From 7dde783029c297894c09d0c85bc0c4ecbd5be78a Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Mon, 29 Sep 2014 14:42:33 +0200
Subject: [PATCH] Add access control API stub
Change-Id: I16c26eff6f6d272d1a7a51cba48053d8ff7f35fa
---
 src/include/ckm/ckm-control.h | 11 ++++++
 src/include/ckm/ckm-manager.h | 4 ++
 src/include/ckm/ckm-type.h | 5 +++
 src/include/ckmc/ckmc-control.h | 62 ++++++++++++++++++++++++++++++
 src/include/ckmc/ckmc-manager.h | 55 ++++++++++++++++++++++++++
 src/include/ckmc/ckmc-type.h | 9 +++++
 src/manager/client-capi/ckmc-control.cpp | 60 ++++++++++++++++++++---------
 src/manager/client-capi/ckmc-manager.cpp | 23 +++++++++++
 src/manager/client/client-control.cpp | 17 ++++++++
 src/manager/client/client-manager-impl.cpp | 12 ++++++
 src/manager/client/client-manager-impl.h | 3 ++
 11 files changed, 243 insertions(+), 18 deletions(-)
diff --git a/src/include/ckm/ckm-control.h b/src/include/ckm/ckm-control.h
index 5006dac..89c402e 100644
--- a/src/include/ckm/ckm-control.h
+++ b/src/include/ckm/ckm-control.h
@@ -64,6 +64,17 @@ public:
 virtual int setCCMode(CCModeState mode) = 0;
+ virtual int allowAccess(uid_t user,
+ const std::string &owner,
+ const std::string &alias,
+ const std::string &accessor,
+ AccessRight granted) = 0;
+
+ virtual int denyAccess(uid_t user,
+ const std::string &owner,
+ const std::string &alias,
+ const std::string &accessor) = 0;
+
 virtual ~Control(){}
 static ControlShPtr create();
diff --git a/src/include/ckm/ckm-manager.h b/src/include/ckm/ckm-manager.h
index 9a20ae4..24185ec 100644
--- a/src/include/ckm/ckm-manager.h
+++ b/src/include/ckm/ckm-manager.h
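Review bot: The new `allowAccess`/`denyAccess` members on `Control` carry no documentation, although this is the privileged path that can give a third application rights over any owner's data for any user, and nothing in the header says what `owner` and `accessor` are or where the privilege is meant to be enforced. I would add a short comment above `allowAccess`, e.g. `// Privileged (admin) variant: owner/accessor are package ids (smack labels); the admin privilege is expected to be enforced on the service side`, hedged until the server-side implementation lands. The `Control` class itself starts and ends outside the hunk.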
@@ -117,6 +117,10 @@ public:
 // if application does not have permission to use network.
 virtual int ocspCheck(const CertificateShPtrVector &certificateChainVector, int &ocspStatus) = 0;
+ virtual int allowAccess(const std::string &alias, const std::string &accessor, AccessRight granted) = 0;
+ virtual int denyAccess(const std::string &alias, const std::string &accessor) = 0;
+
+
 static ManagerShPtr create();
 // static ManagerShPtr getManager(int uid); // TODO
 };
diff --git a/src/include/ckm/ckm-type.h b/src/include/ckm/ckm-type.h
index 169978d..efde2ab 100644
--- a/src/include/ckm/ckm-type.h
+++ b/src/include/ckm/ckm-type.h
@@ -97,6 +97,11 @@ enum class CCModeState : int {
 CC_MODE_ON
 };
+enum class AccessRight: int {
+ AR_READ = 0,
+ AR_READ_REMOVE
+};
+
 const char * ErrorToString(int error);
 } // namespace CKM
diff --git a/src/include/ckmc/ckmc-control.h b/src/include/ckmc/ckmc-control.h
index ca06412..8a962ef 100644
--- a/src/include/ckmc/ckmc-control.h
+++ b/src/include/ckmc/ckmc-control.h
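Review bot: The `Manager::allowAccess` declaration leaves the semantics of a repeated grant undefined: it is not stated whether a second call for the same `alias`/`accessor` with a different `AccessRight` replaces the earlier grant or widens it, nor whether one `denyAccess` afterwards removes everything. Since `AccessRight` is a two-valued enum rather than a bitmask, I would document replace semantics explicitly, e.g. `// A later call for the same alias/accessor replaces the previously granted right.`, and hold the implementation to it. The enclosing `Manager` class starts outside the hunk.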
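Review bot: `AccessRight` is produced in the C API by `static_cast`-ing a `ckmc_access_right_e` value (ckmc-control.cpp and ckmc-manager.cpp in this patch), so the enumerator values here must stay identical to `CKMC_AR_READ`/`CKMC_AR_READ_REMOVE`, but nothing in this enum says so. I would add `// Values mirror ckmc_access_right_e (ckmc-type.h); the C API converts by static_cast, so keep both lists in the same order.` and, in a translation unit that includes both headers, a `static_assert` comparing the two pairs of enumerators so a future addition cannot silently change which right is granted.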
@@ -169,6 +169,68 @@ int ckmc_change_user_password(uid_t user, const char *old_password, const char *
 */
 int ckmc_reset_user_password(uid_t user, const char *new_password);
+/**
+ * @brief Allows another application to access client's application data
+ *
+ * @since_tizen 2.3
+ * @privlevel platform
+ * @privilege %http://tizen.org/privilege/keymanager.admin
+ *
+ * @remarks Data identified by @a alias should exist
+ *
+ * @param[in] user User ID of a user whose data will be affected
+ * @param[in] owner Package id (smack label) of the data owner
+ * @param[in] alias Data alias for which access will be granted
+ * @param[in] accessor Package id (smack label) of the application that will gain access rights
+ * @param[in] granted Rights granted for @a accessor application
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_allow_access()
+ * @see ckmc_deny_access()
+ * @see ckmc_deny_access_by_adm()
+ */
+int ckmc_allow_access_by_adm(uid_t user, const char *owner, const char *alias, const char *accessor, ckmc_access_right_e granted);
+
+/**
+ * @brief Revokes another application's access to client's application data
+ *
+ * @since_tizen 2.3
+ * @privlevel platform
+ * @privilege %http://tizen.org/privilege/keymanager.admin
+ *
+ * @remarks Data identified by @a alias should exist
+ * @remarks Only access previously granted with ckmc_allow_access can be revoked.
+ *
+ * @param[in] user User ID of a user whose data will be affected
+ * @param[in] owner Package id (smack label) of the data owner
+ * @param[in] alias Data alias for which access will be revoked
+ * @param[in] accessor Package id (smack label) of the application that will lose access rights
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid or the @a accessor doesn't
+ * have access to @a alias
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_allow_access()
+ * @see ckmc_deny_access()
+ * @see ckmc_allow_access_by_adm()
+ */
+int ckmc_deny_access_by_adm(uid_t user, const char *owner, const char *alias, const char *accessor);
 /**
 * @}
diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h
index df56bf6..a7b5c24 100644
--- a/src/include/ckmc/ckmc-manager.h
+++ b/src/include/ckmc/ckmc-manager.h
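Review bot: The second `@remarks` on `ckmc_deny_access_by_adm` says only grants made with `ckmc_allow_access` can be revoked, but this is the admin API and its own grant function is `ckmc_allow_access_by_adm`; the remark should name both, e.g. `@remarks Only access previously granted with ckmc_allow_access() or ckmc_allow_access_by_adm() can be revoked.` The `@retval` lists of both functions also do not cover the value the client stub currently returns (`CKM_API_ERROR_UNKNOWN` in client-control.cpp, mapped through `to_ckmc_error`), so a caller has no documented way to tell "not implemented" from a real failure until the implementation lands. Finally, `CKMC_AR_READ_REMOVE` lets `accessor` delete the owner's data; since this is a platform-privileged API acting on someone else's data, I would spell out that consequence under `@param[in] granted`.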
@@ -670,6 +670,61 @@ int ckmc_get_cert_chain(const ckmc_cert_s *cert, const ckmc_cert_list_s *untrust
 */
 int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert, const ckmc_alias_list_s *untrustedcerts, ckmc_cert_list_s **ppcert_chain_list);
+/**
+ * @brief Allows another application to access client's application data
+ *
+ * @since_tizen 2.3
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks Data identified by @a alias should exist
+ *
+ * @param[in] alias Data alias for which access will be granted
+ * @param[in] accessor Package id (smack label) of the application that will gain access rights
+ * @param[in] granted Rights granted for @a accessor application
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_deny_access()
+ */
+int ckmc_allow_access(const char *alias, const char *accessor, ckmc_access_right_e granted);
+
+/**
+ * @brief Revokes another application's access to client's application data
+ *
+ * @since_tizen 2.3
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks Data identified by @a alias should exist
+ * @remarks Only access previously granted with ckmc_allow_access can be revoked.
+ *
+ * @param[in] alias Data alias for which access will be revoked
+ * @param[in] accessor Package id (smack label) of the application that will lose access rights
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid or the @a accessor doesn't
+ * have access to @a alias
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_allow_access()
+ */
+int ckmc_deny_access(const char *alias, const char *accessor);
+
 #ifdef __cplusplus
 }
diff --git a/src/include/ckmc/ckmc-type.h b/src/include/ckmc/ckmc-type.h
index f8f59d1..7d5b807 100644
--- a/src/include/ckmc/ckmc-type.h
+++ b/src/include/ckmc/ckmc-type.h
@@ -95,6 +95,15 @@ typedef enum __ckmc_rsa_padding_algo {
 } ckmc_rsa_padding_algo_e;
 /**
+ * @brief Enumeration for database access rights.
+ * @since_tizen 2.3
+ */
+typedef enum __ckmc_access_right{
+ CKMC_AR_READ = 0, /**< access right for read*/
+ CKMC_AR_READ_REMOVE /**< access right for read and remove*/
+} ckmc_access_right_e;
+
+/**
 * @brief the structure for binary buffer used in key manager CAPI.
 * @since_tizen 2.3
 */
diff --git a/src/manager/client-capi/ckmc-control.cpp b/src/manager/client-capi/ckmc-control.cpp
index f990a30..4e057b4 100644
--- a/src/manager/client-capi/ckmc-control.cpp
+++ b/src/manager/client-capi/ckmc-control.cpp
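Review bot: `ckmc_deny_access` documents that only access granted with `ckmc_allow_access` can be revoked, which leaves open whether an application may revoke a grant that a platform component made on its behalf with `ckmc_allow_access_by_adm`; the remark should say one way or the other. The `@retval` list also omits the code the current client stub produces (`CKM_API_ERROR_UNKNOWN` in client-manager-impl.cpp, mapped through `to_ckmc_error`), so the documented contract is not what the library does today. Under `@param[in] accessor` it is worth stating whether the label is checked against installed packages at grant time: if it is not, a grant to a not-yet-installed label pre-authorises whatever is later installed under that label, which callers should know before they use it.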
@@ -28,48 +28,72 @@ CKM::Password _toPasswordStr(const char *str)
 {
- if(str == NULL)
- return CKM::Password();
- return CKM::Password(str);
+ if (str == NULL)
+ return CKM::Password();
+ return CKM::Password(str);
 }
 KEY_MANAGER_CAPI
 int ckmc_unlock_user_key(uid_t user, const char *password)
 {
- auto control = CKM::Control::create();
- int ret = control->unlockUserKey(user, _toPasswordStr(password));
- return to_ckmc_error(ret);
+ auto control = CKM::Control::create();
+ int ret = control->unlockUserKey(user, _toPasswordStr(password));
+ return to_ckmc_error(ret);
 }
 KEY_MANAGER_CAPI
 int ckmc_lock_user_key(uid_t user)
 {
- auto control = CKM::Control::create();
- int ret = control->lockUserKey(user);
- return to_ckmc_error(ret);
+ auto control = CKM::Control::create();
+ int ret = control->lockUserKey(user);
+ return to_ckmc_error(ret);
 }
 KEY_MANAGER_CAPI
 int ckmc_remove_user_data(uid_t user)
 {
- auto control = CKM::Control::create();
- int ret = control->removeUserData(user);
- return to_ckmc_error(ret);
+ auto control = CKM::Control::create();
+ int ret = control->removeUserData(user);
+ return to_ckmc_error(ret);
 }
 KEY_MANAGER_CAPI
 int ckmc_change_user_password(uid_t user, const char *oldPassword, const char *newPassword)
 {
- auto control = CKM::Control::create();
- int ret = control->changeUserPassword(user, _toPasswordStr(oldPassword), _toPasswordStr(newPassword));
- return to_ckmc_error(ret);
+ auto control = CKM::Control::create();
+ int ret = control->changeUserPassword(user,
+ _toPasswordStr(oldPassword),
+ _toPasswordStr(newPassword));
+ return to_ckmc_error(ret);
 }
 KEY_MANAGER_CAPI
 int ckmc_reset_user_password(uid_t user, const char *newPassword)
 {
- auto control = CKM::Control::create();
- int ret = control->resetUserPassword(user, _toPasswordStr(newPassword));
- return to_ckmc_error(ret);
+ auto control = CKM::Control::create();
+ int ret = control->resetUserPassword(user, _toPasswordStr(newPassword));
+ return to_ckmc_error(ret);
 }
+KEY_MANAGER_CAPI
+int ckmc_allow_access_by_adm(uid_t user, const char* owner, const char *alias, const char *accessor, ckmc_access_right_e granted)
+{
+ if (!owner || !alias || !accessor)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ auto control = CKM::Control::create();
+
+ CKM::AccessRight ar = static_cast(static_cast(granted));
+ return to_ckmc_error(control->allowAccess(user, owner, alias, accessor, ar));
+}
+
+KEY_MANAGER_CAPI
+int ckmc_deny_access_by_adm(uid_t user, const char* owner, const char *alias, const char *accessor)
+{
+ if (!owner || !alias || !accessor)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ auto control = CKM::Control::create();
+
+ return to_ckmc_error(control->denyAccess(user, owner, alias, accessor));
+}
diff --git a/src/manager/client-capi/ckmc-manager.cpp b/src/manager/client-capi/ckmc-manager.cpp
index a8f89fd..e641c80 100644
--- a/src/manager/client-capi/ckmc-manager.cpp
+++ b/src/manager/client-capi/ckmc-manager.cpp
@@ -604,3 +604,26 @@ int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert, const ckmc_alias_lis
 return CKMC_ERROR_NONE;
 }
+
+KEY_MANAGER_CAPI
+int ckmc_allow_access(const char *alias, const char *accessor, ckmc_access_right_e granted)
+{
+ if (!alias || !accessor)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+
+ CKM::AccessRight ar = static_cast(static_cast(granted));
+ return to_ckmc_error(mgr->allowAccess(alias, accessor, ar));
+}
+
+KEY_MANAGER_CAPI
+int ckmc_deny_access(const char *alias, const char *accessor)
+{
+ if (!alias || !accessor)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+
+ return to_ckmc_error(mgr->denyAccess(alias, accessor));
+}
diff --git a/src/manager/client/client-control.cpp b/src/manager/client/client-control.cpp
index 3048fad..2938a56 100644
--- a/src/manager/client/client-control.cpp
+++ b/src/manager/client/client-control.cpp
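Review bot: `ckmc_allow_access_by_adm` forwards `granted` through two `static_cast`s without checking that it is one of the two defined enumerators, so any other integer a C caller passes becomes an `AccessRight` value the service has never defined; I would reject it next to the NULL checks with `if (granted != CKMC_AR_READ && granted != CKMC_AR_READ_REMOVE) return CKMC_ERROR_INVALID_PARAMETER;`. The template arguments of both `static_cast`s are not visible in this rendering of the hunk, presumably stripped by extraction; worth confirming the committed line reads `static_cast<CKM::AccessRight>(static_cast<int>(granted))` or equivalent. The new signatures also write `const char* owner` while every other pointer parameter in this file is written `const char *alias`; keep one style.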
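Review bot: `ckmc_allow_access` and `ckmc_deny_access` dereference `mgr` without checking it, and `Manager::create()` (context in the client-manager-impl.cpp hunk of this patch) wraps its `make_shared` in a `try`, which suggests it can return an empty `ManagerShPtr` when construction fails; if so, both functions crash instead of returning an error. I would add `if (!mgr) return <the ckmc error the rest of this file uses for an unavailable manager>;` directly after the `create()` call — the existing functions above the hunk presumably show which code that is. The same range check on `granted` that `ckmc_allow_access_by_adm` needs applies here: `if (granted != CKMC_AR_READ && granted != CKMC_AR_READ_REMOVE) return CKMC_ERROR_INVALID_PARAMETER;` before the cast.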
@@ -217,6 +217,23 @@ public:
 });
 }
+ virtual int allowAccess(uid_t /*user*/,
+ const std::string &/*owner*/,
+ const std::string &/*alias*/,
+ const std::string &/*accessor*/,
+ AccessRight /*granted*/)
+ {
+ return CKM_API_ERROR_UNKNOWN;
+ }
+
+ virtual int denyAccess(uid_t /*user*/,
+ const std::string &/*owner*/,
+ const std::string &/*alias*/,
+ const std::string &/*accessor*/)
+ {
+ return CKM_API_ERROR_UNKNOWN;
+ }
+
 virtual ~ControlImpl(){}
 };
diff --git a/src/manager/client/client-manager-impl.cpp b/src/manager/client/client-manager-impl.cpp
index 27a5705..25eb8af 100644
--- a/src/manager/client/client-manager-impl.cpp
+++ b/src/manager/client/client-manager-impl.cpp
@@ -657,6 +657,18 @@ int ManagerImpl::ocspCheck(const CertificateShPtrVector &certChain, int &ocspSta
 });
 }
+int ManagerImpl::allowAccess(const std::string &/*alias*/,
+ const std::string &/*accessor*/,
+ AccessRight /*granted*/)
+{
+ return CKM_API_ERROR_UNKNOWN;
+}
+
+int ManagerImpl::denyAccess(const std::string &/*alias*/, const std::string &/*accessor*/)
+{
+ return CKM_API_ERROR_UNKNOWN;
+}
+
 ManagerShPtr Manager::create() { try { return std::make_shared();
diff --git a/src/manager/client/client-manager-impl.h b/src/manager/client/client-manager-impl.h
index 07b405d..8153535 100644
--- a/src/manager/client/client-manager-impl.h
+++ b/src/manager/client/client-manager-impl.h
@@ -97,6 +97,9 @@ public:
 int ocspCheck(const CertificateShPtrVector &certificateChain, int &ocspCheck);
+ int allowAccess(const std::string &alias, const std::string &accessor, AccessRight granted);
+ int denyAccess(const std::string &alias, const std::string &accessor);
+
 protected:
 int saveBinaryData(
 const Alias &alias,
-- 
2.7.4
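Review bot: The `ControlImpl::allowAccess`/`denyAccess` stubs return `CKM_API_ERROR_UNKNOWN`, which fails closed (no access can be granted before the real implementation exists) but is indistinguishable from a genuine service failure for the caller and is not among the `@retval` codes the new C API headers document. I would return a dedicated not-supported code if the `CKM_API_ERROR_*` set has one, and in any case mark the intent above each stub with `// TODO: not implemented yet; returning an error keeps this fail-closed` so the placeholder is not mistaken for final behaviour. `ControlImpl` begins outside the hunk.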