common/AccessCondition.cpp

   1 /*
   2  * Copyright (c) 2012, 2013 Samsung Electronics Co., Ltd.
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  * http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /* standard library header */
  18 #include <stdio.h>
  19
  20 /* SLP library header */
  21
  22 /* local header */
  23 #include "Debug.h"
  24 #include "SimpleTLV.h"
  25 #include "AccessControlList.h"
  26 #include "AccessCondition.h"
  27
  28 namespace smartcard_service_api
  29 {
  30         void AccessRule::addAPDUAccessRule(const ByteArray &apdu,
  31                 const ByteArray &mask)
  32         {
  33                 pair<ByteArray, ByteArray> item(apdu, mask);
  34
  35                 listFilters.push_back(item);
  36         }
  37
  38         bool AccessRule::isAuthorizedAPDUAccess(const ByteArray &command) const
  39         {
  40                 bool result = false;
  41
  42                 if (command.size() < 4) /* apdu header size */
  43                         return false;
  44
  45                 if (command.getBuffer() == NULL)
  46                         return false;
  47
  48                 if (listFilters.size() > 0) {
  49                         unsigned int cmd, mask, rule;
  50                         vector<pair<ByteArray, ByteArray> >::const_iterator item;
  51
  52                         cmd = *(unsigned int *)command.getBuffer();
  53                         for (item = listFilters.begin(); item != listFilters.end(); item++) {
  54                                 unsigned int *temp1 = NULL;
  55                                 unsigned int *temp2 = NULL;
  56
  57                                 temp1 = (unsigned int *)item->second.getBuffer();
  58                                 temp2 = (unsigned int *)item->first.getBuffer();
  59
  60                                 if (temp1 == NULL || temp2 == NULL)
  61                                         continue;
  62
  63                                 mask = *temp1;
  64                                 rule = *temp2;
  65
  66                                 if ((cmd & mask) == rule) {
  67                                         result = true;
  68                                         break;
  69                                 }
  70                         }
  71                 } else {
  72                         /* no filter entry. if permission is true, all access will be granted, if not, all access will be denied */
  73                         result = apduRule;
  74                 }
  75
  76                 return result;
  77         }
  78
  79         void AccessRule::printAccessRules() const
  80         {
  81                 if (listFilters.size() > 0) {
  82                         vector<pair<ByteArray, ByteArray> >::const_iterator item;
  83
  84                         _DBG("         +---- Granted APDUs");
  85
  86                         for (item = listFilters.begin(); item != listFilters.end(); item++) {
  87                                 _DBG("         +----- APDU: %s, Mask: %s", item->first.toString().c_str(), item->second.toString().c_str());
  88                         }
  89                 } else {
  90                         _DBG("         +---- APDU Access ALLOW: %s", apduRule ? "ALWAYS": "NEVER");
  91                 }
  92
  93                 _DBG("         +---- NFC  Access ALLOW: %s", nfcRule ? "ALWAYS": "NEVER");
  94         }
  95
  96         bool AccessRule::isAuthorizedNFCAccess(void) const
  97         {
  98                 return nfcRule;
  99         }
 100
 101         AccessRule *AccessCondition::getAccessRule(const ByteArray &certHash)
 102         {
 103                 AccessRule *result = NULL;
 104                 map<ByteArray, AccessRule>::iterator item;
 105
 106                 item = mapRules.find(certHash);
 107                 if (item != mapRules.end()) {
 108                         result = &item->second;
 109                 }
 110
 111                 return result;
 112         }
 113
 114         const AccessRule *AccessCondition::getAccessRule(const ByteArray &certHash) const
 115         {
 116                 const AccessRule *result = NULL;
 117                 map<ByteArray, AccessRule>::const_iterator item;
 118
 119                 item = mapRules.find(certHash);
 120                 if (item != mapRules.end()) {
 121                         result = &item->second;
 122                 }
 123
 124                 return result;
 125         }
 126
 127         void AccessCondition::addAccessRule(const ByteArray &hash)
 128         {
 129                 AccessRule rule;
 130
 131                 pair<ByteArray, AccessRule> item(hash, rule);
 132
 133                 mapRules.insert(item);
 134         }
 135
 136         void AccessCondition::setAccessCondition(bool rule)
 137         {
 138                 AccessRule *result;
 139
 140                 result = getAccessRule(AccessControlList::ALL_DEVICE_APPS);
 141                 if (result == NULL) {
 142                         addAccessRule(AccessControlList::ALL_DEVICE_APPS);
 143                         result = getAccessRule(AccessControlList::ALL_DEVICE_APPS);
 144                         if (result == NULL)
 145                                 return;
 146                 }
 147
 148                 result->setAPDUAccessRule(rule);
 149                 result->setNFCAccessRule(rule);
 150         }
 151
 152         bool AccessCondition::isAuthorizedAccess(const ByteArray &certHash) const
 153         {
 154                 bool result = false;
 155                 const AccessRule *rule = getAccessRule(certHash);
 156
 157                 if (rule != NULL) {
 158                         result = rule->isAuthorizedAccess();
 159                 }
 160
 161                 return result;
 162         }
 163
 164         void AccessCondition::printAccessConditions() const
 165         {
 166                 _DBG("   +-- Access Condition");
 167
 168                 if (mapRules.size() > 0) {
 169                         map<ByteArray, AccessRule>::const_iterator item;
 170
 171                         for (item = mapRules.begin(); item != mapRules.end(); item++) {
 172                                 ByteArray temp = item->first;
 173
 174                                 _DBG("   +--- hash: %s", (temp == AccessControlList::ALL_DEVICE_APPS) ? "All device applications": temp.toString().c_str());
 175                                 item->second.printAccessRules();
 176                         }
 177                 } else {
 178                         _DBG("   +--- no rule found");
 179                 }
 180         }
 181
 182         void AccessCondition::setAPDUAccessRule(const ByteArray &certHash,
 183                 bool rule)
 184         {
 185                 AccessRule *access = getAccessRule(certHash);
 186
 187                 if (access != NULL) {
 188                         access->setAPDUAccessRule(rule);
 189                 }
 190         }
 191
 192         void AccessCondition::addAPDUAccessRule(const ByteArray &certHash,
 193                 const ByteArray &apdu, const ByteArray &mask)
 194         {
 195                 AccessRule *access = getAccessRule(certHash);
 196
 197                 if (access != NULL) {
 198                         access->addAPDUAccessRule(apdu, mask);
 199                 }
 200         }
 201
 202         void AccessCondition::addAPDUAccessRule(const ByteArray &certHash,
 203                 const ByteArray &rule)
 204         {
 205                 if (rule.size() != 8)
 206                         return;
 207
 208                 addAPDUAccessRule(certHash, rule.sub(0, 4), rule.sub(4, 4));
 209         }
 210
 211         void AccessCondition::setNFCAccessRule(const ByteArray &certHash,
 212                         bool rule)
 213         {
 214                 AccessRule *access = getAccessRule(certHash);
 215
 216                 if (access != NULL) {
 217                         access->setNFCAccessRule(rule);
 218                 }
 219         }
 220
 221         bool AccessCondition::isAuthorizedAPDUAccess(const ByteArray &certHash,
 222                 const ByteArray &command) const
 223         {
 224                 bool result = false;
 225                 const AccessRule *rule = getAccessRule(certHash);
 226
 227                 if (rule != NULL) {
 228                         result = rule->isAuthorizedAPDUAccess(command);
 229                 }
 230
 231                 return result;
 232         }
 233
 234         bool AccessCondition::isAuthorizedNFCAccess(const ByteArray &certHash) const
 235         {
 236                 bool result = false;
 237                 const AccessRule *rule = getAccessRule(certHash);
 238
 239                 if (rule != NULL) {
 240                         result = rule->isAuthorizedNFCAccess();
 241                 }
 242
 243                 return result;
 244         }
 245 } /* namespace smartcard_service_api */