[platform/core/appfw/rpc-port.git] / src / ac-internal.cc

/*
 * Copyright (c) 2017 - 2021 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <aul.h>
#include <cynara-creds-socket.h>
#include <cynara-error.h>
#include <dlog.h>
#include <pkgmgr-info.h>

#include <utility>

#include "ac-internal.hh"
#include "aul-internal.hh"
#include "log-private.hh"

namespace rpc_port {
namespace internal {
namespace {

constexpr const uid_t kRegularUidMin = 5000;

}  // namespace

void AccessController::AddPrivilege(std::string privilege) {
  privileges_.push_back(std::move(privilege));
}

void AccessController::SetTrusted(const bool trusted) {
  trusted_ = trusted;
}

int AccessController::CheckPrivilege(const Cynara& c) {
  for (auto& privilege : privileges_) {
    if (c.Check(privilege) != 0) {
      return -1;
    }
  }

  return 0;
}

int AccessController::CheckTrusted(const std::string& sender_appid) {
  if (getuid() < kRegularUidMin)
    return 0;

  if (appid_.empty())
    appid_ = Aul::GetAppId(getpid());

  _D("CheckCertificate : %s :: %s", appid_.c_str(), sender_appid.c_str());
  pkgmgrinfo_cert_compare_result_type_e res;
  int ret = pkgmgrinfo_pkginfo_compare_usr_app_cert_info(appid_.c_str(),
      sender_appid.c_str(), getuid(), &res);
  if (ret < 0) {
    _E("CheckCertificate() Failed");
    return -1;
  }
  if (res != PMINFO_CERT_COMPARE_MATCH) {
    _E("CheckCertificate() Failed : Certificate Not Matched");
    return -1;
  }

  return 0;
}

int AccessController::Check(int fd, const std::string& sender_appid) {
  Cynara cynara;
  int ret = cynara.FetchCredsFromSocket(fd);
  if (ret != 0)
    return -1;

  if (!privileges_.empty()) {
    ret = CheckPrivilege(cynara);
    if (ret != 0)
      return ret;
  }

  if (trusted_)
    ret = CheckTrusted(sender_appid);

  return ret;
}

AccessController::Cynara::Cynara()
    : cynara_(nullptr, cynara_finish), client_(nullptr, std::free),
    user_(nullptr, std::free) {
  cynara* cynara_inst = nullptr;

  if (cynara_initialize(&cynara_inst, NULL) != CYNARA_API_SUCCESS) {
    _E("cynara_initialize() is failed");  // LCOV_EXL_LINE
  } else {
    cynara_.reset(cynara_inst);
  }
}

AccessController::Cynara::~Cynara() = default;

int AccessController::Cynara::FetchCredsFromSocket(int fd) {
  char* user = nullptr;
  int ret = cynara_creds_socket_get_user(fd, USER_METHOD_DEFAULT, &user);
  if (ret != CYNARA_API_SUCCESS) {
    char buf[128] = { 0, };
    cynara_strerror(ret, buf, sizeof(buf));
    _E("cynara_creds_socket_get_user() is failed. fd(%d), error(%d:%s)",
        fd, ret, buf);
    return -1;
  }
  user_.reset(user);

  char* client = nullptr;
  ret = cynara_creds_socket_get_client(fd, CLIENT_METHOD_DEFAULT, &client);
  if (ret != CYNARA_API_SUCCESS) {
    char buf[128] = { 0, };
    cynara_strerror(ret, buf, sizeof(buf));
    _E("cynara_creds_socket_get_client() is failed. fd(%d), error(%d:%s)",
        fd, ret, buf);
    return -1;
  }
  client_.reset(client);

  _D("Cred client(%s), user(%s)", client_.get(), user_.get());
  return 0;
}

int AccessController::Cynara::Check(const std::string& privilege) const {
  _D("check privilege %s", privilege.c_str());
  if (cynara_check(cynara_.get(), client_.get(), "", user_.get(),
      privilege.c_str()) != CYNARA_API_ACCESS_ALLOWED) {
    _E("cynara_check() is not allowed : %s", privilege.c_str());
    return -1;
  }

  return 0;
}

}  // namespace internal
}  // namespace rpc_port