mirror of
https://github.com/SideStore/SideStore.git
synced 2026-02-10 15:23:27 +01:00
Verifies app updates have same permissions as previously installed versions
This commit is contained in:
Riley Testut
@@ -985,12 +985,18 @@ private extension AppManager
|
||||
|
||||
switch operation
|
||||
{
|
||||
case .install(let app), .update(let app):
|
||||
let installProgress = self._install(app, operation: operation, group: group) { (result) in
|
||||
case .install(let app):
|
||||
let installProgress = self._install(app, operation: operation, group: group, reviewPermissions: .all) { (result) in
|
||||
self.finish(operation, result: result, group: group, progress: progress)
|
||||
}
|
||||
progress?.addChild(installProgress, withPendingUnitCount: 80)
|
||||
|
||||
case .update(let app):
|
||||
let updateProgress = self._install(app, operation: operation, group: group, reviewPermissions: .added) { (result) in
|
||||
self.finish(operation, result: result, group: group, progress: progress)
|
||||
}
|
||||
progress?.addChild(updateProgress, withPendingUnitCount: 80)
|
||||
|
||||
case .activate(let app) where UserDefaults.standard.isLegacyDeactivationSupported: fallthrough
|
||||
case .refresh(let app):
|
||||
// Check if backup app is installed in place of real app.
|
||||
@@ -1075,7 +1081,14 @@ private extension AppManager
|
||||
return group
|
||||
}
|
||||
|
||||
private func _install(_ app: AppProtocol, operation appOperation: AppOperation, group: RefreshGroup, context: InstallAppOperationContext? = nil, additionalEntitlements: [ALTEntitlement: Any]? = nil, cacheApp: Bool = true, completionHandler: @escaping (Result<InstalledApp, Error>) -> Void) -> Progress
|
||||
private func _install(_ app: AppProtocol,
|
||||
operation appOperation: AppOperation,
|
||||
group: RefreshGroup,
|
||||
context: InstallAppOperationContext? = nil,
|
||||
reviewPermissions permissionReviewMode: VerifyAppOperation.PermissionReviewMode = .none,
|
||||
additionalEntitlements: [ALTEntitlement: Any]? = nil,
|
||||
cacheApp: Bool = true,
|
||||
completionHandler: @escaping (Result<InstalledApp, Error>) -> Void) -> Progress
|
||||
{
|
||||
let progress = Progress.discreteProgress(totalUnitCount: 100)
|
||||
|
||||
@@ -1122,11 +1135,6 @@ private extension AppManager
|
||||
{
|
||||
let app = try result.get()
|
||||
context.app = app
|
||||
|
||||
if cacheApp
|
||||
{
|
||||
try FileManager.default.copyItem(at: app.fileURL, to: InstalledApp.fileURL(for: app), shouldReplace: true)
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
@@ -1137,12 +1145,21 @@ private extension AppManager
|
||||
|
||||
|
||||
/* Verify App */
|
||||
let verifyOperation = VerifyAppOperation(context: context)
|
||||
let verifyOperation = VerifyAppOperation(permissionsMode: permissionReviewMode, context: context)
|
||||
verifyOperation.resultHandler = { (result) in
|
||||
switch result
|
||||
do
|
||||
{
|
||||
case .failure(let error): context.error = error
|
||||
case .success: break
|
||||
try result.get()
|
||||
|
||||
// Wait until we've finished verifying app before caching it.
|
||||
if let app = context.app, cacheApp
|
||||
{
|
||||
try FileManager.default.copyItem(at: app.fileURL, to: InstalledApp.fileURL(for: app), shouldReplace: true)
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
context.error = error
|
||||
}
|
||||
}
|
||||
verifyOperation.addDependency(downloadOperation)
|
||||
|
||||
@@ -25,6 +25,7 @@ extension VerificationError
|
||||
case mismatchedVersion = 4
|
||||
|
||||
case undeclaredPermissions = 6
|
||||
case addedPermissions = 7
|
||||
}
|
||||
|
||||
static func mismatchedBundleIdentifiers(sourceBundleID: String, app: ALTApplication) -> VerificationError {
|
||||
@@ -46,6 +47,10 @@ extension VerificationError
|
||||
static func undeclaredPermissions(_ permissions: [any ALTAppPermission], app: AppProtocol) -> VerificationError {
|
||||
VerificationError(code: .undeclaredPermissions, app: app, permissions: permissions)
|
||||
}
|
||||
|
||||
static func addedPermissions(_ permissions: [any ALTAppPermission], app: AppProtocol) -> VerificationError {
|
||||
VerificationError(code: .addedPermissions, app: app, permissions: permissions)
|
||||
}
|
||||
}
|
||||
|
||||
struct VerificationError: ALTLocalizedError
|
||||
@@ -142,6 +147,10 @@ struct VerificationError: ALTLocalizedError
|
||||
case .undeclaredPermissions:
|
||||
let appName = self.$app.name ?? NSLocalizedString("The app", comment: "")
|
||||
return String(format: NSLocalizedString("%@ requires additional permissions not specified by the source.", comment: ""), appName)
|
||||
|
||||
case .addedPermissions:
|
||||
let appName = self.$app.name ?? NSLocalizedString("The app", comment: "")
|
||||
return String(format: NSLocalizedString("%@ requires more permissions than the version that is already installed.", comment: ""), appName)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -23,14 +23,27 @@ private extension ALTEntitlement
|
||||
]
|
||||
}
|
||||
|
||||
extension VerifyAppOperation
|
||||
{
|
||||
enum PermissionReviewMode
|
||||
{
|
||||
case none
|
||||
case all
|
||||
case added
|
||||
}
|
||||
}
|
||||
|
||||
@objc(VerifyAppOperation)
|
||||
class VerifyAppOperation: ResultOperation<Void>
|
||||
{
|
||||
let permissionsMode: PermissionReviewMode
|
||||
let context: InstallAppOperationContext
|
||||
|
||||
var verificationHandler: ((VerificationError) -> Bool)?
|
||||
|
||||
init(context: InstallAppOperationContext)
|
||||
init(permissionsMode: PermissionReviewMode, context: InstallAppOperationContext)
|
||||
{
|
||||
self.permissionsMode = permissionsMode
|
||||
self.context = context
|
||||
|
||||
super.init()
|
||||
@@ -71,11 +84,7 @@ class VerifyAppOperation: ResultOperation<Void>
|
||||
|
||||
try await self.verifyHash(of: app, at: ipaURL, matches: appVersion)
|
||||
try await self.verifyDownloadedVersion(of: app, matches: appVersion)
|
||||
|
||||
if let storeApp = await self.context.$appVersion.app
|
||||
{
|
||||
try await self.verifyPermissions(of: app, match: storeApp)
|
||||
}
|
||||
try await self.verifyPermissions(of: app, match: appVersion)
|
||||
|
||||
self.finish(.success(()))
|
||||
}
|
||||
@@ -115,6 +124,33 @@ private extension VerifyAppOperation
|
||||
guard version == app.version else { throw VerificationError.mismatchedVersion(app.version, expectedVersion: version, app: app) }
|
||||
}
|
||||
|
||||
func verifyPermissions(of app: ALTApplication, @AsyncManaged match appVersion: AppVersion) async throws
|
||||
{
|
||||
guard self.permissionsMode != .none else { return }
|
||||
guard let storeApp = await $appVersion.app else { throw OperationError.invalidParameters }
|
||||
|
||||
// Verify source permissions match first.
|
||||
let allPermissions = try await self.verifyPermissions(of: app, match: storeApp)
|
||||
|
||||
switch self.permissionsMode
|
||||
{
|
||||
case .none, .all: break
|
||||
case .added:
|
||||
let installedAppURL = InstalledApp.fileURL(for: app)
|
||||
guard let previousApp = ALTApplication(fileURL: installedAppURL) else { throw OperationError.appNotFound(name: app.name) }
|
||||
|
||||
var previousEntitlements = Set(previousApp.entitlements.keys)
|
||||
for appExtension in previousApp.appExtensions
|
||||
{
|
||||
previousEntitlements.formUnion(appExtension.entitlements.keys)
|
||||
}
|
||||
|
||||
// Make sure all entitlements already exist in previousApp.
|
||||
let addedEntitlements = Array(allPermissions.lazy.compactMap { $0 as? ALTEntitlement }.filter { !previousEntitlements.contains($0) })
|
||||
guard addedEntitlements.isEmpty else { throw VerificationError.addedPermissions(addedEntitlements, app: appVersion) }
|
||||
}
|
||||
}
|
||||
|
||||
@discardableResult
|
||||
func verifyPermissions(of app: ALTApplication, @AsyncManaged match storeApp: StoreApp) async throws -> [any ALTAppPermission]
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user