SecDbQuery.h
1 /* 2 * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 /*! 25 @header SecDbQuery.h - The thing that does the stuff with the gibli. 26 */ 27 28 #ifndef _SECURITYD_SECDBQUERY_H_ 29 #define _SECURITYD_SECDBQUERY_H_ 30 31 #include "keychain/securityd/SecKeybagSupport.h" 32 #include "keychain/securityd/SecDbItem.h" 33 #include "ipc/securityd_client.h" // be able to create queries which restrict API 34 35 __BEGIN_DECLS 36 37 typedef struct Pair *SecDbPairRef; 38 typedef struct Query *SecDbQueryRef; 39 40 /* Return types. */ 41 typedef uint32_t ReturnTypeMask; 42 enum 43 { 44 kSecReturnDataMask = 1 << 0, 45 kSecReturnAttributesMask = 1 << 1, 46 kSecReturnRefMask = 1 << 2, 47 kSecReturnPersistentRefMask = 1 << 3, 48 }; 49 50 /* Constant indicating there is no limit to the number of results to return. */ 51 enum 52 { 53 kSecMatchUnlimited = kCFNotFound 54 }; 55 56 typedef struct Pair 57 { 58 const void *key; 59 const void *value; 60 } Pair; 61 62 /* Nothing in this struct is retained since all the 63 values below are extracted from the dictionary passed in by the 64 caller. */ 65 typedef struct Query 66 { 67 /* Class of this query. */ 68 const SecDbClass *q_class; 69 70 /* Dictionary with all attributes and values in clear (to be encrypted). */ 71 CFMutableDictionaryRef q_item; 72 73 /* q_pairs is an array of Pair structs. Elements with indices 74 [0, q_attr_end) contain attribute key value pairs. Elements with 75 indices [q_match_begin, q_match_end) contain match key value pairs. 76 Thus q_attr_end is the number of attrs in q_pairs and 77 q_match_begin - q_match_end is the number of matches in q_pairs. */ 78 CFIndex q_match_begin; 79 CFIndex q_match_end; 80 CFIndex q_attr_end; 81 82 CFErrorRef q_error; 83 ReturnTypeMask q_return_type; 84 85 CFDataRef q_data; 86 CFTypeRef q_ref; 87 sqlite_int64 q_row_id; 88 89 CFArrayRef q_use_item_list; 90 CFBooleanRef q_use_tomb; 91 92 /* Value of kSecMatchLimit key if present. */ 93 CFIndex q_limit; 94 95 /* True if query contained a kSecAttrSynchronizable attribute, 96 * regardless of its actual value. If this is false, then we 97 * will add an explicit sync=0 to the query. */ 98 bool q_sync; 99 100 // Set to true if we modified any item as part of executing this query 101 bool q_changed; 102 103 // Set to true if we modified any synchronizable item as part of executing this query 104 bool q_sync_changed; 105 106 /* Keybag handle to use for this item. */ 107 keybag_handle_t q_keybag; 108 109 /* musr view to use when modifying the database */ 110 CFDataRef q_musrView; 111 112 /* ACL and credHandle passed to the query. q_cred_handle contain LA context object. */ 113 SecAccessControlRef q_access_control; 114 CFDataRef q_use_cred_handle; 115 116 // Flag indicating that ui-protected items should be simply skipped 117 // instead of reporting them to the client as an error. 118 bool q_skip_acl_items; 119 120 // Some queries (e.g. backups) explicitly do not want to deal with clip-created items 121 bool q_skip_app_clip_items; 122 123 // Set to true if any UUIDs generated by this query should be generated from the SHA2 digest of the item in question 124 bool q_uuid_from_primary_key; 125 126 // Set to true if you'd like any Tombstones created by this query to have an mdat that is one second after the non-tombstone's mdat. 127 // This is used if you're deleting an item, but are unsure when the item deletion occurred (e.g., you receive an item delete via CloudKit). 128 bool q_tombstone_use_mdat_from_item; 129 130 // Set this to a callback that, on an add query, will get passed along with the CKKS subsystem and called when the item makes it off-device (or doesn't) 131 __unsafe_unretained SecBoolCFErrorCallback q_add_sync_callback; 132 133 // SHA1 digest of DER encoded primary key 134 CFDataRef q_primary_key_digest; 135 136 CFArrayRef q_match_issuer; 137 138 /* Caller acces groups for AKS */ 139 CFArrayRef q_caller_access_groups; 140 bool q_system_keychain; 141 int32_t q_sync_bubble; 142 bool q_spindump_on_failure; 143 144 //policy for filtering certs and identities 145 SecPolicyRef q_match_policy; 146 //date for filtering certs and identities 147 CFDateRef q_match_valid_on_date; 148 //trusted only certs and identities 149 CFBooleanRef q_match_trusted_only; 150 //token persistent reference for filtering items is represented by token ID (in attrs) and token object ID 151 CFDataRef q_token_object_id; 152 153 CFIndex q_pairs_count; 154 Pair q_pairs[]; 155 } Query; 156 157 Query *query_create(const SecDbClass *qclass, CFDataRef musr, CFDictionaryRef query, SecurityClient* client, CFErrorRef *error); 158 bool query_destroy(Query *q, CFErrorRef *error); 159 bool query_error(Query *q, CFErrorRef *error); 160 Query *query_create_with_limit(CFDictionaryRef query, CFDataRef musr, CFIndex limit, SecurityClient* client, CFErrorRef *error); 161 void query_add_attribute(const void *key, const void *value, Query *q); 162 void query_add_or_attribute(const void *key, const void *value, Query *q); 163 void query_add_not_attribute(const void *key, const void *value, Query *q); 164 void query_add_attribute_with_desc(const SecDbAttr *desc, const void *value, Query *q); 165 void query_ensure_access_control(Query *q, CFStringRef agrp); 166 void query_pre_add(Query *q, bool force_date); 167 bool query_notify_and_destroy(Query *q, bool ok, CFErrorRef *error); 168 CFIndex query_match_count(const Query *q); 169 CFIndex query_attr_count(const Query *q); 170 Pair query_attr_at(const Query *q, CFIndex ix); 171 bool query_update_parse(Query *q, CFDictionaryRef update, CFErrorRef *error); 172 const SecDbClass *kc_class_with_name(CFStringRef name); 173 void query_set_caller_access_groups(Query *q, CFArrayRef caller_access_groups); 174 void query_set_policy(Query *q, SecPolicyRef policy); 175 void query_set_valid_on_date(Query *q, CFDateRef policy); 176 void query_set_trusted_only(Query *q, CFBooleanRef trusted_only); 177 178 CFDataRef 179 SecMUSRCopySystemKeychainUUID(void); 180 181 CFDataRef 182 SecMUSRGetSystemKeychainUUID(void); 183 184 CFDataRef 185 SecMUSRGetSingleUserKeychainUUID(void); 186 187 bool 188 SecMUSRIsSingleUserView(CFDataRef uuid); 189 190 CFDataRef 191 SecMUSRGetAllViews(void); 192 193 bool 194 SecMUSRIsViewAllViews(CFDataRef musr); 195 196 #if TARGET_OS_IPHONE 197 CFDataRef 198 SecMUSRCreateActiveUserUUID(uid_t uid); 199 200 CFDataRef 201 SecMUSRCreateSyncBubbleUserUUID(uid_t uid); 202 203 CFDataRef 204 SecMUSRCreateBothUserAndSystemUUID(uid_t uid); 205 206 bool 207 SecMUSRGetBothUserAndSystemUUID(CFDataRef musr, uid_t *uid); 208 209 #endif 210 211 212 __END_DECLS 213 214 #endif /* _SECURITYD_SECDBQUERY_H_ */