cryptohome: Add AddAuthFactor API definition
This CL intends to add AddAuthFactor API proto and dbus call so that the
client side team can begin working on the API. The API will be plumbed
later.
BUG=b:208357699
TEST=manual test using crytohome CLI client
Change-Id: Ifd5d544c4983ce0a5f3e16dedc63f4c626cb96f9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3319388
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Denis Kuznetsov <antrim@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Tested-by: Hardik Goyal <hardikgoyal@chromium.org>
Auto-Submit: Hardik Goyal <hardikgoyal@chromium.org>
Reviewed-by: Greg Kerr <kerrnel@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Commit-Queue: Hardik Goyal <hardikgoyal@chromium.org>
NOKEYCHECK=True
GitOrigin-RevId: a36f89d53bff17ff027e7853d834571e9bd61a95
diff --git a/BUILD.gn b/BUILD.gn
index 691e6de..ea956fb 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -131,6 +131,7 @@
proto_out_dir = "include/cryptohome/proto_bindings"
sources = [
"${proto_in_dir}/UserDataAuth.proto",
+ "${proto_in_dir}/auth_factor.proto",
"${proto_in_dir}/fido.proto",
"${proto_in_dir}/key.proto",
"${proto_in_dir}/rpc.proto",
diff --git a/build.rs b/build.rs
index a03fd80..cff03c6 100644
--- a/build.rs
+++ b/build.rs
@@ -61,6 +61,10 @@
// When adding additional protos, remember to include the source project and subtree in the
// ebuild. Otherwise, the source files will not be accessible when building dev-rust/system_api.
const PROTOS_TO_GENERATE: &[(&str, &str)] = &[
+ (
+ "auth_factor",
+ "system_api/dbus/cryptohome/auth_factor.proto",
+ ),
("fido", "system_api/dbus/cryptohome/fido.proto"),
("key", "system_api/dbus/cryptohome/key.proto"),
("rpc", "system_api/dbus/cryptohome/rpc.proto"),
diff --git a/dbus/cryptohome/UserDataAuth.proto b/dbus/cryptohome/UserDataAuth.proto
index 9a669b0..c8df7ad 100644
--- a/dbus/cryptohome/UserDataAuth.proto
+++ b/dbus/cryptohome/UserDataAuth.proto
@@ -14,6 +14,7 @@
package user_data_auth;
+import "auth_factor.proto";
import "fido.proto";
import "key.proto";
@@ -1086,3 +1087,25 @@
// Contains GetAssertionAuthenticatorResponse.
cryptohome.fido.GetAssertionAuthenticatorResponse get_assertion_response = 2;
}
+
+// AddAuthFactorRequest is built when a user is trying to add an AuthFactor
+// for a user. When the call is made, AuthSession should be authenticated. After
+// the operation the AuthSession would still be in the authenticated state.
+message AddAuthFactorRequest {
+ // AuthFactor cannot be added without an active AuthSession running. This id
+ // would be used to associate the AuthFactor to an AuthSession.
+ bytes auth_session_id = 1;
+ // The AuthFactor that will be added for a given user. This should be
+ // populated with any factor specific data and metadata.
+ // If AuthFactor in the request be constructed with an existing label, the
+ // call would return an error.
+ AuthFactor auth_factor = 2;
+ // In some cases, such as password, the secret would be user supplied. In
+ // those cases the secret can be passed here.
+ AuthInput auth_input = 3;
+}
+
+message AddAuthFactorReply {
+ // Return the status of the request.
+ CryptohomeErrorCode error = 1;
+}
\ No newline at end of file
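Review bot: `AddAuthFactorReply` is the only message in this hunk without a leading comment, and the `auth_input` field comment does not say that the request can carry a user-supplied secret, which matters for anyone who logs or persists D-Bus traffic. I would add `// Reply to AddAuthFactorRequest. |error| is CRYPTOHOME_ERROR_NOT_SET on success.` above the reply only if that is the actual convention for the other replies in this file (it is not visible in the hunk), and extend the `auth_input` comment with `// May contain a user-supplied secret; never log or persist this request verbatim.`. The request comment on the first two lines says "for a user" twice and could read `// AddAuthFactorRequest is sent to add a new AuthFactor for a user. The AuthSession must already be authenticated and remains authenticated after the call.`. The hunk also leaves the file without a trailing newline, which the rest of the file presumably has.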
diff --git a/dbus/cryptohome/auth_factor.proto b/dbus/cryptohome/auth_factor.proto
new file mode 100644
index 0000000..60870f4
--- /dev/null
+++ b/dbus/cryptohome/auth_factor.proto
@@ -0,0 +1,66 @@
+// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Provides wire-type for cryptohome Key objects. It does not
+// represent the entirety of the bookkeeping data needed by Cryptohome.
+//
+// Anything in this file may be persisted on disk. Update carefully!
+
+syntax = "proto3";
+
+option optimize_for = LITE_RUNTIME;
+
+package user_data_auth;
+
+// Enum to define all the available types of AuthFactor. This would be used for
+// identification of a given AuthFactor.
+enum AuthFactorType {
+ AUTH_FACTOR_TYPE_UNSPECIFIED = 0;
+ AUTH_FACTOR_TYPE_PASSWORD = 1;
+}
+
+// AuthFactorIdentifier provides some identificaiton information for a given
+// AuthFactor. This information would be used by the client to authenticate a
+// particular AuthFactor.
+message AuthFactorIdentifier {}
+
+// Password AuthFactor requires a secret to be passed for derivation and
+// creation of key.
+message PasswordAuthInput {
+ bytes secret = 1;
+}
+
+// AuthInput is a wrapper around any secret or input data that is required to
+// authenticate or create an AuthFactor on disk.
+message AuthInput {
+ // An AuthFactor could also carry with itself some input in some cases,
+ // such as password, the secret would be user supplied. In those cases the
+ // secret can be passed here.
+ oneof input { PasswordAuthInput password_input = 1; }
+}
+
+// Password AuthFactor does not store any special metadata. Although this could
+// change in the future and keeping that in mind, an empty proto is defined.
+message PasswordMetadata {}
+
+// AuthFactor is a backing store for any secret stored on Chrome OS in the USS
+// World. This proto definition is used to communicate with the client side.
+// Once it is received on cryptohome side, this proto definition is converted to
+// a flatbuffer for usage and storage.
+// A note: The intention is for client side to not know about the type of
+// backing store. So when any AuthFactor API is called, it is cryptohome that
+// decides what backing store would be used -- either VaultKeyset or AuthFactor.
+// This decion making does not have any effect on how the client uses the API.
+message AuthFactor {
+ // AuthFactorType will help us determine the type and subsequently help us
+ // create the right AuthBlock for derivation or authentication.
+ AuthFactorType type = 1;
+ // AuthFactor would be identified its label which would be unique across all
+ // the AuthFactors for a given user.
+ string label = 2;
+ // An AuthFactor could also carry with itself some metadata. Since an
+ // AuthFactor could only be one type, oneof is used to define the usage of
+ // metadata.
+ oneof metadata { PasswordMetadata password_metadata = 3; }
+}
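Review bot: The file header comment ("Provides wire-type for cryptohome Key objects" and "Anything in this file may be persisted on disk") appears to be copied from the Key proto and does not describe this file, which defines AuthFactor, AuthInput and their metadata; the AuthFactor comment further down says the proto is converted to a flatbuffer for storage, so the persistence claim contradicts the file's own text. I would replace the header with `// Provides wire types for cryptohome AuthFactor objects and the inputs used to create or authenticate them. Storage uses a separate flatbuffer representation.`. Because `PasswordAuthInput.secret` carries the user's password, its field should say so explicitly, e.g. `// User-supplied secret (the password). Must never be logged or written to disk.`, so that later persistence or logging changes do not pick it up by accident. Two typos in the comments: "identificaiton" in the AuthFactorIdentifier comment and "decion" in the AuthFactor comment. `AuthFactorIdentifier` is defined empty and not referenced by AddAuthFactorRequest; if it is reserved for a later API, a one-line comment saying so would keep readers from treating it as dead code.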
diff --git a/dbus/cryptohome/dbus-constants.h b/dbus/cryptohome/dbus-constants.h
index df1d912..b9269bb 100644
--- a/dbus/cryptohome/dbus-constants.h
+++ b/dbus/cryptohome/dbus-constants.h
@@ -52,6 +52,7 @@
const char kPrepareEphemeralVault[] = "PrepareEphemeralVault";
const char kPreparePersistentVault[] = "PreparePersistentVault";
const char kPrepareVaultForMigration[] = "PrepareVaultForMigration";
+const char kAddAuthFactor[] = "AddAuthFactor";
// Methods of the |kArcQuotaInterface| interface:
const char kGetArcDiskFeatures[] = "GetArcDiskFeatures";