      1 /*
      2  * Copyright (C) 2017 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #ifndef KEYSTORE_GRANT_STORE_H_
     18 #define KEYSTORE_GRANT_STORE_H_
     19 
#include <sys/types.h>

#include <cstdint>
#include <set>
#include <string>
#include <unordered_map>
     23 
     24 namespace keystore {
     25 
     26 /**
     27  * Grant represents a mapping from an alias to a key file.
 * Normally, key file names are derived from the alias chosen by the client
 * and the client's UID, to generate a per-client namespace.
 * Grants allow associating a key file with a new name, thereby making
 * it visible in another client's - the grantee's - namespace.
     32  */
class Grant {
public:
    /// Builds a grant that makes the key stored as `alias` in `owner_dir_name`
    /// (owned by `owner_uid`) reachable under the grant number `grant_no`.
    /// Declaration only; the definition is not in this header.
    Grant(const std::string& alias, const std::string& owner_dir_name, const uid_t owner_uid,
          const uint64_t grant_no);
    // The following three fields are used to recover the key filename that the grant refers to.
    std::string alias_;            ///< original/wrapped key alias
    std::string owner_dir_name_;   ///< key owner key directory
    uid_t owner_uid_;              ///< key owner uid

    uint64_t grant_no_;            ///< numeric grant identifier - randomly assigned (by code outside this header)

    /// Implicit conversion to the grant number. GrantStore keeps Grants in a
    /// std::set<Grant, std::less<>>; since Grant declares no operator<, the
    /// transparent comparator orders and de-duplicates elements through this
    /// conversion, so two Grants are "equal" in the set iff their grant_no_
    /// match - alias_/owner_* take no part in set identity, and a colliding
    /// grant number would not be stored as a distinct element. Do not make this
    /// `explicit` without giving Grant its own comparison operators.
    operator const uint64_t&() const { return grant_no_; }
};
     46 
     47 /**
 * The GrantStore holds a set of sets of Grants: one set of Grants for each grantee.
 * The uid parameter to each GrantStore function selects the grantee's
 * namespace. put creates a Grant, get looks one up, and removeByFileAlias,
 * removeAllGrantsToKey and removeAllGrantsToUid remove Grants.
 * put also returns a new alias for the newly granted key, which has to be returned
 * to the granter. The grantee, and only the grantee, can use the granted key
 * by this new alias.
     55  */
class GrantStore {
public:
    GrantStore() : grants_() {}
    /// Records a grant of the key (`alias`, `owner_dir_name`, `owner_uid`) to
    /// grantee `uid` and returns the alias the grantee uses to address it.
    /// NOTE(review): `uid` and `owner_uid` are taken on trust here; the store
    /// performs no authorization of its own, so the caller must pass the
    /// authenticated IPC caller's uid, never a client-supplied value - confirm
    /// against the call sites.
    std::string put(const uid_t uid, const std::string& alias, const std::string& owner_dir_name,
                    const uid_t owner_uid);
    /// Looks up the grant that grantee `uid` knows as `alias`. Presumably
    /// returns nullptr when there is none (definition not in this header).
    /// The pointer presumably refers into grants_; treat it as valid only
    /// until the next removal on this store - TODO confirm with the .cpp.
    const Grant* get(const uid_t uid, const std::string& alias) const;
    /// Removes the grant of `granterUid`'s key `alias` held by `granteeUid`.
    /// The bool presumably reports whether such a grant existed - TODO confirm.
    bool removeByFileAlias(const uid_t granteeUid, const uid_t granterUid, const std::string& alias);
    /// Removes every grant of `granterUid`'s key `alias`, whoever the grantee.
    void removeAllGrantsToKey(const uid_t granterUid, const std::string& alias);
    /// Removes every grant held by grantee `granteeUid`.
    void removeAllGrantsToUid(const uid_t granteeUid);

    // GrantStore is neither copyable nor movable (declaring the copy operations
    // deleted also suppresses the implicit move operations).
    GrantStore(const GrantStore&) = delete;
    GrantStore& operator=(const GrantStore&) = delete;
private:
    // Grantee uid -> that grantee's grants. std::less<> is a transparent
    // comparator: Grant converts to uint64_t, so each set is keyed by grant
    // number alone and can be searched with a bare uint64_t.
    // No synchronization is visible in this header; if several threads reach
    // the store, the caller must serialize access - TODO confirm with the .cpp.
    std::unordered_map<uid_t, std::set<Grant, std::less<>>> grants_;
};
     72 
     73 }  // namespace keystore
     74 
     75 #endif  // KEYSTORE_GRANT_STORE_H_
     76