[platform/core/security/key-manager.git] / src / manager / service / access-control.cpp

/*
 *  Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License
 *
 *
 * @file        access-control.cpp
 * @author      Maciej Karpiuk (m.karpiuk2@samsung.com)
 * @version     1.0
 * @brief       DB access control layer implementation.
 */
#include <access-control.h>
#include <dpl/log/log.h>
#include <ckm/ckm-error.h>
#include <ckm/ckm-type.h>
#include <openssl/crypto.h>

namespace {
const uid_t SYSTEM_SVC_MAX_UID = (5000 - 1);
} // anonymous namespace

namespace CKM {

void AccessControl::updateCCMode()
{
        /* newMode should be extracted from global property like buxton in product */
        int newMode = 0;

        if ((newMode == 1) == m_ccMode)
                return;

        if (FIPS_mode_set(newMode) == 0) {
                LogError("Error to FIPS_mode_set with param " << newMode);
                return;
        }

        m_ccMode = (newMode == 1);
}

bool AccessControl::isCCMode() const
{
        return m_ccMode;
}

bool AccessControl::isSystemService(const uid_t uid) const
{
        return uid <= SYSTEM_SVC_MAX_UID;
}

bool AccessControl::isSystemService(const CKM::Credentials &cred) const
{
        return isSystemService(cred.clientUid);
}


int AccessControl::canSave(
        const CKM::Credentials &accessorCred,
        const ClientId &owner) const
{
        if (isSystemService(accessorCred))
                return CKM_API_SUCCESS;

        if (owner != accessorCred.client)
                return CKM_API_ERROR_ACCESS_DENIED;

        return CKM_API_SUCCESS;
}

int AccessControl::canModify(
        const CKM::Credentials &accessorCred,
        const ClientId &owner) const
{
        return canSave(accessorCred, owner);
}

int AccessControl::canRead(
        const CKM::Credentials &accessorCred,
        const PermissionMask &existingPermission) const
{
        if (isSystemService(accessorCred))
                return CKM_API_SUCCESS;

        if (existingPermission & Permission::READ)
                return CKM_API_SUCCESS;

        return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
}

int AccessControl::canExport(
        const CKM::Credentials &accessorCred,
        const DB::Row &row,
        const PermissionMask &existingPermission) const
{
        int ec;

        if (CKM_API_SUCCESS != (ec = canRead(accessorCred, existingPermission)))
                return ec;

        // check if can export
        if (row.exportable == 0)
                return CKM_API_ERROR_NOT_EXPORTABLE;

        // prevent extracting private keys during cc-mode on
        if (isCCMode() && row.dataType.isKeyPrivate())
                return CKM_API_ERROR_BAD_REQUEST;

        return CKM_API_SUCCESS;
}

int AccessControl::canDelete(
        const CKM::Credentials &accessorCred,
        const PermissionMask &existingPermission) const
{
        if (isSystemService(accessorCred))
                return CKM_API_SUCCESS;

        if (existingPermission & Permission::REMOVE)
                return CKM_API_SUCCESS;

        if (existingPermission & Permission::READ)
                return CKM_API_ERROR_ACCESS_DENIED;

        return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
}



} // namespace CKM