1 /*
2  * Copyright (C) 2017 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef KEYSTORE_GRANT_STORE_H_
18 #define KEYSTORE_GRANT_STORE_H_
19 
20 #include <mutex>
21 #include <set>
22 #include <shared_mutex>
23 #include <string>
24 #include <unordered_map>
25 
26 #include <keystore/keystore_concurrency.h>
27 
28 #include "blob.h"
29 
30 namespace keystore {
31 
class Grant;

/**
 * Handle type returned by GrantStore::get; it gives access to a const Grant.
 *
 * NOTE(review): ProxyLock and MutexProxyLockHelper are not defined in this
 * file (presumably in <keystore/keystore_concurrency.h>). Going by the template
 * arguments, the handle presumably keeps a std::shared_lock on a
 * std::shared_mutex for as long as it lives. If so, it should be short lived
 * and must not be held across a call that modifies the GrantStore - confirm
 * against the helper's definition.
 */
using ReadLockedGrant = ProxyLock<
    MutexProxyLockHelper<const Grant, std::shared_mutex, std::shared_lock>>;
36 
/**
 * A Grant maps an alias to a key file.
 *
 * Key file names are normally derived from the alias chosen by the client and
 * from the client's UID, which yields one name space per client. A Grant
 * associates a key file with a new name and thereby makes it visible in the
 * name space of another client, the grantee.
 */
class Grant {
  public:
    Grant(const KeyBlobEntry& entry, uint64_t grant_no);

    /**
     * Implicit conversion to the grant number.
     *
     * Grant declares no comparison operators of its own, so this conversion is
     * what lets std::set<Grant, std::less<>> (the container used by GrantStore)
     * order its elements, and compare them with a plain uint64_t, by grant
     * number.
     */
    // NOLINTNEXTLINE(google-explicit-constructor)
    operator const uint64_t&() const { return grant_no_; }

    KeyBlobEntry entry_;  ///< key blob entry (key file) this grant refers to

    /**
     * Numeric grant identifier - randomly assigned.
     *
     * This is the ordering key of the set a Grant is stored in, so it must not
     * change while the Grant is a member of that set.
     *
     * NOTE(review): "randomly assigned" does not say where the randomness comes
     * from. If the number is meant to be hard to guess, confirm in the
     * implementation that it is drawn from a cryptographically secure source.
     */
    uint64_t grant_no_;
};
54 
/**
 * The GrantStore holds a set of sets of Grants, one set of Grants per grantee.
 *
 * The uid / granteeUid parameter of put, get, removeByFileAlias and
 * removeAllGrantsToUid selects the grantee's name space; removeAllGrantsToKey
 * takes the granter's uid instead. put creates a Grant, get looks one up, and
 * the remove* functions remove Grants.
 *
 * put also returns a new alias for the newly granted key, which has to be
 * returned to the granter. The grantee, and only the grantee, can use the
 * granted key by this new alias.
 *
 * NOTE(review): that guarantee rests entirely on the uid arguments. Nothing in
 * this interface authenticates them, so callers have to pass the verified
 * identity of the calling process and never a value taken from the request
 * itself - confirm at the call sites.
 */
class GrantStore {
  public:
    GrantStore() = default;

    // GrantStore is neither copyable nor movable: declaring the copy operations
    // as deleted also suppresses the implicit move operations.
    GrantStore(const GrantStore&) = delete;
    GrantStore& operator=(const GrantStore&) = delete;

    /**
     * Creates a grant for the key in blobfile in the name space of grantee uid.
     * @return the new alias of the granted key, to be handed back to the granter.
     */
    std::string put(uid_t uid, const LockedKeyBlobEntry& blobfile);

    /**
     * Looks up the grant named alias in the name space of grantee uid.
     * @return a ReadLockedGrant handle. What it holds when no grant matches is
     *         not visible in this header - check the implementation before
     *         dereferencing the result.
     */
    ReadLockedGrant get(uid_t uid, const std::string& alias) const;

    /**
     * Removes the grant that gives granteeUid access to the key in lockedEntry.
     * @return presumably true if a grant was removed - confirm in the
     *         implementation.
     */
    bool removeByFileAlias(uid_t granteeUid, const LockedKeyBlobEntry& lockedEntry);

    /**
     * Removes the grants to the key that granterUid holds under alias.
     * NOTE(review): judging by the name this covers every grantee; confirm that
     * it is called whenever the key is deleted, so that no grant outlives it.
     */
    void removeAllGrantsToKey(uid_t granterUid, const std::string& alias);

    /**
     * Removes the grants given to granteeUid.
     * NOTE(review): presumably needed when a uid is cleared, so that a later
     * reuse of the uid does not inherit old grants - confirm against callers.
     */
    void removeAllGrantsToUid(uid_t granteeUid);

  private:
    /// Grantee uid -> that grantee's Grants, ordered by grant number through
    /// Grant's conversion to uint64_t and the transparent std::less<>.
    std::unordered_map<uid_t, std::set<Grant, std::less<>>> grants_;

    /// Declared mutable so that the const member get() can lock it; presumably
    /// guards grants_ (shared for lookups, exclusive for changes) - confirm.
    mutable std::shared_mutex mutex_;
};
80 
81 }  // namespace keystore
82 
83 #endif  // KEYSTORE_GRANT_STORE_H_
84