1 /*
2  * Copyright (C) 2017 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef KEYSTORE_GRANT_STORE_H_
18 #define KEYSTORE_GRANT_STORE_H_
19 
20 #include <set>
21 #include <string>
22 #include <unordered_map>
23 
24 namespace keystore {
25 
/**
 * Grant represents a mapping from an alias to a key file.
 * Normally, key file names are derived from the alias chosen by the client
 * and the client's UID, to generate a per-client name space.
 * Grants allow associating a key file with a new name, thereby making
 * it visible in another client's - the grantee's - name space.
 */
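class Grant {
public:
    /**
     * Builds a grant record. The constructor is defined outside this header;
     * the arguments are presumably stored in the same-named members below.
     *
     * @param alias          original/wrapped key alias
     * @param owner_dir_name key owner key directory
     * @param owner_uid      key owner uid
     * @param grant_no       numeric grant identifier
     *
     * NOTE(review): uid_t and uint64_t are not guaranteed to be declared by
     * <set>, <string> or <unordered_map>; this header presumably relies on a
     * transitive include - confirm.
     */
    Grant(const std::string& alias, const std::string& owner_dir_name, const uid_t owner_uid,
          const uint64_t grant_no);

    // The following three fields are used to recover the key filename that the grant refers to.
    std::string alias_;            ///< original/wrapped key alias
    std::string owner_dir_name_;   ///< key owner key directory
    uid_t owner_uid_;              ///< key owner uid

    // NOTE(review): this header only says the number is randomly assigned. How it is
    // generated and how collisions are handled is decided in the implementation file.
    uint64_t grant_no_;            ///< numeric grant identifier - randomly assigned

    /**
     * Implicit conversion to the grant number.
     *
     * GrantStore keeps grants in std::set<Grant, std::less<>>; with no operator<
     * declared on Grant, comparisons go through this conversion, so ordering and
     * uniqueness inside one grantee's set are decided by grant_no_ alone. The
     * alias and owner fields take no part in the comparison.
     *
     * NOTE(review): because the conversion is implicit, a Grant also converts
     * silently wherever a uint64_t is accepted. Making it explicit would require
     * a dedicated comparator on the container.
     */
    operator const uint64_t&() const { return grant_no_; }
};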
46 
/**
 * The GrantStore holds a set of sets of Grants, one set of Grants for each grantee.
 * The uid parameter of each GrantStore function determines the grantee's
 * name space. The methods put, get, and removeByFileAlias create, look up, and
 * remove a Grant, respectively.
 * put also returns a new alias for the newly granted key, which has to be returned
 * to the granter. The grantee, and only the grantee, can use the granted key
 * by this new alias.
 */
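class GrantStore {
public:
    /// Creates a store that holds no grants.
    GrantStore() : grants_() {}

    // NOTE(review): every uid argument below is taken as given. Nothing in this
    // interface ties it to the calling client, so that binding has to be
    // established by the caller before these methods are invoked.
    // NOTE(review): no locking is visible in this header; whether concurrent
    // callers are serialized elsewhere has to be confirmed in the implementation.

    /**
     * Creates a grant in the name space of grantee `uid`.
     *
     * @param uid            grantee whose name space receives the grant
     * @param alias          alias of the key being granted
     * @param owner_dir_name key owner key directory
     * @param owner_uid      key owner uid
     * @return the new alias for the granted key, to be handed back to the granter
     */
    std::string put(const uid_t uid, const std::string& alias, const std::string& owner_dir_name,
                    const uid_t owner_uid);

    /**
     * Looks up a grant by alias in the name space of grantee `uid`.
     *
     * NOTE(review): the result is a raw pointer. It is presumably nullptr when no
     * grant matches and otherwise refers to an element owned by this store, in
     * which case it must not be used after that grant is removed - confirm
     * against the implementation.
     */
    const Grant* get(const uid_t uid, const std::string& alias) const;

    /**
     * Removes a grant given the grantee, the granter and the key alias.
     * NOTE(review): the bool presumably reports whether a grant was removed - confirm.
     */
    bool removeByFileAlias(const uid_t granteeUid, const uid_t granterUid, const std::string& alias);

    /// Removes every grant, for any grantee, that refers to the granter's key `alias`
    /// (as the method name states; the definition is outside this header).
    void removeAllGrantsToKey(const uid_t granterUid, const std::string& alias);

    /// Removes every grant held in the name space of `granteeUid`
    /// (as the method name states; the definition is outside this header).
    void removeAllGrantsToUid(const uid_t granteeUid);

    // GrantStore is neither copyable nor movable: declaring the copy operations
    // suppresses the implicit move operations, and the copies are deleted.
    GrantStore(const GrantStore&) = delete;
    GrantStore& operator=(const GrantStore&) = delete;

private:
    // One set of grants per uid key. std::less<> is the transparent comparator and
    // Grant converts to its grant number, so each set is ordered by grant number.
    std::unordered_map<uid_t, std::set<Grant, std::less<>>> grants_;
};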
72 
73 }  // namespace keystore
74 
75 #endif  // KEYSTORE_GRANT_STORE_H_
76