Rename shasum to identifier in database (#643)

google · Oct 18, 2021 · fa6630a · fa6630a
1 parent 1f2b82f
commit fa6630a
Show file tree

Hide file tree

Showing 13 changed files with 113 additions and 102 deletions.
diff --git a/Fuzzing/santad/src/databaseRuleAddRules.mm b/Fuzzing/santad/src/databaseRuleAddRules.mm
@@ -46,7 +46,7 @@
   SNTRule *newRule = [[SNTRule alloc] init];
   newRule.state = (SNTRuleState)input_data.state;
   newRule.type = (SNTRuleType)input_data.type;
-  newRule.shasum = @(input_data.hash);
+  newRule.identifier = @(input_data.hash);
   newRule.customMsg = @"";
 
   MOLXPCConnection *daemonConn = [SNTXPCControlInterface configuredConnection];
@@ -62,9 +62,9 @@
                    reply:^(NSError *error) {
                      if (!error) {
                        if (newRule.state == SNTRuleStateRemove) {
-                         printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+                         printf("Removed rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
                        } else {
-                         printf("Added rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+                         printf("Added rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
                        }
                      }
                    }];

diff --git a/Source/common/SNTRule.h b/Source/common/SNTRule.h
@@ -24,7 +24,7 @@
 ///
 ///  The hash of the object this rule is for
 ///
-@property(copy) NSString *shasum;
+@property(copy) NSString *identifier;
 
 ///
 ///  The state of this rule
@@ -50,7 +50,7 @@
 ///
 ///  Designated initializer.
 ///
-- (instancetype)initWithShasum:(NSString *)shasum
+- (instancetype)initWithIdentifier:(NSString *)identifier
                          state:(SNTRuleState)state
                           type:(SNTRuleType)type
                      customMsg:(NSString *)customMsg
@@ -59,7 +59,7 @@
 ///
 ///  Initialize with a default timestamp: current time if rule state is transitive, 0 otherwise.
 ///
-- (instancetype)initWithShasum:(NSString *)shasum
+- (instancetype)initWithIdentifier:(NSString *)identifier
                          state:(SNTRuleState)state
                           type:(SNTRuleType)type
                      customMsg:(NSString *)customMsg;

diff --git a/Source/common/SNTRule.m b/Source/common/SNTRule.m
@@ -20,14 +20,14 @@ @interface SNTRule ()
 
 @implementation SNTRule
 
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg
-                     timestamp:(NSUInteger)timestamp {
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg
+                         timestamp:(NSUInteger)timestamp {
   self = [super init];
   if (self) {
-    _shasum = shasum;
+    _identifier = identifier;
     _state = state;
     _type = type;
     _customMsg = customMsg;
@@ -36,11 +36,11 @@ - (instancetype)initWithShasum:(NSString *)shasum
   return self;
 }
 
-- (instancetype)initWithShasum:(NSString *)shasum
-                         state:(SNTRuleState)state
-                          type:(SNTRuleType)type
-                     customMsg:(NSString *)customMsg {
-  self = [self initWithShasum:shasum state:state type:type customMsg:customMsg timestamp:0];
+- (instancetype)initWithIdentifier:(NSString *)identifier
+                             state:(SNTRuleState)state
+                              type:(SNTRuleType)type
+                         customMsg:(NSString *)customMsg {
+  self = [self initWithIdentifier:identifier state:state type:type customMsg:customMsg timestamp:0];
   // Initialize timestamp to current time if rule is transitive.
   if (self && state == SNTRuleStateAllowTransitive) {
     [self resetTimestamp];
@@ -61,7 +61,7 @@ + (BOOL)supportsSecureCoding {
 }
 
 - (void)encodeWithCoder:(NSCoder *)coder {
-  ENCODE(self.shasum, @"shasum");
+  ENCODE(self.identifier, @"identifier");
   ENCODE(@(self.state), @"state");
   ENCODE(@(self.type), @"type");
   ENCODE(self.customMsg, @"custommsg");
@@ -71,7 +71,7 @@ - (void)encodeWithCoder:(NSCoder *)coder {
 - (instancetype)initWithCoder:(NSCoder *)decoder {
   self = [super init];
   if (self) {
-    _shasum = DECODE(NSString, @"shasum");
+    _identifier = DECODE(NSString, @"identifier");
     _state = [DECODE(NSNumber, @"state") intValue];
     _type = [DECODE(NSNumber, @"type") intValue];
     _customMsg = DECODE(NSString, @"custommsg");
@@ -88,22 +88,22 @@ - (BOOL)isEqual:(id)other {
   if (other == self) return YES;
   if (![other isKindOfClass:[SNTRule class]]) return NO;
   SNTRule *o = other;
-  return ([self.shasum isEqual:o.shasum] && self.state == o.state && self.type == o.type);
+  return ([self.identifier isEqual:o.identifier] && self.state == o.state && self.type == o.type);
 }
 
 - (NSUInteger)hash {
   NSUInteger prime = 31;
   NSUInteger result = 1;
-  result = prime * result + [self.shasum hash];
+  result = prime * result + [self.identifier hash];
   result = prime * result + self.state;
   result = prime * result + self.type;
   return result;
 }
 
 - (NSString *)description {
-  return
-    [NSString stringWithFormat:@"SNTRule: SHA-256: %@, State: %ld, Type: %ld, Timestamp: %lu",
-                               self.shasum, self.state, self.type, (unsigned long)self.timestamp];
+  return [NSString
+    stringWithFormat:@"SNTRule: Identifier: %@, State: %ld, Type: %ld, Timestamp: %lu",
+                     self.identifier, self.state, self.type, (unsigned long)self.timestamp];
 }
 
 #pragma mark Last-access Timestamp

diff --git a/Source/santactl/Commands/SNTCommandRule.m b/Source/santactl/Commands/SNTCommandRule.m
@@ -60,10 +60,11 @@ + (NSString *)longHelpText {
           @"                   Will add the hash of the file currently at that path.\n"
           @"                   Does not work with --check. Use the fileinfo verb to check.\n"
           @"                   the rule state of a file.\n"
-          @"    --sha256 {sha256}: hash to add/remove/check\n"
+          @"    --identifier {sha256|teamID}: identifier to add/remove/check\n"
+          @"    --sha256 {sha256}: hash to add/remove/check [deprecated]\n"
           @"\n"
           @"  Optionally:\n"
-          @"    --teamid: add or check a team ID rule instead of binary\n"
+          @"    --teamid {teamid}: add or check a team ID rule instead of binary\n"
           @"    --certificate: add or check a certificate sha256 rule instead of binary\n"
 #ifdef DEBUG
           @"    --force: allow manual changes even when SyncBaseUrl is set\n"
@@ -119,12 +120,17 @@ - (void)runWithArguments:(NSArray *)arguments {
         [self printErrorUsageAndExit:@"--path requires an argument"];
       }
       path = arguments[i];
+    } else if ([arg caseInsensitiveCompare:@"--identifier"] == NSOrderedSame) {
+      if (++i > arguments.count - 1) {
+        [self printErrorUsageAndExit:@"--identifier requires an argument"];
+      }
+      newRule.identifier = arguments[i];
     } else if ([arg caseInsensitiveCompare:@"--sha256"] == NSOrderedSame) {
       if (++i > arguments.count - 1) {
         [self printErrorUsageAndExit:@"--sha256 requires an argument"];
       }
-      newRule.shasum = arguments[i];
-      if (newRule.shasum.length != 64) {
+      newRule.identifier = arguments[i];
+      if (newRule.identifier.length != 64) {
         [self printErrorUsageAndExit:@"--sha256 requires a valid SHA-256 as the argument"];
       }
     } else if ([arg caseInsensitiveCompare:@"--message"] == NSOrderedSame) {
@@ -142,7 +148,7 @@ - (void)runWithArguments:(NSArray *)arguments {
   }
 
   if (check) {
-    if (!newRule.shasum) return [self printErrorUsageAndExit:@"--check requires --sha256"];
+    if (!newRule.identifier) return [self printErrorUsageAndExit:@"--check requires --sha256"];
     return [self printStateOfRule:newRule daemonConnection:self.daemonConn];
   }
 
@@ -153,16 +159,17 @@ - (void)runWithArguments:(NSArray *)arguments {
     }
 
     if (newRule.type == SNTRuleTypeBinary) {
-      newRule.shasum = fi.SHA256;
+      newRule.identifier = fi.SHA256;
     } else if (newRule.type == SNTRuleTypeCertificate) {
       MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
-      newRule.shasum = cs.leafCertificate.SHA256;
+      newRule.identifier = cs.leafCertificate.SHA256;
+    } else if (newRule.type == SNTRuleTypeTeamID) {
     }
   }
 
   if (newRule.state == SNTRuleStateUnknown) {
     [self printErrorUsageAndExit:@"No state specified"];
-  } else if (!newRule.shasum) {
+  } else if (!newRule.identifier) {
     [self printErrorUsageAndExit:@"Either SHA-256 or path to file must be specified"];
   }
 
@@ -177,19 +184,19 @@ - (void)runWithArguments:(NSArray *)arguments {
                        exit(1);
                      } else {
                        if (newRule.state == SNTRuleStateRemove) {
-                         printf("Removed rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+                         printf("Removed rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
                        } else {
-                         printf("Added rule for SHA-256: %s.\n", [newRule.shasum UTF8String]);
+                         printf("Added rule for SHA-256: %s.\n", [newRule.identifier UTF8String]);
                        }
                        exit(0);
                      }
                    }];
 }
 
 - (void)printStateOfRule:(SNTRule *)rule daemonConnection:(MOLXPCConnection *)daemonConn {
-  NSString *fileSHA256 = (rule.type == SNTRuleTypeBinary) ? rule.shasum : nil;
-  NSString *certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.shasum : nil;
-  NSString *teamID = (rule.type == SNTRuleTypeTeamID) ? rule.shasum : nil;
+  NSString *fileSHA256 = (rule.type == SNTRuleTypeBinary) ? rule.identifier : nil;
+  NSString *certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.identifier : nil;
+  NSString *teamID = (rule.type == SNTRuleTypeTeamID) ? rule.identifier : nil;
   dispatch_group_t group = dispatch_group_create();
   dispatch_group_enter(group);
   __block NSMutableString *output;

diff --git a/Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m b/Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m
@@ -136,8 +136,7 @@ - (SNTRule *)ruleFromDictionary:(NSDictionary *)dict {
   if (![dict isKindOfClass:[NSDictionary class]]) return nil;
 
   SNTRule *newRule = [[SNTRule alloc] init];
-  newRule.shasum = dict[kRuleSHA256];
-  if (newRule.shasum.length != 64) return nil;
+  newRule.identifier = dict[kRuleSHA256];
 
   NSString *policyString = dict[kRulePolicy];
   if ([policyString isEqual:kRulePolicyAllowlist] ||
@@ -178,7 +177,7 @@ - (SNTRule *)ruleFromDictionary:(NSDictionary *)dict {
     // it is simply the binary hash.
     NSString *primaryHash = dict[kFileBundleHash];
     if (primaryHash.length != 64) {
-      primaryHash = newRule.shasum;
+      primaryHash = newRule.identifier;
     }
 
     // As we read in rules, we update the "remaining count" information stored in

diff --git a/Source/santactl/Commands/sync/SNTCommandSyncTest.m b/Source/santactl/Commands/sync/SNTCommandSyncTest.m
@@ -407,20 +407,20 @@ - (void)testRuleDownload {
 
   NSArray *rules = @[
     [[SNTRule alloc]
-      initWithShasum:@"ee382e199f7eda58863a93a7854b930ade35798bc6856ee8e6ab6ce9277f0eab"
-               state:SNTRuleStateBlock
-                type:SNTRuleTypeBinary
-           customMsg:@""],
+      initWithIdentifier:@"ee382e199f7eda58863a93a7854b930ade35798bc6856ee8e6ab6ce9277f0eab"
+                   state:SNTRuleStateBlock
+                    type:SNTRuleTypeBinary
+               customMsg:@""],
     [[SNTRule alloc]
-      initWithShasum:@"46f8c706d0533a54554af5fc163eea704f10c08b30f8a5db12bfdc04fb382fc3"
-               state:SNTRuleStateAllow
-                type:SNTRuleTypeCertificate
-           customMsg:@""],
+      initWithIdentifier:@"46f8c706d0533a54554af5fc163eea704f10c08b30f8a5db12bfdc04fb382fc3"
+                   state:SNTRuleStateAllow
+                    type:SNTRuleTypeCertificate
+               customMsg:@""],
     [[SNTRule alloc]
-      initWithShasum:@"7846698e47ef41be80b83fb9e2b98fa6dc46c9188b068bff323c302955a00142"
-               state:SNTRuleStateBlock
-                type:SNTRuleTypeCertificate
-           customMsg:@"Hi There"],
+      initWithIdentifier:@"7846698e47ef41be80b83fb9e2b98fa6dc46c9188b068bff323c302955a00142"
+                   state:SNTRuleStateBlock
+                    type:SNTRuleTypeCertificate
+               customMsg:@"Hi There"],
   ];
 
   OCMVerify([self.daemonConnRop databaseRuleAddRules:rules cleanSlate:NO reply:OCMOCK_ANY]);

diff --git a/Source/santad/BUILD b/Source/santad/BUILD
@@ -243,22 +243,21 @@ santa_unit_test(
 santa_unit_test(
     name = "SNTApplicationBenchmark",
     srcs = [
-        "SNTApplicationBenchmark.m"
+        "SNTApplicationBenchmark.m",
     ],
     data = [
         "//Source/santad/testdata:binaryrules_testdata",
     ],
-
+    minimum_os_version = "10.15",
+    sdk_dylibs = [
+        "EndpointSecurity",
+        "bsm",
+    ],
     deps = [
-        ":santad_lib",
         ":EndpointSecurityTestLib",
+        ":santad_lib",
         "@MOLCodesignChecker",
         "@MOLXPCConnection",
         "@OCMock",
     ],
-    minimum_os_version = "10.15",
-    sdk_dylibs = [
-        "EndpointSecurity",
-        "bsm",
-    ],
 )