keystore/grant_store.h - platform/system/security - Gitiles

 /*
  * Copyright (C) 2017 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #ifndef KEYSTORE_GRANT_STORE_H_
 #define KEYSTORE_GRANT_STORE_H_

 #include <mutex>
 #include <set>
 #include <shared_mutex>
 #include <string>
 #include <unordered_map>

 #include <keystore/keystore_concurrency.h>

 #include "blob.h"

 namespace keystore {

 class Grant;

 using ReadLockedGrant =
     ProxyLock<MutexProxyLockHelper<const Grant, std::shared_mutex, std::shared_lock>>;

 /**
  * Grant represents a mapping from an alias to a key file.
  * Normally, key file names are derived from the alias chosen by the client
  * and the clients UID, to generate a per client name space.
  * Grants allow assotiating a key file with a new name, thereby making
  * it visible in another client's - the grantee's - namespace.
  */
 class Grant {
 public:
   Grant(const KeyBlobEntry& entry, const uint64_t grant_no);
   KeyBlobEntry entry_;

   uint64_t grant_no_;  ///< numeric grant identifier - randomly assigned

   // NOLINTNEXTLINE(google-explicit-constructor)
   operator const uint64_t&() const { return grant_no_; }
 };

 /**
  * The GrantStore holds a set of sets of Grants. One set of Grants for each grantee.
  * The uid parameter to each of the GrantStore function determines the grantee's
  * name space. The methods put, get, and removeByAlias/ByFileName create, lookup, and
  * remove a Grant, respectively.
  * put also returns a new alias for the newly granted key which has to be returned
  * to the granter. The grantee, and only the grantee, can use the granted key
  * by this new alias.
  */
 class GrantStore {
 public:
     GrantStore() : grants_() {}
     std::string put(const uid_t uid, const LockedKeyBlobEntry& blobfile);
     ReadLockedGrant get(const uid_t uid, const std::string& alias) const;
     bool removeByFileAlias(const uid_t granteeUid, const LockedKeyBlobEntry& lockedEntry);
     void removeAllGrantsToKey(const uid_t granterUid, const std::string& alias);
     void removeAllGrantsToUid(const uid_t granteeUid);

     // GrantStore is neither copyable nor movable.
     GrantStore(const GrantStore&) = delete;
     GrantStore& operator=(const GrantStore&) = delete;
 private:
     std::unordered_map<uid_t, std::set<Grant, std::less<>>> grants_;
     mutable std::shared_mutex mutex_;
 };

 }  // namespace keystore

 #endif  // KEYSTORE_GRANT_STORE_H_
	/*
	* Copyright (C) 2017 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#ifndef KEYSTORE_GRANT_STORE_H_
	#define KEYSTORE_GRANT_STORE_H_

	#include <mutex>
	#include <set>
	#include <shared_mutex>
	#include <string>
	#include <unordered_map>

	#include <keystore/keystore_concurrency.h>

	#include "blob.h"

	namespace keystore {

	class Grant;

	using ReadLockedGrant =
	ProxyLock<MutexProxyLockHelper<const Grant, std::shared_mutex, std::shared_lock>>;

	/**
	* Grant represents a mapping from an alias to a key file.
	* Normally, key file names are derived from the alias chosen by the client
	* and the clients UID, to generate a per client name space.
	* Grants allow assotiating a key file with a new name, thereby making
	* it visible in another client's - the grantee's - namespace.
	*/
	class Grant {
	public:
	Grant(const KeyBlobEntry& entry, const uint64_t grant_no);
	KeyBlobEntry entry_;

	uint64_t grant_no_; ///< numeric grant identifier - randomly assigned

	// NOLINTNEXTLINE(google-explicit-constructor)
	operator const uint64_t&() const { return grant_no_; }
	};

	/**
	* The GrantStore holds a set of sets of Grants. One set of Grants for each grantee.
	* The uid parameter to each of the GrantStore function determines the grantee's
	* name space. The methods put, get, and removeByAlias/ByFileName create, lookup, and
	* remove a Grant, respectively.
	* put also returns a new alias for the newly granted key which has to be returned
	* to the granter. The grantee, and only the grantee, can use the granted key
	* by this new alias.
	*/
	class GrantStore {
	public:
	GrantStore() : grants_() {}
	std::string put(const uid_t uid, const LockedKeyBlobEntry& blobfile);
	ReadLockedGrant get(const uid_t uid, const std::string& alias) const;
	bool removeByFileAlias(const uid_t granteeUid, const LockedKeyBlobEntry& lockedEntry);
	void removeAllGrantsToKey(const uid_t granterUid, const std::string& alias);
	void removeAllGrantsToUid(const uid_t granteeUid);

	// GrantStore is neither copyable nor movable.
	GrantStore(const GrantStore&) = delete;
	GrantStore& operator=(const GrantStore&) = delete;
	private:
	std::unordered_map<uid_t, std::set<Grant, std::less<>>> grants_;
	mutable std::shared_mutex mutex_;
	};

	} // namespace keystore

	#endif // KEYSTORE_GRANT_STORE_H_