = 1 OR type = 2) NOT NULL,"
- "class INTEGER CHECK (class > 0),"
- "'group' TEXT,"
- "kofn INTEGER,"
- "timeout INTEGER,"
- "flags INTEGER,"
- "tries INTEGER,"
- "version INTEGER NOT NULL DEFAULT (0),"
- "created REAL NOT NULL DEFAULT (0),"
- "modified REAL NOT NULL DEFAULT (0),"
- "hash BLOB,"
- "identifier TEXT,"
- "requirement BLOB,"
- "comment TEXT"
- ");"
- "CREATE INDEX a_type ON rules (type);"
- "CREATE TABLE config ("
- "'key' TEXT PRIMARY KEY NOT NULL UNIQUE,"
- "value"
- ");"
- "CREATE TABLE prompts ("
- "r_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,"
- "lang TEXT NOT NULL,"
- "value TEXT NOT NULL"
- ");"
- "CREATE INDEX p_r_id ON prompts(r_id);"
- "CREATE TABLE buttons ("
- "r_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,"
- "lang TEXT NOT NULL,"
- "value TEXT NOT NULL"
- ");"
- "CREATE INDEX b_r_id ON buttons(r_id);"
- "INSERT INTO config VALUES('version', "AUTHDB_VERSION_STRING");"
-};
-
-static int32_t
-_sqlite3_exec(sqlite3 * handle, const char * query)
-{
- int32_t rc = SQLITE_ERROR;
- require(query != NULL, done);
-
- char * errmsg = NULL;
- rc = sqlite3_exec(handle, query, NULL, NULL, &errmsg);
- if (errmsg) {
- LOGE("authdb: exec, (%i) %s", rc, errmsg);
- sqlite3_free(errmsg);
- }
-
-done:
- return rc;
-}
-
-struct _db_upgrade_stages {
- int pre;
- int main;
- int post;
-};
-
-static struct _db_upgrade_stages auth_upgrade_script[] = {
- { .pre = -1, .main = 0, .post = -1 } // Create version AUTHDB_VERSION databse.
-};
-
-static int32_t _db_run_script(authdb_connection_t dbconn, int number)
-{
- int32_t s3e;
-
- /* Script -1 == skip this step. */
- if (number < 0)
- return SQLITE_OK;
-
- /* If we are attempting to run a script we don't have, fail. */
- if ((size_t)number >= sizeof(authdb_upgrade_sql) / sizeof(char*))
- return SQLITE_CORRUPT;
-
- s3e = _sqlite3_exec(dbconn->handle, authdb_upgrade_sql[number]);
-
- return s3e;
-}
-
-static int32_t _db_upgrade_from_version(authdb_connection_t dbconn, int32_t version)
-{
- int32_t s3e;
-
- /* If we are attempting to upgrade to a version greater than what we have
- an upgrade script for, fail. */
- if (version < 0 ||
- (size_t)version >= sizeof(auth_upgrade_script) / sizeof(struct _db_upgrade_stages))
- return SQLITE_CORRUPT;
-
- struct _db_upgrade_stages *script = &auth_upgrade_script[version];
- s3e = _db_run_script(dbconn, script->pre);
- if (s3e == SQLITE_OK)
- s3e = _db_run_script(dbconn, script->main);
- if (s3e == SQLITE_OK)
- s3e = _db_run_script(dbconn, script->post);
-
- return s3e;
-}
-
-static void _printCFError(const char * errmsg, CFErrorRef err)
-{
- CFStringRef errString = NULL;
- errString = CFErrorCopyDescription(err);
- char * tmp = _copy_cf_string(errString, NULL);
- LOGV("%s, %s", errmsg, tmp);
- free_safe(tmp);
- CFReleaseSafe(errString);
-}
-
-static void _db_load_data(authdb_connection_t dbconn, auth_items_t config)
-{
- CFURLRef authURL = NULL;
- CFPropertyListRef plist = NULL;
- CFDataRef data = NULL;
- int32_t rc = 0;
- CFErrorRef err = NULL;
- CFTypeRef value = NULL;
- CFAbsoluteTime ts = 0;
- CFAbsoluteTime old_ts = 0;
-
- authURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, CFSTR(AUTHDB_DATA), kCFURLPOSIXPathStyle, false);
- require_action(authURL != NULL, done, LOGE("authdb: file not found %s", AUTHDB_DATA));
-
- CFURLCopyResourcePropertyForKey(authURL, kCFURLContentModificationDateKey, &value, &err);
- require_action(err == NULL, done, _printCFError("authdb: failed to get modification date", err));
-
- if (CFGetTypeID(value) == CFDateGetTypeID()) {
- ts = CFDateGetAbsoluteTime(value);
- }
-
- old_ts = auth_items_get_double(config, "data_ts");
- if (ts > old_ts) {
- LOGV("authdb: %s modified old=%f, new=%f", AUTHDB_DATA, old_ts, ts);
- CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault, authURL, &data, NULL, NULL, (SInt32*)&rc);
- require_noerr_action(rc, done, LOGE("authdb: failed to load %s", AUTHDB_DATA));
-
- plist = CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListImmutable, NULL, &err);
- require_action(err == NULL, done, _printCFError("authdb: failed to read plist", err));
-
- if (authdb_import_plist(dbconn, plist, true)) {
- LOGD("authdb: updating data_ts");
- auth_items_t update = auth_items_create();
- auth_items_set_double(update, "data_ts", ts);
- authdb_set_key_value(dbconn, "config", update);
- CFReleaseSafe(update);
- }
- }
-
-done:
- CFReleaseSafe(value);
- CFReleaseSafe(authURL);
- CFReleaseSafe(plist);
- CFReleaseSafe(err);
- CFReleaseSafe(data);
-}
-
-static bool _truncate_db(authdb_connection_t dbconn)
-{
- int32_t rc = SQLITE_ERROR;
- int32_t flags = SQLITE_TRUNCATE_JOURNALMODE_WAL | SQLITE_TRUNCATE_AUTOVACUUM_FULL;
- rc = sqlite3_file_control(dbconn->handle, NULL, SQLITE_TRUNCATE_DATABASE, &flags);
- if (rc != SQLITE_OK) {
- LOGV("Failed to delete db handle! SQLite error %i.\n", rc);
- if (rc == SQLITE_IOERR) {
- // Unable to recover successfully if we can't truncate
- abort();
- }
- }
-
- return rc == SQLITE_OK;
-}
-
-static void _handle_corrupt_db(authdb_connection_t dbconn)
-{
- int32_t rc = SQLITE_ERROR;
- char buf[PATH_MAX+1];
- sqlite3 *corrupt_db = NULL;
-
- snprintf(buf, sizeof(buf), "%s-corrupt", dbconn->db->db_path);
- if (sqlite3_open(buf, &corrupt_db) == SQLITE_OK) {
-
- int on = 1;
- sqlite3_file_control(corrupt_db, 0, SQLITE_FCNTL_PERSIST_WAL, &on);
-
- rc = sqlite3_file_control(corrupt_db, NULL, SQLITE_REPLACE_DATABASE, (void *)dbconn->handle);
- if (SQLITE_OK == rc) {
- LOGE("Database at path %s is corrupt. Copying it to %s for further investigation.", dbconn->db->db_path, buf);
- } else {
- LOGE("Tried to copy corrupt database at path %s, but we failed with SQLite error %i.", dbconn->db->db_path, rc);
- }
- sqlite3_close(corrupt_db);
- }
-
- _truncate_db(dbconn);
-}
-
-static int32_t _db_maintenance(authdb_connection_t dbconn)
-{
- __block int32_t s3e = SQLITE_OK;
- __block auth_items_t config = NULL;
-
- authdb_transaction(dbconn, AuthDBTransactionNormal, ^bool(void) {
-
- authdb_get_key_value(dbconn, "config", &config);
-
- // We don't have a config table
- if (NULL == config) {
- LOGV("authdb: initializing database");
- s3e = _db_upgrade_from_version(dbconn, 0);
- require_noerr_action(s3e, done, LOGE("authdb: failed to initialize database %i", s3e));
-
- s3e = authdb_get_key_value(dbconn, "config", &config);
- require_noerr_action(s3e, done, LOGE("authdb: failed to get config %i", s3e));
- }
-
- int64_t currentVersion = auth_items_get_int64(config, "version");
- LOGV("authdb: current db ver=%lli", currentVersion);
- if (currentVersion < AUTHDB_VERSION) {
- LOGV("authdb: upgrading schema");
- s3e = _db_upgrade_from_version(dbconn, (int32_t)currentVersion);
-
- auth_items_set_int64(config, "version", AUTHDB_VERSION);
- authdb_set_key_value(dbconn, "config", config);
- }
-
- done:
- return true;
- });
-
- CFReleaseSafe(config);
- return s3e;
-}
-
-//static void unlock_notify_cb(void **apArg, int nArg AUTH_UNUSED){
-// dispatch_semaphore_t semaphore = (dispatch_semaphore_t)apArg[0];
-// dispatch_semaphore_signal(semaphore);
-//}
-//
-//static int32_t _wait_for_unlock_notify(authdb_connection_t dbconn, sqlite3_stmt * stmt)
-//{
-// int32_t rc;
-// dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
-//
-// rc = sqlite3_unlock_notify(dbconn->handle, unlock_notify_cb, semaphore);
-// require(!rc, done);
-//
-// if (dispatch_semaphore_wait(semaphore, 5*NSEC_PER_SEC) != 0) {
-// LOGV("authdb: timeout occurred!");
-// sqlite3_unlock_notify(dbconn->handle, NULL, NULL);
-// rc = SQLITE_LOCKED;
-// } else if (stmt){
-// sqlite3_reset(stmt);
-// }
-//
-//done:
-// dispatch_release(semaphore);
-// return rc;
-//}
-
-static bool _is_busy(int32_t rc)
-{
- return SQLITE_BUSY == rc || SQLITE_LOCKED == rc;
-}
-
-static void _checkResult(authdb_connection_t dbconn, int32_t rc, const char * fn_name, sqlite3_stmt * stmt)
-{
- bool isCorrupt = (SQLITE_CORRUPT == rc) || (SQLITE_NOTADB == rc) || (SQLITE_IOERR == rc);
-
- if (isCorrupt) {
- _handle_corrupt_db(dbconn);
- authdb_maintenance(dbconn);
- } else if (SQLITE_CONSTRAINT == rc || SQLITE_READONLY == rc) {
- if (stmt) {
- LOGV("authdb: %s %s for %s", fn_name, sqlite3_errmsg(dbconn->handle), sqlite3_sql(stmt));
- } else {
- LOGV("authdb: %s %s", fn_name, sqlite3_errmsg(dbconn->handle));
- }
- }
-}
-
-char * authdb_copy_sql_string(sqlite3_stmt * sql,int32_t col)
-{
- char * result = NULL;
- const char * sql_str = (const char *)sqlite3_column_text(sql, col);
- if (sql_str) {
- size_t len = strlen(sql_str) + 1;
- result = (char*)calloc(1u, len);
- check(result != NULL);
-
- strlcpy(result, sql_str, len);
- }
- return result;
-}
-
-#pragma mark -
-#pragma mark authdb_t
-
-static void
-_authdb_finalize(CFTypeRef value)
-{
- authdb_t db = (authdb_t)value;
-
- CFReleaseSafe(db->connections);
- dispatch_release(db->queue);
- free_safe(db->db_path);
-}
-
-AUTH_TYPE_INSTANCE(authdb,
- .init = NULL,
- .copy = NULL,
- .finalize = _authdb_finalize,
- .equal = NULL,
- .hash = NULL,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = NULL
- );
-
-static CFTypeID authdb_get_type_id() {
- static CFTypeID type_id = _kCFRuntimeNotATypeID;
- static dispatch_once_t onceToken;
-
- dispatch_once(&onceToken, ^{
- type_id = _CFRuntimeRegisterClass(&_auth_type_authdb);
- });
-
- return type_id;
-}
-
-authdb_t
-authdb_create()
-{
- authdb_t db = NULL;
-
- db = (authdb_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, authdb_get_type_id(), AUTH_CLASS_SIZE(authdb), NULL);
- require(db != NULL, done);
-
- db->queue = dispatch_queue_create(NULL, DISPATCH_QUEUE_SERIAL);
- db->connections = CFArrayCreateMutable(kCFAllocatorDefault, 0, NULL);
-
- if (getenv("__OSINSTALL_ENVIRONMENT") != NULL) {
- LOGV("authdb: running from installer");
- db->db_path = _copy_string("file::memory:?cache=shared");
- } else {
- db->db_path = _copy_string(AUTHDB);
- }
-
-done:
- return db;
-}
-
-authdb_connection_t authdb_connection_acquire(authdb_t db)
-{
- __block authdb_connection_t dbconn = NULL;
-#if DEBUG
- static int32_t total = 0;
-#endif
- dispatch_sync(db->queue, ^{
- CFIndex count = CFArrayGetCount(db->connections);
- if (count) {
- dbconn = (authdb_connection_t)CFArrayGetValueAtIndex(db->connections, 0);
- CFArrayRemoveValueAtIndex(db->connections, 0);
- } else {
- dbconn = authdb_connection_create(db);
-#if DEBUG
- total++;
- LOGV("authdb: no handles available total: %i", total);
-#endif
- }
- });
-
- return dbconn;
-}
-
-void authdb_connection_release(authdb_connection_t * dbconn)
-{
- if (!dbconn || !(*dbconn))
- return;
-
- authdb_connection_t tmp = *dbconn;
- *dbconn = NULL;
-
- dispatch_async(tmp->db->queue, ^{
- CFIndex count = CFArrayGetCount(tmp->db->connections);
- if (count <= AUTHDB_MAX_HANDLES) {
- CFArrayAppendValue(tmp->db->connections, tmp);
- } else {
- LOGD("authdb: freeing extra connection");
- CFRelease(tmp);
- }
- });
-}
-
-static bool _db_check_corrupted(authdb_connection_t dbconn)
-{
- bool isCorrupted = true;
- sqlite3_stmt *stmt = NULL;
- int32_t rc;
-
- rc = sqlite3_prepare_v2(dbconn->handle, "PRAGMA integrity_check;", -1, &stmt, NULL);
- if (rc == SQLITE_LOCKED || rc == SQLITE_BUSY) {
- LOGV("authdb: warning error %i when running integrity check", rc);
- isCorrupted = false;
-
- } else if (rc == SQLITE_OK) {
- rc = sqlite3_step(stmt);
-
- if (rc == SQLITE_LOCKED || rc == SQLITE_BUSY) {
- LOGV("authdb: warning error %i when running integrity check", rc);
- isCorrupted = false;
- } else if (rc == SQLITE_ROW) {
- const char * result = (const char*)sqlite3_column_text(stmt, 0);
-
- if (result && strncasecmp(result, "ok", 3) == 0) {
- isCorrupted = false;
- }
- }
- }
-
- sqlite3_finalize(stmt);
- return isCorrupted;
-}
-
-bool authdb_maintenance(authdb_connection_t dbconn)
-{
- LOGD("authdb: starting maintenance");
- int32_t rc = SQLITE_ERROR;
- auth_items_t config = NULL;
-
- bool isCorrupted = _db_check_corrupted(dbconn);
- LOGD("authdb: integrity check=%s", isCorrupted ? "fail" : "pass");
-
- if (isCorrupted) {
- _handle_corrupt_db(dbconn);
- }
-
- _db_maintenance(dbconn);
-
- rc = authdb_get_key_value(dbconn, "config", &config);
- require_noerr_action(rc, done, LOGV("authdb: maintenance failed %i", rc));
-
- _db_load_data(dbconn, config);
-
-done:
- CFReleaseSafe(config);
- LOGD("authdb: finished maintenance");
- return rc == SQLITE_OK;
-}
-
-int32_t
-authdb_exec(authdb_connection_t dbconn, const char * query)
-{
- int32_t rc = SQLITE_ERROR;
- require(query != NULL, done);
-
- rc = _sqlite3_exec(dbconn->handle, query);
- _checkResult(dbconn, rc, __FUNCTION__, NULL);
-
-done:
- return rc;
-}
-
-static int32_t _prepare(authdb_connection_t dbconn, const char * sql, sqlite3_stmt ** out_stmt)
-{
- int32_t rc;
- sqlite3_stmt * stmt = NULL;
-
- require_action(sql != NULL, done, rc = SQLITE_ERROR);
- require_action(out_stmt != NULL, done, rc = SQLITE_ERROR);
-
- rc = sqlite3_prepare_v2(dbconn->handle, sql, -1, &stmt, NULL);
- require_noerr_action(rc, done, LOGV("authdb: prepare (%i) %s", rc, sqlite3_errmsg(dbconn->handle)));
-
- *out_stmt = stmt;
-
-done:
- _checkResult(dbconn, rc, __FUNCTION__, stmt);
- return rc;
-}
-
-static void _parseItemsAtIndex(sqlite3_stmt * stmt, int32_t col, auth_items_t items, const char * key)
-{
- switch (sqlite3_column_type(stmt, col)) {
- case SQLITE_FLOAT:
- auth_items_set_double(items, key, sqlite3_column_double(stmt, col));
- break;
- case SQLITE_INTEGER:
- auth_items_set_int64(items, key, sqlite3_column_int64(stmt, col));
- break;
- case SQLITE_BLOB:
- auth_items_set_data(items,
- key,
- sqlite3_column_blob(stmt, col),
- (size_t)sqlite3_column_bytes(stmt, col));
- break;
- case SQLITE_NULL:
- break;
- case SQLITE_TEXT:
- default:
- auth_items_set_string(items, key, (const char *)sqlite3_column_text(stmt, col));
- break;
- }
-
-// LOGD("authdb: col=%s, val=%s, type=%i", sqlite3_column_name(stmt, col), sqlite3_column_text(stmt, col), sqlite3_column_type(stmt,col));
-}
-
-static int32_t _bindItemsAtIndex(sqlite3_stmt * stmt, int col, auth_items_t items, const char * key)
-{
- int32_t rc;
- switch (auth_items_get_type(items, key)) {
- case AI_TYPE_INT:
- rc = sqlite3_bind_int64(stmt, col, auth_items_get_int(items, key));
- break;
- case AI_TYPE_UINT:
- rc = sqlite3_bind_int64(stmt, col, auth_items_get_uint(items, key));
- break;
- case AI_TYPE_INT64:
- rc = sqlite3_bind_int64(stmt, col, auth_items_get_int64(items, key));
- break;
- case AI_TYPE_UINT64:
- rc = sqlite3_bind_int64(stmt, col, (int64_t)auth_items_get_uint64(items, key));
- break;
- case AI_TYPE_DOUBLE:
- rc = sqlite3_bind_double(stmt, col, auth_items_get_double(items, key));
- break;
- case AI_TYPE_BOOL:
- rc = sqlite3_bind_int64(stmt, col, auth_items_get_bool(items, key));
- break;
- case AI_TYPE_DATA:
- {
- size_t blobLen = 0;
- const void * blob = auth_items_get_data(items, key, &blobLen);
- rc = sqlite3_bind_blob(stmt, col, blob, (int32_t)blobLen, NULL);
- }
- break;
- case AI_TYPE_STRING:
- rc = sqlite3_bind_text(stmt, col, auth_items_get_string(items, key), -1, NULL);
- break;
- default:
- rc = sqlite3_bind_null(stmt, col);
- break;
- }
- if (rc != SQLITE_OK) {
- LOGV("authdb: auth_items bind failed (%i)", rc);
- }
- return rc;
-}
-
-int32_t authdb_get_key_value(authdb_connection_t dbconn, const char * table, auth_items_t * out_items)
-{
- int32_t rc = SQLITE_ERROR;
- char * query = NULL;
- sqlite3_stmt * stmt = NULL;
- auth_items_t items = NULL;
-
- require(table != NULL, done);
- require(out_items != NULL, done);
-
- asprintf(&query, "SELECT * FROM %s", table);
-
- rc = _prepare(dbconn, query, &stmt);
- require_noerr(rc, done);
-
- items = auth_items_create();
- while ((rc = sqlite3_step(stmt)) != SQLITE_DONE) {
- switch (rc) {
- case SQLITE_ROW:
- _parseItemsAtIndex(stmt, 1, items, (const char*)sqlite3_column_text(stmt, 0));
- break;
- default:
- _checkResult(dbconn, rc, __FUNCTION__, stmt);
- if (_is_busy(rc)) {
- sleep(AUTHDB_BUSY_DELAY);
- } else {
- require_noerr_action(rc, done, LOGV("authdb: get_key_value (%i) %s", rc, sqlite3_errmsg(dbconn->handle)));
- }
- break;
- }
- }
-
- rc = SQLITE_OK;
- CFRetain(items);
- *out_items = items;
-
-done:
- CFReleaseSafe(items);
- free_safe(query);
- sqlite3_finalize(stmt);
- return rc;
-}
-
-int32_t authdb_set_key_value(authdb_connection_t dbconn, const char * table, auth_items_t items)
-{
- __block int32_t rc = SQLITE_ERROR;
- char * query = NULL;
- sqlite3_stmt * stmt = NULL;
-
- require(table != NULL, done);
- require(items != NULL, done);
-
- asprintf(&query, "INSERT OR REPLACE INTO %s VALUES (?,?)", table);
-
- rc = _prepare(dbconn, query, &stmt);
- require_noerr(rc, done);
-
- auth_items_iterate(items, ^bool(const char *key) {
- sqlite3_reset(stmt);
- _checkResult(dbconn, rc, __FUNCTION__, stmt);
-
- sqlite3_bind_text(stmt, 1, key, -1, NULL);
- _bindItemsAtIndex(stmt, 2, items, key);
-
- rc = sqlite3_step(stmt);
- if (rc != SQLITE_DONE) {
- _checkResult(dbconn, rc, __FUNCTION__, stmt);
- LOGV("authdb: set_key_value, step (%i) %s", rc, sqlite3_errmsg(dbconn->handle));
- }
-
- return true;
- });
-
-done:
- free_safe(query);
- sqlite3_finalize(stmt);
- return rc;
-}
-
-static int32_t _begin_transaction_type(authdb_connection_t dbconn, AuthDBTransactionType type)
-{
- int32_t result = SQLITE_ERROR;
-
- const char * query = NULL;
- switch (type) {
- case AuthDBTransactionImmediate:
- query = "BEGIN IMMEDATE;";
- break;
- case AuthDBTransactionExclusive:
- query = "BEGIN EXCLUSIVE;";
- break;
- case AuthDBTransactionNormal:
- query = "BEGIN;";
- break;
- default:
- break;
- }
-
- result = SQLITE_OK;
-
- if (query != NULL && sqlite3_get_autocommit(dbconn->handle) != 0) {
- result = _sqlite3_exec(dbconn->handle, query);
- }
-
- return result;
-}
-
-static int32_t _end_transaction(authdb_connection_t dbconn, bool commit)
-{
- if (commit) {
- return _sqlite3_exec(dbconn->handle, "END;");
- } else {
- return _sqlite3_exec(dbconn->handle, "ROLLBACK;");
- }
-}
-
-bool authdb_transaction(authdb_connection_t dbconn, AuthDBTransactionType type, bool (^t)(void))
-{
- int32_t result = SQLITE_ERROR;
- bool commit = false;
-
- result = _begin_transaction_type(dbconn, type);
- require_action(result == SQLITE_OK, done, LOGV("authdb: transaction begin failed %i", result));
-
- commit = t();
-
- result = _end_transaction(dbconn, commit);
- require_action(result == SQLITE_OK, done, commit = false; LOGV("authdb: transaction end failed %i", result));
-
-done:
- return commit;
-}
-
-bool authdb_step(authdb_connection_t dbconn, const char * sql, void (^bind_stmt)(sqlite3_stmt*), authdb_iterator_t iter)
-{
- bool result = false;
- sqlite3_stmt * stmt = NULL;
- int32_t rc = SQLITE_ERROR;
-
- require_action(sql != NULL, done, rc = SQLITE_ERROR);
-
- rc = _prepare(dbconn, sql, &stmt);
- require_noerr(rc, done);
-
- if (bind_stmt) {
- bind_stmt(stmt);
- }
-
- int32_t count = sqlite3_column_count(stmt);
-
- auth_items_t items = NULL;
- while ((rc = sqlite3_step(stmt)) != SQLITE_DONE) {
- switch (rc) {
- case SQLITE_ROW:
- {
- if (iter) {
- items = auth_items_create();
- for (int i = 0; i < count; i++) {
- _parseItemsAtIndex(stmt, i, items, sqlite3_column_name(stmt, i));
- }
- result = iter(items);
- CFReleaseNull(items);
- if (!result) {
- goto done;
- }
- }
- }
- break;
- default:
- if (_is_busy(rc)) {
- LOGV("authdb: %s", sqlite3_errmsg(dbconn->handle));
- sleep(AUTHDB_BUSY_DELAY);
- sqlite3_reset(stmt);
- } else {
- require_noerr_action(rc, done, LOGV("authdb: step (%i) %s", rc, sqlite3_errmsg(dbconn->handle)));
- }
- break;
- }
- }
-
-done:
- _checkResult(dbconn, rc, __FUNCTION__, stmt);
- sqlite3_finalize(stmt);
- return rc == SQLITE_DONE;
-}
-
-void authdb_checkpoint(authdb_connection_t dbconn)
-{
- int32_t rc = sqlite3_wal_checkpoint(dbconn->handle, NULL);
- if (rc != SQLITE_OK) {
- LOGV("authdb: checkpoit failed %i", rc);
- }
-}
-
-static CFMutableArrayRef
-_copy_rules_dict(RuleType type, CFDictionaryRef plist, authdb_connection_t dbconn)
-{
- CFMutableArrayRef result = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- require(result != NULL, done);
-
- _cf_dictionary_iterate(plist, ^bool(CFTypeRef key, CFTypeRef value) {
- if (CFGetTypeID(key) != CFStringGetTypeID()) {
- return true;
- }
-
- if (CFGetTypeID(value) != CFDictionaryGetTypeID()) {
- return true;
- }
-
- rule_t rule = rule_create_with_plist(type, key, value, dbconn);
- if (rule) {
- CFArrayAppendValue(result, rule);
- CFReleaseSafe(rule);
- }
-
- return true;
- });
-
-done:
- return result;
-}
-
-static void
-_import_rules(authdb_connection_t dbconn, CFMutableArrayRef rules, bool version_check, CFAbsoluteTime now)
-{
- CFMutableArrayRef notcommited = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- CFIndex count = CFArrayGetCount(rules);
-
- for (CFIndex i = 0; i < count; i++) {
- rule_t rule = (rule_t)CFArrayGetValueAtIndex(rules, i);
-
- bool update = false;
- if (version_check) {
- if (rule_get_id(rule) != 0) { // rule already exists see if we need to update
- rule_t current = rule_create_with_string(rule_get_name(rule), dbconn);
- if (rule_get_version(rule) > rule_get_version(current)) {
- update = true;
- }
- CFReleaseSafe(current);
-
- if (!update) {
- continue;
- }
- }
- }
-
- __block bool delayCommit = false;
-
- switch (rule_get_type(rule)) {
- case RT_RULE:
- rule_delegates_iterator(rule, ^bool(rule_t delegate) {
- if (rule_get_id(delegate) == 0) {
- // fetch the rule from the database if it was previously committed
- rule_sql_fetch(delegate, dbconn);
- }
- if (rule_get_id(delegate) == 0) {
- LOGD("authdb: delaying %s waiting for delegate %s", rule_get_name(rule), rule_get_name(delegate));
- delayCommit = true;
- return false;
- }
- return true;
- });
- break;
- default:
- break;
- }
-
- if (!delayCommit) {
- bool success = rule_sql_commit(rule, dbconn, now, NULL);
- LOGV("authdb: %s %s %s %s",
- update ? "updating" : "importing",
- rule_get_type(rule) == RT_RULE ? "rule" : "right",
- rule_get_name(rule), success ? "success" : "FAIL");
- if (!success) {
- CFArrayAppendValue(notcommited, rule);
- }
- } else {
- CFArrayAppendValue(notcommited, rule);
- }
- }
- CFArrayRemoveAllValues(rules);
- CFArrayAppendArray(rules, notcommited, CFRangeMake(0, CFArrayGetCount(notcommited)));
- CFReleaseSafe(notcommited);
-}
-
-bool
-authdb_import_plist(authdb_connection_t dbconn, CFDictionaryRef plist, bool version_check)
-{
- bool result = false;
-
- LOGV("authdb: starting import");
-
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
- CFMutableArrayRef rights = NULL;
- CFMutableArrayRef rules = NULL;
- require(plist != NULL, done);
-
- CFTypeRef rightsDict = CFDictionaryGetValue(plist, CFSTR("rights"));
- if (rightsDict && CFGetTypeID(rightsDict) == CFDictionaryGetTypeID()) {
- rights = _copy_rules_dict(RT_RIGHT, rightsDict, dbconn);
- }
-
- CFTypeRef rulesDict = CFDictionaryGetValue(plist, CFSTR("rules"));
- if (rulesDict && CFGetTypeID(rulesDict) == CFDictionaryGetTypeID()) {
- rules = _copy_rules_dict(RT_RULE, rulesDict, dbconn);
- }
-
- LOGV("authdb: rights = %li", CFArrayGetCount(rights));
- LOGV("authdb: rules = %li", CFArrayGetCount(rules));
-
- CFIndex count;
- // first pass import base rules without delegations
- // remaining import rules that delegate to other rules
- // loop upto 3 times to commit dependent rules first
- for (int32_t j = 0; j < 3; j++) {
- count = CFArrayGetCount(rules);
- if (!count)
- break;
-
- _import_rules(dbconn, rules, version_check, now);
- }
-
- _import_rules(dbconn, rights, version_check, now);
-
- if (CFArrayGetCount(rights) == 0) {
- result = true;
- }
-
- authdb_checkpoint(dbconn);
-
-done:
- CFReleaseSafe(rights);
- CFReleaseSafe(rules);
-
- LOGV("authdb: finished import, %s", result ? "succeeded" : "failed");
-
- return result;
-}
-
-#pragma mark -
-#pragma mark authdb_connection_t
-
-static bool _sql_profile_enabled(void)
-{
- static bool profile_enabled = false;
-
-#if DEBUG
- static dispatch_once_t onceToken;
-
- //sudo defaults write /Library/Preferences/com.apple.security.auth profile -bool true
- dispatch_once(&onceToken, ^{
- CFTypeRef profile = (CFNumberRef)CFPreferencesCopyValue(CFSTR("profile"), CFSTR(SECURITY_AUTH_NAME), kCFPreferencesAnyUser, kCFPreferencesCurrentHost);
-
- if (profile && CFGetTypeID(profile) == CFBooleanGetTypeID()) {
- profile_enabled = CFBooleanGetValue((CFBooleanRef)profile);
- }
-
- LOGV("authdb: sql profile: %s", profile_enabled ? "enabled" : "disabled");
-
- CFReleaseSafe(profile);
- });
-#endif
-
- return profile_enabled;
-}
-
-static void _profile(void *context AUTH_UNUSED, const char *sql, sqlite3_uint64 ns) {
- LOGV("==\nauthdb: %s\nTime: %llu ms\n", sql, ns >> 20);
-}
-
-static sqlite3 * _create_handle(authdb_t db)
-{
- bool dbcreated = false;
- sqlite3 * handle = NULL;
- int32_t rc = sqlite3_open_v2(db->db_path, &handle, SQLITE_OPEN_READWRITE, NULL);
-
- if (rc != SQLITE_OK) {
- char * tmp = dirname(db->db_path);
- if (tmp) {
- mkpath_np(tmp, 0700);
- }
- rc = sqlite3_open_v2(db->db_path, &handle, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
- dbcreated = true;
- }
- require_noerr_action(rc, done, LOGE("authdb: open %s (%i) %s", db->db_path, rc, sqlite3_errmsg(handle)));
-
- if (_sql_profile_enabled()) {
- sqlite3_profile(handle, _profile, NULL);
- }
-
- _sqlite3_exec(handle, "PRAGMA foreign_keys = ON");
- _sqlite3_exec(handle, "PRAGMA temp_store = MEMORY");
-
- if (dbcreated) {
- _sqlite3_exec(handle, "PRAGMA auto_vacuum = FULL");
- _sqlite3_exec(handle, "PRAGMA journal_mode = WAL");
-
- int on = 1;
- sqlite3_file_control(handle, 0, SQLITE_FCNTL_PERSIST_WAL, &on);
-
- chmod(db->db_path, S_IRUSR | S_IWUSR);
- }
-
-done:
- return handle;
-}
-
-static void
-_authdb_connection_finalize(CFTypeRef value)
-{
- authdb_connection_t dbconn = (authdb_connection_t)value;
-
- if (dbconn->handle) {
- sqlite3_close(dbconn->handle);
- }
- CFReleaseSafe(dbconn->db);
-}
-
-AUTH_TYPE_INSTANCE(authdb_connection,
- .init = NULL,
- .copy = NULL,
- .finalize = _authdb_connection_finalize,
- .equal = NULL,
- .hash = NULL,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = NULL
- );
-
-static CFTypeID authdb_connection_get_type_id() {
- static CFTypeID type_id = _kCFRuntimeNotATypeID;
- static dispatch_once_t onceToken;
-
- dispatch_once(&onceToken, ^{
- type_id = _CFRuntimeRegisterClass(&_auth_type_authdb_connection);
- });
-
- return type_id;
-}
-
-authdb_connection_t
-authdb_connection_create(authdb_t db)
-{
- authdb_connection_t dbconn = NULL;
-
- dbconn = (authdb_connection_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, authdb_connection_get_type_id(), AUTH_CLASS_SIZE(authdb_connection), NULL);
- require(dbconn != NULL, done);
-
- dbconn->db = (authdb_t)CFRetain(db);
- dbconn->handle = _create_handle(dbconn->db);
-
-done:
- return dbconn;
-}
projects / apple / security.git / blobdiff