Implement PII Stripper, part 2

Implement EncodedBuffer that strips PII based on the given privacy request.
The reason to implement another buffer is that the length-delimited field's
size could change when its submessage gets stripped. It also intends to
keep the original data around for other requests to consume it.

In addition, the section implementation has adapted EncodedBuffer so
writing out to each request's fd could be request-specific. The next step
is to allow requests to set their privacy spec.

Notice the current design sets the privacy spec of dropbox to AUTOMATIC;
this behavior might change in the future.

Bug: 64687253
Test: unit tests are written, see README.md for how to run unit tests.
Change-Id: I7ac236b8265ba9289dc6e17a8a5bf7f67ffb6bf5
diff --git a/cmds/incidentd/src/Privacy.h b/cmds/incidentd/src/Privacy.h
new file mode 100644
index 0000000..53b0325
--- /dev/null
+++ b/cmds/incidentd/src/Privacy.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PRIVACY_H
+#define PRIVACY_H
+
+#include <stdint.h>
+
+// This is the default value of DEST enum
+const uint8_t DEST_DEFAULT_VALUE = 1;
+
+/*
+ * In order not to depend on libprotobuf-cpp-full nor libplatformprotos in incidentd,
+ * privacy options's data structure are explicitly redefined in this file.
+ */
+struct Privacy {
+    uint32_t field_id;
+    uint8_t type;
+    // ignore parent's privacy flags if children are set, NULL-terminated
+    const Privacy** children;
+
+    // the following fields are identitical to
+    // frameworks/base/libs/incident/proto/android/privacy.proto
+    uint8_t dest;
+    const char** patterns; // only set when type is string
+
+    Privacy(uint32_t field_id, uint8_t type, uint8_t dest); // generic constructor
+    Privacy(uint32_t field_id, const Privacy** children); // used for message type
+    Privacy(uint32_t field_id, uint8_t dest, const char** patterns); // used for string type
+
+    bool IsMessageType() const;
+    bool IsStringType() const;
+    bool HasChildren() const;
+    const Privacy* lookup(uint32_t fieldId) const;
+};
+
+/**
+ * PrivacySpec defines the request has what level of privacy authorization.
+ * For example, a device without user consent should only be able to upload AUTOMATIC fields.
+ */
+class PrivacySpec {
+public:
+    const uint8_t dest;
+
+    PrivacySpec() : dest(DEST_DEFAULT_VALUE) {}
+    PrivacySpec(uint8_t dest) : dest(dest) {}
+
+    bool CheckPremission(const Privacy* privacy) const;
+    bool RequireAll() const;
+};
+
+PrivacySpec get_default_dropbox_spec();
+
+#endif // PRIVACY_H
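Review bot: the public method name `CheckPremission` in `PrivacySpec` is misspelled and will be painful to rename once callers exist; suggest `CheckPermission` now. Related points in the same hunk: `DEST_DEFAULT_VALUE = 1` is commented as "the default value of DEST enum", but nothing here says which `privacy.proto` destination value 1 mirrors, and since this header deliberately redefines the proto structures to avoid the libprotobuf dependency, a comment listing the mirrored enum values (and the ordering that `CheckPremission` and `RequireAll` rely on) would keep the two copies from drifting apart silently; `patterns` is documented as "only set when type is string" but, unlike `children`, not as NULL-terminated, so state its termination rule, because the stripping code will have to iterate it; and `PrivacySpec(uint8_t dest) : dest(dest) {}` is a single-argument constructor that permits implicit conversion from any integer, so mark it `explicit` to avoid a stray int becoming a privacy spec.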