keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dev
voice-calls-2
voice-calls
authentication
2.5.0
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.2
2.3.1
2.3.0
2.2.14
2.2.13
2.2.12
2.2.11
2.2.10
2.2.9
2.2.6
2.2.4
2.2.2
2.2.1
2.2.0
2.1.1
2.0.3
2.0.2
2.0.1
2.0.0
1.0.0-alpha.1
audit-2
audit
2.8.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7.0
2.6.3
2.6.2
2.6.1
2.6.0
2.2.8
2.2.7
2.2.5
2.2.3
2.1.0
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.0
1.6.5
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1-beta
1.5.0-beta
1.5.0
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.0-beta
1.4.0
1.3.0-alpha.1
1.3.0
1.2.6
1.2.5
1.2.4
1.2.3
1.2.1
1.2.0-alpha.2
1.2.0-alpha.1
1.2.0
1.13.0
1.12.9
1.12.8
1.12.7
1.12.6
1.12.5
1.12.4
1.12.2
1.12.1
1.11.9
1.11.8
1.11.7
1.11.6
1.11.5
1.11.4
1.11.3
1.11.24
1.11.23
1.11.22
1.11.21
1.11.20
1.11.2
1.11.19
1.11.18
1.11.17
1.11.16
1.11.15
1.11.14
1.11.13
1.11.12
1.11.11
1.11.10
1.11.1
1.11.0
1.10.2
1.10.1
1.10.0
1.1.0-alpha.4
1.1.0-alpha.3
1.1.0-alpha.2
1.1.0-alpha.1
1.1.0
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0-alpha.3
1.0.0-alpha.2
1.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '341782f255'
${ noResults }
session-ios/SignalUtilitiesKit/OWSUDManager.swift

434 lines
16 KiB
Swift
Raw Blame History

//
// Copyright (c) 2019 Open Whisper Systems. All rights reserved.
//
import Foundation
import PromiseKit
public enum OWSUDError: Error {
case assertionError(description: String)
case invalidData(description: String)
}
@objc
public enum OWSUDCertificateExpirationPolicy: Int {
// We want to try to rotate the sender certificate
// on a frequent basis, but we don't want to block
// sending on this.
case strict
case permissive
}
private func string(forUnidentifiedAccessMode mode: UnidentifiedAccessMode) -> String {
switch mode {
case .unknown:
return "unknown"
case .enabled:
return "enabled"
case .disabled:
return "disabled"
case .unrestricted:
return "unrestricted"
}
}
// MARK: -
@objc
public class OWSUDManagerImpl: NSObject, OWSUDManager {
private let dbConnection: YapDatabaseConnection
// MARK: Local Configuration State
private let kUDCollection = "kUDCollection"
private let kUDCurrentSenderCertificateKey_Production = "kUDCurrentSenderCertificateKey_Production"
private let kUDCurrentSenderCertificateKey_Staging = "kUDCurrentSenderCertificateKey_Staging"
private let kUDCurrentSenderCertificateDateKey_Production = "kUDCurrentSenderCertificateDateKey_Production"
private let kUDCurrentSenderCertificateDateKey_Staging = "kUDCurrentSenderCertificateDateKey_Staging"
private let kUDUnrestrictedAccessKey = "kUDUnrestrictedAccessKey"
// MARK: Recipient State
private let kUnidentifiedAccessCollection = "kUnidentifiedAccessCollection"
var certificateValidator: SMKCertificateValidator
@objc
public required init(primaryStorage: OWSPrimaryStorage) {
self.dbConnection = primaryStorage.newDatabaseConnection()
self.certificateValidator = SMKCertificateDefaultValidator(trustRoot: OWSUDManagerImpl.trustRoot())
super.init()
SwiftSingletons.register(self)
}
@objc public func setup() {
AppReadiness.runNowOrWhenAppDidBecomeReady {
guard self.tsAccountManager.isRegistered() else {
return
}
// Any error is silently ignored on startup.
self.ensureSenderCertificate(certificateExpirationPolicy: .strict).retainUntilComplete()
}
NotificationCenter.default.addObserver(self,
selector: #selector(registrationStateDidChange),
name: .RegistrationStateDidChange,
object: nil)
NotificationCenter.default.addObserver(self,
selector: #selector(didBecomeActive),
name: NSNotification.Name.OWSApplicationDidBecomeActive,
object: nil)
}
@objc
func registrationStateDidChange() {
AssertIsOnMainThread()
guard tsAccountManager.isRegisteredAndReady() else {
return
}
// Any error is silently ignored
ensureSenderCertificate(certificateExpirationPolicy: .strict).retainUntilComplete()
}
@objc func didBecomeActive() {
AssertIsOnMainThread()
AppReadiness.runNowOrWhenAppDidBecomeReady {
guard self.tsAccountManager.isRegistered() else {
return
}
// Any error is silently ignored on startup.
self.ensureSenderCertificate(certificateExpirationPolicy: .strict).retainUntilComplete()
}
}
// MARK: -
@objc
public func isUDVerboseLoggingEnabled() -> Bool {
return false
}
// MARK: - Dependencies
private var profileManager: ProfileManagerProtocol {
return SSKEnvironment.shared.profileManager
}
private var tsAccountManager: TSAccountManager {
return TSAccountManager.sharedInstance()
}
// MARK: - Recipient state
@objc
public func randomUDAccessKey() -> SMKUDAccessKey {
return SMKUDAccessKey(randomKeyData: ())
}
private func unidentifiedAccessMode(forRecipientId recipientId: String,
isLocalNumber: Bool,
transaction: YapDatabaseReadTransaction) -> UnidentifiedAccessMode {
let defaultValue: UnidentifiedAccessMode = isLocalNumber ? .enabled : .unknown
guard let existingRawValue = transaction.object(forKey: recipientId, inCollection: kUnidentifiedAccessCollection) as? Int else {
return defaultValue
}
guard let existingValue = UnidentifiedAccessMode(rawValue: existingRawValue) else {
owsFailDebug("Couldn't parse mode value.")
return defaultValue
}
return existingValue
}
@objc
public func unidentifiedAccessMode(forRecipientId recipientId: String) -> UnidentifiedAccessMode {
var isLocalNumber = false
if let localNumber = tsAccountManager.localNumber() {
isLocalNumber = recipientId == localNumber
}
var mode: UnidentifiedAccessMode = .unknown
dbConnection.read { (transaction) in
mode = self.unidentifiedAccessMode(forRecipientId: recipientId, isLocalNumber: isLocalNumber, transaction: transaction)
}
return mode
}
@objc
public func setUnidentifiedAccessMode(_ mode: UnidentifiedAccessMode, recipientId: String) {
var isLocalNumber = false
if let localNumber = tsAccountManager.localNumber() {
if recipientId == localNumber {
Logger.info("Setting local UD access mode: \(string(forUnidentifiedAccessMode: mode))")
isLocalNumber = true
}
}
Storage.writeSync { (transaction) in
let oldMode = self.unidentifiedAccessMode(forRecipientId: recipientId, isLocalNumber: isLocalNumber, transaction: transaction)
transaction.setObject(mode.rawValue as Int, forKey: recipientId, inCollection: self.kUnidentifiedAccessCollection)
if mode != oldMode {
Logger.info("Setting UD access mode for \(recipientId): \(string(forUnidentifiedAccessMode: oldMode)) -> \(string(forUnidentifiedAccessMode: mode))")
}
}
}
// Returns the UD access key for a given recipient
// if we have a valid profile key for them.
@objc
public func udAccessKey(forRecipientId recipientId: String) -> SMKUDAccessKey? {
guard let profileKey = profileManager.profileKeyData(forRecipientId: recipientId) else {
// Mark as "not a UD recipient".
return nil
}
do {
let udAccessKey = try SMKUDAccessKey(profileKey: profileKey)
return udAccessKey
} catch {
Logger.error("Could not determine udAccessKey: \(error)")
return nil
}
}
// Returns the UD access key for sending to a given recipient.
@objc
public func udAccess(forRecipientId recipientId: String,
requireSyncAccess: Bool) -> OWSUDAccess? {
if requireSyncAccess {
guard let localNumber = tsAccountManager.localNumber() else {
if isUDVerboseLoggingEnabled() {
Logger.info("UD disabled for \(recipientId), no local number.")
}
owsFailDebug("Missing local number.")
return nil
}
if localNumber != recipientId {
let selfAccessMode = unidentifiedAccessMode(forRecipientId: localNumber)
guard selfAccessMode != .disabled else {
if isUDVerboseLoggingEnabled() {
Logger.info("UD disabled for \(recipientId), UD disabled for sync messages.")
}
return nil
}
}
}
let accessMode = unidentifiedAccessMode(forRecipientId: recipientId)
switch accessMode {
case .unrestricted:
// Unrestricted users should use a random key.
if isUDVerboseLoggingEnabled() {
Logger.info("UD enabled for \(recipientId) with random key.")
}
let udAccessKey = randomUDAccessKey()
return OWSUDAccess(udAccessKey: udAccessKey, udAccessMode: accessMode, isRandomKey: true)
case .unknown:
// Unknown users should use a derived key if possible,
// and otherwise use a random key.
if let udAccessKey = udAccessKey(forRecipientId: recipientId) {
if isUDVerboseLoggingEnabled() {
Logger.info("UD unknown for \(recipientId); trying derived key.")
}
return OWSUDAccess(udAccessKey: udAccessKey, udAccessMode: accessMode, isRandomKey: false)
} else {
if isUDVerboseLoggingEnabled() {
Logger.info("UD unknown for \(recipientId); trying random key.")
}
let udAccessKey = randomUDAccessKey()
return OWSUDAccess(udAccessKey: udAccessKey, udAccessMode: accessMode, isRandomKey: true)
}
case .enabled:
guard let udAccessKey = udAccessKey(forRecipientId: recipientId) else {
if isUDVerboseLoggingEnabled() {
Logger.info("UD disabled for \(recipientId), no profile key for this recipient.")
}
if (!CurrentAppContext().isRunningTests) {
owsFailDebug("Couldn't find profile key for UD-enabled user.")
}
return nil
}
if isUDVerboseLoggingEnabled() {
Logger.info("UD enabled for \(recipientId).")
}
return OWSUDAccess(udAccessKey: udAccessKey, udAccessMode: accessMode, isRandomKey: false)
case .disabled:
if isUDVerboseLoggingEnabled() {
Logger.info("UD disabled for \(recipientId), UD not enabled for this recipient.")
}
return nil
}
}
// MARK: - Sender Certificate
#if DEBUG
@objc
public func hasSenderCertificate() -> Bool {
return senderCertificate(certificateExpirationPolicy: .permissive) != nil
}
#endif
private func senderCertificate(certificateExpirationPolicy: OWSUDCertificateExpirationPolicy) -> SMKSenderCertificate? {
if certificateExpirationPolicy == .strict {
guard let certificateDate = dbConnection.object(forKey: senderCertificateDateKey(), inCollection: kUDCollection) as? Date else {
return nil
}
guard certificateDate.timeIntervalSinceNow < kDayInterval else {
// Discard certificates that we obtained more than 24 hours ago.
return nil
}
}
guard let certificateData = dbConnection.object(forKey: senderCertificateKey(), inCollection: kUDCollection) as? Data else {
return nil
}
do {
let certificate = try SMKSenderCertificate.parse(data: certificateData)
guard isValidCertificate(certificate) else {
Logger.warn("Current sender certificate is not valid.")
return nil
}
return certificate
} catch {
owsFailDebug("Certificate could not be parsed: \(error)")
return nil
}
}
func setSenderCertificate(_ certificateData: Data) {
dbConnection.setObject(Date(), forKey: senderCertificateDateKey(), inCollection: kUDCollection)
dbConnection.setObject(certificateData, forKey: senderCertificateKey(), inCollection: kUDCollection)
}
private func senderCertificateKey() -> String {
return IsUsingProductionService() ? kUDCurrentSenderCertificateKey_Production : kUDCurrentSenderCertificateKey_Staging
}
private func senderCertificateDateKey() -> String {
return IsUsingProductionService() ? kUDCurrentSenderCertificateDateKey_Production : kUDCurrentSenderCertificateDateKey_Staging
}
@objc
public func ensureSenderCertificate(success:@escaping (SMKSenderCertificate) -> Void,
failure:@escaping (Error) -> Void) {
return ensureSenderCertificate(certificateExpirationPolicy: .permissive,
success: success,
failure: failure)
}
private func ensureSenderCertificate(certificateExpirationPolicy: OWSUDCertificateExpirationPolicy,
success:@escaping (SMKSenderCertificate) -> Void,
failure:@escaping (Error) -> Void) {
firstly {
ensureSenderCertificate(certificateExpirationPolicy: certificateExpirationPolicy)
}.map { certificate in
success(certificate)
}.catch { error in
failure(error)
}.retainUntilComplete()
}
public func ensureSenderCertificate(certificateExpirationPolicy: OWSUDCertificateExpirationPolicy) -> Promise<SMKSenderCertificate> {
// Try to obtain a new sender certificate.
return firstly {
generateSenderCertificate()
}.map { (certificateData: Data, certificate: SMKSenderCertificate) in
// Cache the current sender certificate.
self.setSenderCertificate(certificateData)
return certificate
}
}
private func generateSenderCertificate() -> Promise<(certificateData: Data, certificate: SMKSenderCertificate)> {
return Promise<(certificateData: Data, certificate: SMKSenderCertificate)> { seal in
// Loki: Generate a sender certificate locally
let sender = OWSIdentityManager.shared().identityKeyPair()!.hexEncodedPublicKey
let certificate = SMKSenderCertificate(senderDeviceId: 1, senderRecipientId: sender)
let certificateAsData = try certificate.serialized()
guard isValidCertificate(certificate) else {
throw OWSUDError.invalidData(description: "Invalid sender certificate.")
}
seal.fulfill((certificateData: certificateAsData, certificate: certificate))
}
}
@objc
public func getSenderCertificate() -> SMKSenderCertificate? {
do {
let sender = OWSIdentityManager.shared().identityKeyPair()!.hexEncodedPublicKey
let certificate = SMKSenderCertificate(senderDeviceId: 1, senderRecipientId: sender)
guard self.isValidCertificate(certificate) else {
throw OWSUDError.invalidData(description: "Invalid sender certificate returned by server")
}
return certificate
} catch {
SNLog("Couldn't get UD sender certificate due to error: \(error).")
return nil
}
}
private func isValidCertificate(_ certificate: SMKSenderCertificate) -> Bool {
// Ensure that the certificate will not expire in the next hour.
// We want a threshold long enough to ensure that any outgoing message
// sends will complete before the expiration.
let nowMs = NSDate.ows_millisecondTimeStamp()
let anHourFromNowMs = nowMs + kHourInMs
do {
try certificateValidator.throwswrapped_validate(senderCertificate: certificate, validationTime: anHourFromNowMs)
return true
} catch {
OWSLogger.error("Invalid certificate")
return false
}
}
@objc
public func trustRoot() -> ECPublicKey {
return OWSUDManagerImpl.trustRoot()
}
@objc
public class func trustRoot() -> ECPublicKey {
guard let trustRootData = NSData(fromBase64String: kUDTrustRoot) else {
// This exits.
owsFail("Invalid trust root data.")
}
do {
return try ECPublicKey(serializedKeyData: trustRootData as Data)
} catch {
// This exits.
owsFail("Invalid trust root.")
}
}
// MARK: - Unrestricted Access
@objc
public func shouldAllowUnrestrictedAccessLocal() -> Bool {
return dbConnection.bool(forKey: kUDUnrestrictedAccessKey, inCollection: kUDCollection, defaultValue: false)
}
@objc
public func setShouldAllowUnrestrictedAccessLocal(_ value: Bool) {
dbConnection.setBool(value, forKey: kUDUnrestrictedAccessKey, inCollection: kUDCollection)
// Try to update the account attributes to reflect this change.
tsAccountManager.updateAccountAttributes().retainUntilComplete()
}
}
Reference in New Issue View Git Blame Copy Permalink