Google Git
Sign in
weave / weave / libweave / f9630fbb4aab7028af10600ef87be2e65df0ac91 / . / libweave / src / privet / security_manager.h
blob: 9876781f06dd181a9a1bb8f92694c03643de1e94 [file] [log] [blame]
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]1// Copyright 2014 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Vitaly Buka912b6982015-07-06 11:13:03 -0700[diff] [blame]5#ifndef LIBWEAVE_SRC_PRIVET_SECURITY_MANAGER_H_
6#define LIBWEAVE_SRC_PRIVET_SECURITY_MANAGER_H_
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]7
8#include <map>
9#include <memory>
10#include <set>
11#include <string>
12#include <vector>
13
14#include <base/callback.h>
15#include <base/files/file_path.h>
16#include <base/memory/weak_ptr.h>
17#include <chromeos/errors/error.h>
18#include <chromeos/secure_blob.h>
Vitaly Bukaf9630fb2015-08-12 21:15:40 -0700[diff] [blame^]19#include <weave/task_runner.h>
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]20
Vitaly Buka912b6982015-07-06 11:13:03 -0700[diff] [blame]21#include "libweave/src/privet/security_delegate.h"
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]22
23namespace crypto {
24class P224EncryptedKeyExchange;
25} // namespace crypto
26
Vitaly Bukab6f015a2015-07-09 14:59:23 -0700[diff] [blame]27namespace weave {
28namespace privet {
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]29
30class SecurityManager : public SecurityDelegate {
31 public:
32 using PairingStartListener =
33 base::Callback<void(const std::string& session_id,
34 PairingType pairing_type,
35 const std::vector<uint8_t>& code)>;
36 using PairingEndListener =
37 base::Callback<void(const std::string& session_id)>;
38
39 class KeyExchanger {
40 public:
41 virtual ~KeyExchanger() = default;
42
43 virtual const std::string& GetMessage() = 0;
44 virtual bool ProcessMessage(const std::string& message,
45 chromeos::ErrorPtr* error) = 0;
46 virtual const std::string& GetKey() const = 0;
47 };
48
49 SecurityManager(const std::set<PairingType>& pairing_modes,
50 const base::FilePath& embedded_code_path,
Vitaly Bukaf9630fb2015-08-12 21:15:40 -0700[diff] [blame^]51 TaskRunner* task_runner,
52 bool disable_security);
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]53 ~SecurityManager() override;
54
55 // SecurityDelegate methods
56 std::string CreateAccessToken(const UserInfo& user_info,
57 const base::Time& time) override;
58 UserInfo ParseAccessToken(const std::string& token,
59 base::Time* time) const override;
60 std::set<PairingType> GetPairingTypes() const override;
61 std::set<CryptoType> GetCryptoTypes() const override;
62 bool IsValidPairingCode(const std::string& auth_code) const override;
63
64 bool StartPairing(PairingType mode,
65 CryptoType crypto,
66 std::string* session_id,
67 std::string* device_commitment,
68 chromeos::ErrorPtr* error) override;
69
70 bool ConfirmPairing(const std::string& session_id,
71 const std::string& client_commitment,
72 std::string* fingerprint,
73 std::string* signature,
74 chromeos::ErrorPtr* error) override;
75 bool CancelPairing(const std::string& session_id,
76 chromeos::ErrorPtr* error) override;
77
78 void RegisterPairingListeners(const PairingStartListener& on_start,
79 const PairingEndListener& on_end);
80
81 void SetCertificateFingerprint(const chromeos::Blob& fingerprint) {
82 certificate_fingerprint_ = fingerprint;
83 }
84
85 private:
86 FRIEND_TEST_ALL_PREFIXES(SecurityManagerTest, ThrottlePairing);
87 // Allows limited number of new sessions without successful authorization.
88 bool CheckIfPairingAllowed(chromeos::ErrorPtr* error);
89 bool ClosePendingSession(const std::string& session_id);
90 bool CloseConfirmedSession(const std::string& session_id);
91
92 // If true allows unencrypted pairing and accepts any access code.
93 bool is_security_disabled_{false};
94 std::set<PairingType> pairing_modes_;
95 const base::FilePath embedded_code_path_;
96 std::string embedded_code_;
Vitaly Bukaf9630fb2015-08-12 21:15:40 -0700[diff] [blame^]97 // TODO(vitalybuka): Session cleanup can be done without posting tasks.
98 TaskRunner* task_runner_{nullptr};
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]99 std::map<std::string, std::unique_ptr<KeyExchanger>> pending_sessions_;
100 std::map<std::string, std::unique_ptr<KeyExchanger>> confirmed_sessions_;
101 mutable int pairing_attemts_{0};
102 mutable base::Time block_pairing_until_;
103 chromeos::SecureBlob secret_;
104 chromeos::Blob certificate_fingerprint_;
105 PairingStartListener on_start_;
106 PairingEndListener on_end_;
107
108 base::WeakPtrFactory<SecurityManager> weak_ptr_factory_{this};
109
110 DISALLOW_COPY_AND_ASSIGN(SecurityManager);
111};
112
Vitaly Bukab6f015a2015-07-09 14:59:23 -0700[diff] [blame]113} // namespace privet
114} // namespace weave
Vitaly Buka7ce499f2015-06-09 08:04:11 -0700[diff] [blame]115
Vitaly Buka912b6982015-07-06 11:13:03 -0700[diff] [blame]116#endif // LIBWEAVE_SRC_PRIVET_SECURITY_MANAGER_H_