Move system db owner check to AccessControl 02/287802/2
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Fri, 3 Feb 2023 09:05:55 +0000 (10:05 +0100)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Wed, 8 Feb 2023 08:47:12 +0000 (09:47 +0100)
Change-Id: I28daefd12f0492a93b63f66c11b0a6fdda9d302d

src/manager/service/access-control.cpp
src/manager/service/ckm-logic.cpp

index e57539b..7c08c03 100644 (file)
@@ -71,8 +71,13 @@ int AccessControl::canSave(
        const CKM::Credentials &accessorCred,
        const ClientId &owner) const
 {
-       if (isSystemService(accessorCred))
+       if (isSystemService(accessorCred)) {
+               if (owner.compare(CLIENT_ID_SYSTEM) != 0) {
+                       LogError("System services can only use " << CLIENT_ID_SYSTEM << " as owner id");
+                       return CKM_API_ERROR_INPUT_PARAM;
+               }
                return CKM_API_SUCCESS;
+       }
 
        if (owner != accessorCred.client)
                return CKM_API_ERROR_ACCESS_DENIED;
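Review bot: The guard added at the top of `canSave` is now the only place that rejects a system service saving under an owner other than `CLIENT_ID_SYSTEM`, because the per-helper copies in ckm-logic.cpp are deleted in this same commit; any save path that does not reach `canSave` therefore loses the check. Every ckm-logic.cpp hunk still calls `checkSaveConditions`, which presumably forwards here, but that function is not shown, so this should be confirmed and pinned with a unit test asserting that a system credential with a non-system owner gets `CKM_API_ERROR_INPUT_PARAM`. The branch should also carry a comment stating the rule, since it returns a different code from the `CKM_API_ERROR_ACCESS_DENIED` mismatch just below, e.g. `// System services may only store under CLIENT_ID_SYSTEM; any other owner is rejected as a bad parameter.` For consistency with `owner != accessorCred.client` two lines further down, the comparison could read `if (owner != CLIENT_ID_SYSTEM) {`, assuming `ClientId` is a string type. The body of `canSave` continues outside this hunk.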
index 2511868..928ed0d 100644 (file)
@@ -1163,7 +1163,6 @@ int CKMLogic::importInitialData(
                        // check if save is possible
                        DB::Crypto::Transaction transaction(&handler.database);
                        int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM);
-
                        if (retCode != CKM_API_SUCCESS)
                                return retCode;
 
@@ -1220,16 +1219,9 @@ int CKMLogic::saveDataHelper(
        // use client id if not explicitly provided
        const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
-       if (m_accessControl.isSystemService(cred) &&
-                       owner.compare(CLIENT_ID_SYSTEM) != 0) {
-               LogError("System services can only use " << CLIENT_ID_SYSTEM << " as owner id") ;
-               return CKM_API_ERROR_INPUT_PARAM;
-       }
-
        // check if save is possible
        DB::Crypto::Transaction transaction(&handler.database);
        int retCode = checkSaveConditions(cred, handler, name, owner);
-
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
@@ -1259,14 +1251,9 @@ int CKMLogic::saveDataHelper(
        // use client id if not explicitly provided
        const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
-       if (m_accessControl.isSystemService(cred) &&
-                       owner.compare(CLIENT_ID_SYSTEM) != 0)
-               return CKM_API_ERROR_INPUT_PARAM;
-
        // check if save is possible
        DB::Crypto::Transaction transaction(&handler.database);
        int retCode = checkSaveConditions(cred, handler, name, owner);
-
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
@@ -1298,14 +1285,9 @@ int CKMLogic::createKeyAESHelper(
        // use client id if not explicitly provided
        const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
-       if (m_accessControl.isSystemService(cred) &&
-                       owner.compare(CLIENT_ID_SYSTEM) != 0)
-               return CKM_API_ERROR_INPUT_PARAM;
-
        // check if save is possible
        DB::Crypto::Transaction transaction(&handler.database);
        int retCode = checkSaveConditions(cred, handler, name, owner);
-
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
@@ -1361,17 +1343,9 @@ int CKMLogic::createKeyPairHelper(
        const ClientId &ownerPrv = explicitOwnerPrivate.empty() ? cred.client :
                                                           explicitOwnerPrivate;
 
-       if (m_accessControl.isSystemService(cred) &&
-                       ownerPrv.compare(CLIENT_ID_SYSTEM) != 0)
-               return CKM_API_ERROR_INPUT_PARAM;
-
        const ClientId &ownerPub = explicitOwnerPublic.empty() ? cred.client :
                                                           explicitOwnerPublic;
 
-       if (m_accessControl.isSystemService(cred) &&
-                       ownerPub.compare(CLIENT_ID_SYSTEM) != 0)
-               return CKM_API_ERROR_INPUT_PARAM;
-
        bool exportable = policyPrivate.extractable || policyPublic.extractable;
        Policy lessRestricted(Password(), exportable, policyPrivate.backend);
 
@@ -1395,12 +1369,10 @@ int CKMLogic::createKeyPairHelper(
 
        int retCode;
        retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerPrv);
-
        if (CKM_API_SUCCESS != retCode)
                return retCode;
 
        retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerPub);
-
        if (CKM_API_SUCCESS != retCode)
                return retCode;