/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#ifndef KEYSTORE_GRANT_STORE_H_
#define KEYSTORE_GRANT_STORE_H_
#include <mutex>
#include <set>
#include <shared_mutex>
#include <string>
#include <unordered_map>
#include <keystore/keystore_concurrency.h>
#include "blob.h"
namespace keystore {
class Grant;

/// Read-only handle to a Grant: a ProxyLock over a `const Grant` whose lock
/// helper is parameterised with std::shared_mutex and std::shared_lock.
/// NOTE(review): presumably the handle keeps a shared (reader) lock for as long
/// as it lives - confirm against keystore/keystore_concurrency.h.
using ReadLockedGrant =
    ProxyLock<MutexProxyLockHelper<const Grant, std::shared_mutex, std::shared_lock>>;
/**
 * A Grant maps an alias to a key file.
 *
 * Key file names are normally derived from the alias chosen by the client and
 * the client's UID, which gives every client its own name space. A Grant
 * associates an existing key file with a new name, thereby making the key
 * visible in another client's - the grantee's - name space.
 */
class Grant {
  public:
    /// Creates a grant from a key blob entry and a grant number.
    /// The definition is not part of this header; presumably the two arguments
    /// initialise entry_ and grant_no_ - confirm in the implementation.
    Grant(const KeyBlobEntry& entry, const uint64_t grant_no);

    /// Key blob entry (the key file) that this grant refers to.
    KeyBlobEntry entry_;

    /// Numeric grant identifier - randomly assigned.
    /// NOTE(review): the generator is not visible in this header; confirm in the
    /// implementation which random source is used and how collisions between
    /// grant numbers are handled.
    uint64_t grant_no_;

    /// Exposes the grant number by const reference. The conversion is left
    /// implicit on purpose (hence the lint suppression below). GrantStore keeps
    /// its grants in a std::set<Grant, std::less<>>, so this presumably lets
    /// grants be ordered and looked up by grant number - confirm in the
    /// implementation.
    // NOLINTNEXTLINE(google-explicit-constructor)
    operator const uint64_t&() const { return grant_no_; }
};
/**
 * The GrantStore keeps, for each grantee, the set of Grants issued to that
 * grantee.
 *
 * The uid / granteeUid parameter of a GrantStore function selects the grantee's
 * name space; removeAllGrantsToKey takes the granter's uid instead. put creates
 * a Grant, get looks one up, and removeByFileAlias, removeAllGrantsToKey and
 * removeAllGrantsToUid remove Grants.
 * put also returns a new alias for the newly granted key, which has to be
 * returned to the granter. The grantee, and only the grantee, can use the
 * granted key by this new alias.
 *
 * NOTE(review): the uid argument is what separates one grantee from another,
 * so callers are expected to pass the caller's verified uid rather than a
 * value taken from the request - confirm at the call sites.
 */
class GrantStore {
  public:
    /// Creates an empty store.
    GrantStore() : grants_() {}

    /// Creates a grant on `blobfile` in the name space of grantee `uid` and
    /// returns the new alias under which the grantee can use the key.
    std::string put(const uid_t uid, const LockedKeyBlobEntry& blobfile);

    /// Looks up the grant named `alias` in the name space of grantee `uid`.
    /// What is returned when no grant matches is decided by the implementation,
    /// which is not part of this header.
    /// NOTE(review): if the returned handle holds a shared lock on the store,
    /// a caller that keeps it alive while invoking one of the modifying
    /// functions would wait on its own lock - confirm against the implementation.
    ReadLockedGrant get(const uid_t uid, const std::string& alias) const;

    /// Removes the grant that `granteeUid` holds on `lockedEntry`.
    /// Presumably returns whether a grant was removed - confirm in the
    /// implementation.
    bool removeByFileAlias(const uid_t granteeUid, const LockedKeyBlobEntry& lockedEntry);

    /// Removes all grants on the key `alias` of `granterUid`, going by the
    /// function name; the definition is not part of this header.
    void removeAllGrantsToKey(const uid_t granterUid, const std::string& alias);

    /// Removes all grants issued to `granteeUid`, going by the function name;
    /// the definition is not part of this header.
    void removeAllGrantsToUid(const uid_t granteeUid);

    // GrantStore is neither copyable nor movable: declaring the copy operations
    // as deleted also keeps the compiler from generating move operations.
    GrantStore(const GrantStore&) = delete;
    GrantStore& operator=(const GrantStore&) = delete;

  private:
    /// Grants per grantee uid. std::less<> is the transparent comparator, so
    /// the ordering goes through whatever `<` resolves to for Grant.
    std::unordered_map<uid_t, std::set<Grant, std::less<>>> grants_;

    /// Mutable so that const member functions such as get() can lock it.
    /// Presumably guards grants_ - confirm in the implementation.
    mutable std::shared_mutex mutex_;
};
} // namespace keystore
#endif // KEYSTORE_GRANT_STORE_H_