Enable privilege check on control API 86/89386/1
authorKyungwook Tak <k.tak@samsung.com>
Fri, 23 Sep 2016 08:46:59 +0000 (17:46 +0900)
committerKyungwook Tak <k.tak@samsung.com>
Fri, 23 Sep 2016 08:46:59 +0000 (17:46 +0900)
privilege: http://tizen.org/privilege/internal/service

The privilege check on the storage API is still disabled because that API is non-privileged

Change-Id: I89cfa8f11181d0a89280d204f2bf611a3a237d78
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
src/manager/main/socket-manager.cpp
src/manager/main/thread-service.cpp
src/manager/service/ckm-service.cpp
src/manager/service/ckm-service.h

index 9f20f62..6a4a45d 100644 (file)
@@ -293,6 +293,10 @@ void SocketManager::SecurityStatus(int sock, int counter, bool allowed)
                return;
        }
 
+       LogDebug("[SecurityStatus] sock[" << sock <<
+                       "] privilege[" << desc.cynaraPrivilege <<
+                       "] allowed[" << allowed << "]");
+
        GenericSocketService::SecurityEvent event;
        event.connectionID.sock = sock;
        event.connectionID.counter = counter;
@@ -753,15 +757,17 @@ void SocketManager::Handle(const SecurityEvent &event)
        if (event.counter != desc.counter)
                return;
 
-       std::string session = std::to_string(desc.counter);
-
-       m_cynara->Request(desc.cynaraUser,
-                                         desc.cynaraClient,
-                                         session,
-                                         desc.cynaraPrivilege,
-       [this, event](bool allowed) {
-               this->SecurityStatus(event.sock, event.counter, allowed);
-       });
+       if (desc.cynaraPrivilege.empty()) {
+               this->SecurityStatus(event.sock, event.counter, true);
+       } else {
+               m_cynara->Request(desc.cynaraUser,
+                                                 desc.cynaraClient,
+                                                 std::to_string(desc.counter),
+                                                 desc.cynaraPrivilege,
+               [this, event](bool allowed) {
+                       this->SecurityStatus(event.sock, event.counter, allowed);
+               });
+       }
 }
 
 void SocketManager::CloseSocket(int sock)
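Review bot: The new `empty()` branch on line 42 makes an unset privilege string fail open — any service descriptor that leaves the field empty, by intent or by mistake, is reported as allowed without a cynara request, and nothing is logged on that path while the checked path gains the new LogDebug in SecurityStatus. A log line in the bypass branch keeps both paths equally observable, e.g. `LogDebug("[Handle] sock[" << event.sock << "] has no privilege, skipping cynara check");` before the direct SecurityStatus call. It is also worth a comment that SecurityStatus is now invoked synchronously from Handle in this branch while the cynara path calls it from a callback; if SecurityStatus assumes it runs after Handle has returned, that is a reentrancy difference to confirm. Handle's opening lines are outside the hunk.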
index 29d5d2d..9bd4993 100644 (file)
@@ -84,9 +84,7 @@ void ThreadService::Handle(const SecurityEvent &event)
                return;
        }
 
-       ProcessOne(event.connectionID, info, event.allowed);
-
-       if (info.buffer.Ready())
+       if (ProcessOne(event.connectionID, info, event.allowed) && info.buffer.Ready())
                m_serviceManager->SecurityCheck(event.connectionID);
        else
                info.checkInProgress = false;
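Review bot: The short-circuit on line 64 changes what happens when ProcessOne returns false while `info.buffer.Ready()` is still true: before, SecurityCheck was re-issued and the remaining buffered message was dispatched; now `checkInProgress` is cleared and that message waits for the next read event. That is presumably intended (a false return meaning the message was not consumed or the connection is going away), but it is not obvious from the condition alone, so a comment such as `// false from ProcessOne means nothing was consumed; do not re-issue the check on the same data` would help the next reader. ThreadService::Handle begins outside the hunk.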
index 5b39632..2fd0e2e 100644 (file)
@@ -65,9 +65,10 @@ void CKMService::Stop()
 GenericSocketService::ServiceDescriptionVector
 CKMService::GetServiceDescription()
 {
+       // empty string on privilege field means non-privileged
        return ServiceDescriptionVector {
-               {SERVICE_SOCKET_CKM_CONTROL, "http://tizen.org/privilege/keymanager.admin", SOCKET_ID_CONTROL},
-               {SERVICE_SOCKET_CKM_STORAGE, "http://tizen.org/privilege/keymanager", SOCKET_ID_STORAGE}
+               {SERVICE_SOCKET_CKM_CONTROL, "http://tizen.org/privilege/internal/service", SOCKET_ID_CONTROL},
+               {SERVICE_SOCKET_CKM_STORAGE, "", SOCKET_ID_STORAGE}
        };
 }
 
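Review bot: The comment on line 73 should say what an empty privilege field does operationally, since that behaviour lives in another file: with this commit SocketManager::Handle skips the cynara request entirely and reports the connection as allowed, so the storage socket gets no privilege check at all — the same effective state as the old CustomHandle bypass, now expressed as data. Suggest `// empty privilege field: SocketManager skips the cynara check and treats every connection as allowed (storage check intentionally disabled for now)`. A named constant for the empty-string sentinel would make the fail-open meaning greppable; hedged, since the descriptor type is not visible in this hunk.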
@@ -77,12 +78,10 @@ void CKMService::SetCommManager(CommMgr *manager)
        Register(*manager);
 }
 
-// CKMService does not support security check
-// so 3rd parameter is not used
 bool CKMService::ProcessOne(
        const ConnectionID &conn,
        ConnectionInfo &info,
-       bool /*allowed*/)
+       bool allowed)
 {
        LogDebug("process One");
        RawBuffer response;
@@ -92,7 +91,7 @@ bool CKMService::ProcessOne(
                        return false;
 
                if (info.interfaceID == SOCKET_ID_CONTROL)
-                       response = ProcessControl(info.buffer);
+                       response = ProcessControl(info.buffer, allowed);
                else
                        response = ProcessStorage(info.credentials, info.buffer);
 
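Review bot: `allowed` is threaded into ProcessControl on line 101 but not into ProcessStorage on line 103, so for storage connections the access decision is dropped here; today that is harmless because the storage descriptor carries no privilege and SocketManager reports such connections as allowed, but once a privilege is put back on the storage socket this branch will keep serving denied clients. A comment pinning the assumption makes the coupling visible: `// storage socket is non-privileged (see GetServiceDescription); allowed is always true on this branch`. Passing `allowed` through and rejecting in ProcessStorage when false would remove the trap, but that function is outside this hunk. ProcessOne begins and ends outside the hunk.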
@@ -115,7 +114,7 @@ bool CKMService::ProcessOne(
        return false;
 }
 
-RawBuffer CKMService::ProcessControl(MessageBuffer &buffer)
+RawBuffer CKMService::ProcessControl(MessageBuffer &buffer, bool allowed)
 {
        int command = 0;
        uid_t user = 0;
@@ -127,35 +126,58 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer)
 
        LogDebug("Process control. Command: " << command);
 
+       std::function<RawBuffer(void)> logicFunc;
+
        cc = static_cast<ControlCommand>(command);
 
        switch (cc) {
        case ControlCommand::UNLOCK_USER_KEY:
                buffer.Deserialize(user, newPass);
-               return m_logic->unlockUserKey(user, newPass);
+               logicFunc = [&]() {
+                       return m_logic->unlockUserKey(user, newPass);
+               };
+               break;
 
        case ControlCommand::LOCK_USER_KEY:
                buffer.Deserialize(user);
-               return m_logic->lockUserKey(user);
+               logicFunc = [&]() {
+                       return m_logic->lockUserKey(user);
+               };
+               break;
 
        case ControlCommand::REMOVE_USER_DATA:
                buffer.Deserialize(user);
-               return m_logic->removeUserData(user);
+               logicFunc = [&]() {
+                       return m_logic->removeUserData(user);
+               };
+               break;
 
        case ControlCommand::CHANGE_USER_PASSWORD:
                buffer.Deserialize(user, oldPass, newPass);
-               return m_logic->changeUserPassword(user, oldPass, newPass);
+               logicFunc = [&]() {
+                       return m_logic->changeUserPassword(user, oldPass, newPass);
+               };
+               break;
 
        case ControlCommand::RESET_USER_PASSWORD:
                buffer.Deserialize(user, newPass);
-               return m_logic->resetUserPassword(user, newPass);
+               logicFunc = [&]() {
+                       return m_logic->resetUserPassword(user, newPass);
+               };
+               break;
 
        case ControlCommand::REMOVE_APP_DATA:
                buffer.Deserialize(smackLabel);
-               return m_logic->removeApplicationData(smackLabel);
+               logicFunc = [&]() {
+                       return m_logic->removeApplicationData(smackLabel);
+               };
+               break;
 
        case ControlCommand::UPDATE_CC_MODE:
-               return m_logic->updateCCMode();
+               logicFunc = [&]() {
+                       return m_logic->updateCCMode();
+               };
+               break;
 
        case ControlCommand::SET_PERMISSION: {
                Name name;
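Review bot: Every lambda assigned to `logicFunc` from line 126 onward captures the function-scope locals by reference (`[&]`), which is only safe because `logicFunc` is invoked before ProcessControl returns; a one-line comment at the declaration on line 118 should pin that down, e.g. `// invoked below within this frame; lambdas capture locals by reference`. `std::function` also requires `<functional>`; the include block is outside the diff, so confirm it is present. The switch continues past this hunk.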
@@ -166,19 +188,29 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer)
                buffer.Deserialize(user, name, label, accessorLabel, permissionMask);
 
                Credentials cred(user, label);
-               return m_logic->setPermission(
-                                  cred,
-                                  command,
-                                  0, // dummy
-                                  name,
-                                  label,
-                                  accessorLabel,
-                                  permissionMask);
+               logicFunc = [&, name, label, accessorLabel, permissionMask, cred]() {
+                       return m_logic->setPermission(
+                                          cred,
+                                          command,
+                                          0, // dummy
+                                          name,
+                                          label,
+                                          accessorLabel,
+                                          permissionMask);
+               };
+               break;
        }
 
        default:
                Throw(Exception::BrokenProtocol);
        }
+
+       if (!allowed) {
+               LogError("Access denied!");
+               return MessageBuffer::Serialize(CKM_API_ERROR_ACCESS_DENIED).Pop();
+       }
+
+       return logicFunc();
 }
 
 RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
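Review bot: The access decision on line 209 is taken only after the request has been fully deserialized and dispatched through the switch, so a client that cynara has already rejected still drives every `buffer.Deserialize` call and can still reach `Throw(Exception::BrokenProtocol)` on line 206 — the parser is exercised on behalf of unauthorized peers. If deserialization is deliberately kept ahead of the check so that a denied message is fully consumed and the connection's framing stays in sync (which is what the lambda indirection suggests), that rationale belongs in a comment above `std::function<RawBuffer(void)> logicFunc;`, e.g. `// deserialize before the privilege check so a denied message is still consumed from the buffer; the command body only runs if allowed`; otherwise the `!allowed` check should move ahead of the switch. The denial log on line 210 should also carry the command so the event is attributable in audit logs: `LogError("Access denied! Command: " << command);`. ProcessControl starts outside this hunk.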
@@ -436,19 +468,4 @@ void CKMService::ProcessMessage(MsgRemoveAppData msg)
        m_logic->removeApplicationData(msg.pkgId);
 }
 
-void CKMService::CustomHandle(const ReadEvent &event)
-{
-       LogDebug("Read event");
-       auto &info = m_connectionInfoMap[event.connectionID.counter];
-       info.buffer.Push(event.rawBuffer);
-
-       while (ProcessOne(event.connectionID, info, true));
-}
-
-void CKMService::CustomHandle(const SecurityEvent & /*event*/)
-{
-       LogError("This should not happend! SecurityEvent was called on CKMService!");
-}
-
 } // namespace CKM
-
index b399529..89cec9d 100644 (file)
@@ -39,22 +39,6 @@ public:
        CKMService &operator=(const CKMService &) = delete;
        CKMService &operator=(CKMService &&) = delete;
 
-       // Custom add custom support for ReadEvent and SecurityEvent
-       // because we want to bypass security check in CKMService
-       virtual void Event(const ReadEvent &event)
-       {
-               CreateEvent([this, event]() {
-                       this->CustomHandle(event);
-               });
-       }
-
-       virtual void Event(const SecurityEvent &event)
-       {
-               CreateEvent([this, event]() {
-                       this->CustomHandle(event);
-               });
-       }
-
        virtual void Start(void);
        virtual void Stop(void);
 
@@ -62,11 +46,6 @@ public:
 
        ServiceDescriptionVector GetServiceDescription();
 
-protected:
-       // CustomHandle is used to bypass security check
-       void CustomHandle(const ReadEvent &event);
-       void CustomHandle(const SecurityEvent &event);
-
 private:
        virtual void SetCommManager(CommMgr *manager);
 
@@ -82,7 +61,8 @@ private:
                bool allowed);
 
        RawBuffer ProcessControl(
-               MessageBuffer &buffer);
+               MessageBuffer &buffer,
+               bool allowed);
 
        RawBuffer ProcessStorage(
                Credentials &cred,
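Review bot: The new `allowed` parameter on line 280 is undocumented in the header, and its contract is not derivable from the name alone; suggest a comment above the declaration: `// allowed: cynara verdict for the calling connection, forwarded from ProcessOne; when false the command is parsed but not executed and CKM_API_ERROR_ACCESS_DENIED is returned`. The same note applies to the `bool allowed` parameter of ProcessOne on line 275. The class body begins outside the hunk.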