session-ios/SignalServiceKit/src/Messages/UD/OWSUDManager.swift

//
//  Copyright (c) 2018 Open Whisper Systems. All rights reserved.
//

import Foundation
import PromiseKit
import SignalMetadataKit
import SignalCoreKit

public enum OWSUDError: Error {
    case assertionError(description: String)
    case invalidData(description: String)
}

@objc public protocol OWSUDManager: class {

    @objc func setup()

    // MARK: - Recipient state

    @objc func isUDRecipientId(_ recipientId: String) -> Bool

    // No-op if this recipient id is already marked as a "UD recipient".
    @objc func addUDRecipientId(_ recipientId: String)

    // No-op if this recipient id is already marked as _NOT_ a "UD recipient".
    @objc func removeUDRecipientId(_ recipientId: String)

    // Returns the UD access key for a given recipient if they are
    // a UD recipient and we have a valid profile key for them.
    @objc func udAccessKeyForRecipient(_ recipientId: String) -> SMKUDAccessKey?

    // MARK: - Sender Certificate

    // We use completion handlers instead of a promise so that message sending
    // logic can access the certificate data.
    @objc func ensureSenderCertificateObjC(success:@escaping (SMKSenderCertificate) -> Void,
                                            failure:@escaping (Error) -> Void)

    // MARK: - Unrestricted Access

    @objc func shouldAllowUnrestrictedAccess() -> Bool

    @objc func setShouldAllowUnrestrictedAccess(_ value: Bool)
}

// MARK: -

@objc
public class OWSUDManagerImpl: NSObject, OWSUDManager {

    private let dbConnection: YapDatabaseConnection

    private let kUDRecipientModeCollection = "kUDRecipientModeCollection"
    private let kUDCollection = "kUDCollection"
    private let kUDCurrentSenderCertificateKey = "kUDCurrentSenderCertificateKey"
    private let kUDUnrestrictedAccessKey = "kUDUnrestrictedAccessKey"

    @objc
    public required init(primaryStorage: OWSPrimaryStorage) {
        self.dbConnection = primaryStorage.newDatabaseConnection()

        super.init()

        SwiftSingletons.register(self)
    }

    @objc public func setup() {
        AppReadiness.runNowOrWhenAppIsReady {
            guard TSAccountManager.isRegistered() else {
                return
            }
            self.ensureSenderCertificate().retainUntilComplete()
        }
        NotificationCenter.default.addObserver(self,
                                               selector: #selector(registrationStateDidChange),
                                               name: .RegistrationStateDidChange,
                                               object: nil)
    }

    @objc
    func registrationStateDidChange() {
        AssertIsOnMainThread()

        ensureSenderCertificate().retainUntilComplete()
    }

    // MARK: - Dependencies

    private var profileManager: ProfileManagerProtocol {
        return SSKEnvironment.shared.profileManager
    }

    // MARK: - Recipient state

    @objc
    public func isUDRecipientId(_ recipientId: String) -> Bool {
        return dbConnection.bool(forKey: recipientId, inCollection: kUDRecipientModeCollection, defaultValue: false)
    }

    @objc
    public func addUDRecipientId(_ recipientId: String) {
        dbConnection.setBool(true, forKey: recipientId, inCollection: kUDRecipientModeCollection)
    }

    @objc
    public func removeUDRecipientId(_ recipientId: String) {
        dbConnection.removeObject(forKey: recipientId, inCollection: kUDRecipientModeCollection)
    }

    // Returns the UD access key for a given recipient if they are
    // a UD recipient and we have a valid profile key for them.
    @objc
    public func udAccessKeyForRecipient(_ recipientId: String) -> SMKUDAccessKey? {
        guard isUDRecipientId(recipientId) else {
            return nil
        }
        guard let profileKey = profileManager.profileKeyData(forRecipientId: recipientId) else {
            // Mark as "not a UD recipient".
            removeUDRecipientId(recipientId)
            return nil
        }
        do {
            let udAccessKey = try SMKUDAccessKey(profileKey: profileKey)
            return udAccessKey
        } catch {
            Logger.error("Could not determine udAccessKey: \(error)")
            removeUDRecipientId(recipientId)
            return nil
        }
    }

    // MARK: - Sender Certificate

    #if DEBUG
    @objc
    public func hasSenderCertificate() -> Bool {
        return senderCertificate() != nil
    }
    #endif

    private func senderCertificate() -> SMKSenderCertificate? {
        guard let certificateData = dbConnection.object(forKey: kUDCurrentSenderCertificateKey, inCollection: kUDCollection) as? Data else {
            return nil
        }

        do {
            let certificate = try SMKSenderCertificate.parse(data: certificateData)

            guard isValidCertificate(certificate: certificate) else {
                Logger.warn("Current sender certificate is not valid.")
                return nil
            }

            return certificate
        } catch {
            OWSLogger.error("Certificate could not be parsed: \(error)")
            return nil
        }
    }

    private func setSenderCertificate(_ certificateData: Data) {
        dbConnection.setObject(certificateData, forKey: kUDCurrentSenderCertificateKey, inCollection: kUDCollection)
    }

    @objc
    public func ensureSenderCertificateObjC(success:@escaping (SMKSenderCertificate) -> Void,
                                            failure:@escaping (Error) -> Void) {
        ensureSenderCertificate()
            .then(execute: { certificate in
                success(certificate)
            })
            .catch(execute: { (error) in
                failure(error)
            }).retainUntilComplete()
    }

    public func ensureSenderCertificate() -> Promise<SMKSenderCertificate> {
        // If there is a valid cached sender certificate, use that.
        if let certificate = senderCertificate() {
            return Promise(value: certificate)
        }
        // Try to obtain a new sender certificate.
        return requestSenderCertificate().then { (certificateData, certificate) in

            // Cache the current sender certificate.
            self.setSenderCertificate(certificateData)

            return Promise(value: certificate)
        }
    }

    private func requestSenderCertificate() -> Promise<(Data, SMKSenderCertificate)> {
        return SignalServiceRestClient().requestUDSenderCertificate().then { (certificateData) -> Promise<(Data, SMKSenderCertificate)> in
            let certificate = try SMKSenderCertificate.parse(data: certificateData)

            guard self.isValidCertificate(certificate: certificate) else {
                throw OWSUDError.invalidData(description: "Invalid sender certificate returned by server")
            }

            return Promise(value: (certificateData, certificate) )
        }
    }

    private func isValidCertificate(certificate: SMKSenderCertificate) -> Bool {
        let expirationMs = certificate.expirationTimestamp
        let nowMs = NSDate.ows_millisecondTimeStamp()
        // Ensure that the certificate will not expire in the next hour.
        // We want a threshold long enough to ensure that any outgoing message
        // sends will complete before the expiration.
        let isValid = nowMs + kHourInMs < expirationMs
        return isValid
    }

    // MARK: - Unrestricted Access

    @objc
    public func shouldAllowUnrestrictedAccess() -> Bool {
        return dbConnection.bool(forKey: kUDUnrestrictedAccessKey, inCollection: kUDRecipientModeCollection, defaultValue: false)
    }

    @objc
    public func setShouldAllowUnrestrictedAccess(_ value: Bool) {
        dbConnection.setBool(value, forKey: kUDUnrestrictedAccessKey, inCollection: kUDRecipientModeCollection)
    }
}
Add server certificate methods to UD manager. 7 years ago			`//`
			`// Copyright (c) 2018 Open Whisper Systems. All rights reserved.`
			`//`

			`import Foundation`
			`import PromiseKit`
Sketch out sender certificate validation. 7 years ago			`import SignalMetadataKit`
			`import SignalCoreKit`
Add server certificate methods to UD manager. 7 years ago
			`public enum OWSUDError: Error {`
			`case assertionError(description: String)`
Respond to CR. 7 years ago			`case invalidData(description: String)`
Add server certificate methods to UD manager. 7 years ago			`}`

			`@objc public protocol OWSUDManager: class {`

Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago			`@objc func setup()`

			`// MARK: - Recipient state`

Add server certificate methods to UD manager. 7 years ago			`@objc func isUDRecipientId(_ recipientId: String) -> Bool`

			`// No-op if this recipient id is already marked as a "UD recipient".`
			`@objc func addUDRecipientId(_ recipientId: String)`

			`// No-op if this recipient id is already marked as _NOT_ a "UD recipient".`
			`@objc func removeUDRecipientId(_ recipientId: String)`
Respond to CR. 7 years ago
UD send via REST. 7 years ago			`// Returns the UD access key for a given recipient if they are`
			`// a UD recipient and we have a valid profile key for them.`
			`@objc func udAccessKeyForRecipient(_ recipientId: String) -> SMKUDAccessKey?`

Rework account attributes; persist manual message fetch; add "unrestricted UD" setting. 7 years ago			`// MARK: - Sender Certificate`

Respond to CR. 7 years ago			`// We use completion handlers instead of a promise so that message sending`
			`// logic can access the certificate data.`
UD send via REST. 7 years ago			`@objc func ensureSenderCertificateObjC(success:@escaping (SMKSenderCertificate) -> Void,`
Respond to CR. 7 years ago			`failure:@escaping (Error) -> Void)`
Rework account attributes; persist manual message fetch; add "unrestricted UD" setting. 7 years ago
			`// MARK: - Unrestricted Access`

Respond to CR. 7 years ago			`@objc func shouldAllowUnrestrictedAccess() -> Bool`
Rework account attributes; persist manual message fetch; add "unrestricted UD" setting. 7 years ago
Respond to CR. 7 years ago			`@objc func setShouldAllowUnrestrictedAccess(_ value: Bool)`
Add server certificate methods to UD manager. 7 years ago			`}`

			`// MARK: -`

			`@objc`
			`public class OWSUDManagerImpl: NSObject, OWSUDManager {`

			`private let dbConnection: YapDatabaseConnection`

			`private let kUDRecipientModeCollection = "kUDRecipientModeCollection"`
			`private let kUDCollection = "kUDCollection"`
Sketch out sender certificate validation. 7 years ago			`private let kUDCurrentSenderCertificateKey = "kUDCurrentSenderCertificateKey"`
Rework account attributes; persist manual message fetch; add "unrestricted UD" setting. 7 years ago			`private let kUDUnrestrictedAccessKey = "kUDUnrestrictedAccessKey"`
Add server certificate methods to UD manager. 7 years ago
			`@objc`
			`public required init(primaryStorage: OWSPrimaryStorage) {`
			`self.dbConnection = primaryStorage.newDatabaseConnection()`

			`super.init()`

			`SwiftSingletons.register(self)`
			`}`

Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago			`@objc public func setup() {`
			`AppReadiness.runNowOrWhenAppIsReady {`
			`guard TSAccountManager.isRegistered() else {`
			`return`
			`}`
Sketch out sender certificate validation. 7 years ago			`self.ensureSenderCertificate().retainUntilComplete()`
Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago			`}`
			`NotificationCenter.default.addObserver(self,`
			`selector: #selector(registrationStateDidChange),`
			`name: .RegistrationStateDidChange,`
			`object: nil)`
			`}`

			`@objc`
			`func registrationStateDidChange() {`
			`AssertIsOnMainThread()`

Sketch out sender certificate validation. 7 years ago			`ensureSenderCertificate().retainUntilComplete()`
Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago			`}`

UD send via REST. 7 years ago			`// MARK: - Dependencies`

			`private var profileManager: ProfileManagerProtocol {`
			`return SSKEnvironment.shared.profileManager`
			`}`

Add server certificate methods to UD manager. 7 years ago			`// MARK: - Recipient state`

			`@objc`
			`public func isUDRecipientId(_ recipientId: String) -> Bool {`
			`return dbConnection.bool(forKey: recipientId, inCollection: kUDRecipientModeCollection, defaultValue: false)`
			`}`

			`@objc`
			`public func addUDRecipientId(_ recipientId: String) {`
			`dbConnection.setBool(true, forKey: recipientId, inCollection: kUDRecipientModeCollection)`
			`}`

			`@objc`
			`public func removeUDRecipientId(_ recipientId: String) {`
			`dbConnection.removeObject(forKey: recipientId, inCollection: kUDRecipientModeCollection)`
			`}`

UD send via REST. 7 years ago			`// Returns the UD access key for a given recipient if they are`
			`// a UD recipient and we have a valid profile key for them.`
			`@objc`
			`public func udAccessKeyForRecipient(_ recipientId: String) -> SMKUDAccessKey? {`
			`guard isUDRecipientId(recipientId) else {`
			`return nil`
			`}`
			`guard let profileKey = profileManager.profileKeyData(forRecipientId: recipientId) else {`
			`// Mark as "not a UD recipient".`
			`removeUDRecipientId(recipientId)`
			`return nil`
			`}`
			`do {`
			`let udAccessKey = try SMKUDAccessKey(profileKey: profileKey)`
			`return udAccessKey`
			`} catch {`
			`Logger.error("Could not determine udAccessKey: \(error)")`
			`removeUDRecipientId(recipientId)`
			`return nil`
			`}`
			`}`

Sketch out sender certificate validation. 7 years ago			`// MARK: - Sender Certificate`
Add server certificate methods to UD manager. 7 years ago
			`#if DEBUG`
			`@objc`
Sketch out sender certificate validation. 7 years ago			`public func hasSenderCertificate() -> Bool {`
			`return senderCertificate() != nil`
Add server certificate methods to UD manager. 7 years ago			`}`
			`#endif`

UD send via REST. 7 years ago			`private func senderCertificate() -> SMKSenderCertificate? {`
Sketch out sender certificate validation. 7 years ago			`guard let certificateData = dbConnection.object(forKey: kUDCurrentSenderCertificateKey, inCollection: kUDCollection) as? Data else {`
Add server certificate methods to UD manager. 7 years ago			`return nil`
			`}`
Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago
UD send via REST. 7 years ago			`do {`
			`let certificate = try SMKSenderCertificate.parse(data: certificateData)`

			`guard isValidCertificate(certificate: certificate) else {`
			`Logger.warn("Current sender certificate is not valid.")`
			`return nil`
			`}`

			`return certificate`
			`} catch {`
			`OWSLogger.error("Certificate could not be parsed: \(error)")`
Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago			`return nil`
			`}`
Add server certificate methods to UD manager. 7 years ago			`}`

Sketch out sender certificate validation. 7 years ago			`private func setSenderCertificate(_ certificateData: Data) {`
			`dbConnection.setObject(certificateData, forKey: kUDCurrentSenderCertificateKey, inCollection: kUDCollection)`
Add server certificate methods to UD manager. 7 years ago			`}`

			`@objc`
UD send via REST. 7 years ago			`public func ensureSenderCertificateObjC(success:@escaping (SMKSenderCertificate) -> Void,`
			`failure:@escaping (Error) -> Void) {`
Sketch out sender certificate validation. 7 years ago			`ensureSenderCertificate()`
UD send via REST. 7 years ago			`.then(execute: { certificate in`
			`success(certificate)`
Add server certificate methods to UD manager. 7 years ago			`})`
			`.catch(execute: { (error) in`
			`failure(error)`
			`}).retainUntilComplete()`
			`}`

UD send via REST. 7 years ago			`public func ensureSenderCertificate() -> Promise<SMKSenderCertificate> {`
Respond to CR. 7 years ago			`// If there is a valid cached sender certificate, use that.`
UD send via REST. 7 years ago			`if let certificate = senderCertificate() {`
			`return Promise(value: certificate)`
Add server certificate methods to UD manager. 7 years ago			`}`
Respond to CR. 7 years ago			`// Try to obtain a new sender certificate.`
UD send via REST. 7 years ago			`return requestSenderCertificate().then { (certificateData, certificate) in`

Respond to CR. 7 years ago			`// Cache the current sender certificate.`
			`self.setSenderCertificate(certificateData)`

UD send via REST. 7 years ago			`return Promise(value: certificate)`
Respond to CR. 7 years ago			`}`
Add server certificate methods to UD manager. 7 years ago			`}`

UD send via REST. 7 years ago			`private func requestSenderCertificate() -> Promise<(Data, SMKSenderCertificate)> {`
			`return SignalServiceRestClient().requestUDSenderCertificate().then { (certificateData) -> Promise<(Data, SMKSenderCertificate)> in`
			`let certificate = try SMKSenderCertificate.parse(data: certificateData)`

			`guard self.isValidCertificate(certificate: certificate) else {`
Respond to CR. 7 years ago			`throw OWSUDError.invalidData(description: "Invalid sender certificate returned by server")`
			`}`
Add server certificate methods to UD manager. 7 years ago
UD send via REST. 7 years ago			`return Promise(value: (certificateData, certificate) )`
Add server certificate methods to UD manager. 7 years ago			`}`
			`}`
Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago
UD send via REST. 7 years ago			`private func isValidCertificate(certificate: SMKSenderCertificate) -> Bool {`
			`let expirationMs = certificate.expirationTimestamp`
			`let nowMs = NSDate.ows_millisecondTimeStamp()`
			`// Ensure that the certificate will not expire in the next hour.`
			`// We want a threshold long enough to ensure that any outgoing message`
			`// sends will complete before the expiration.`
			`let isValid = nowMs + kHourInMs < expirationMs`
			`return isValid`
Add setup method to UD manager. Try to verify server certificate expiration. 7 years ago			`}`
Rework account attributes; persist manual message fetch; add "unrestricted UD" setting. 7 years ago
			`// MARK: - Unrestricted Access`

			`@objc`
Respond to CR. 7 years ago			`public func shouldAllowUnrestrictedAccess() -> Bool {`
Rework account attributes; persist manual message fetch; add "unrestricted UD" setting. 7 years ago			`return dbConnection.bool(forKey: kUDUnrestrictedAccessKey, inCollection: kUDRecipientModeCollection, defaultValue: false)`
			`}`

			`@objc`
Respond to CR. 7 years ago			`public func setShouldAllowUnrestrictedAccess(_ value: Bool) {`
Rework account attributes; persist manual message fetch; add "unrestricted UD" setting. 7 years ago			`dbConnection.setBool(value, forKey: kUDUnrestrictedAccessKey, inCollection: kUDRecipientModeCollection)`
			`}`
Add server certificate methods to UD manager. 7 years ago			`}`