kerberos/account_manager.h - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2019 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef KERBEROS_ACCOUNT_MANAGER_H_
 #define KERBEROS_ACCOUNT_MANAGER_H_

 #include <memory>
 #include <string>
 #include <vector>

 #include <base/callback.h>
 #include <base/compiler_specific.h>
 #include <base/files/file_path.h>
 #include <base/macros.h>
 #include <base/optional.h>

 #include "bindings/kerberos_containers.pb.h"
 #include "kerberos/proto_bindings/kerberos_service.pb.h"

 namespace kerberos {

 class Krb5Interface;

 // Manages Kerberos tickets for a set of accounts keyed by principal name
 // (user@REALM.COM).
 class AccountManager {
  public:
   using KerberosFilesChangedCallback =
       base::RepeatingCallback<void(const std::string& principal_name)>;

   // |storage_dir| is the path where configs and credential caches are stored.
   // |kerberos_files_changed| is a callback that gets called when either the
   // Kerberos credential cache or the configuration file changes for a specific
   // account. Use in combination with GetKerberosFiles() to get the latest
   // files. |krb5| interacts with lower level Kerberos libraries. It can be
   // overridden for tests.
   explicit AccountManager(base::FilePath storage_dir,
                           KerberosFilesChangedCallback kerberos_files_changed,
                           std::unique_ptr<Krb5Interface> krb5);
   ~AccountManager();

   // Saves all accounts to disk. Returns ERROR_LOCAL_IO and logs on error.
   ErrorType SaveAccounts() const;

   // Loads all accounts from disk. Returns ERROR_LOCAL_IO and logs on error.
   // Removes all old accounts before setting the new ones. Treats a non-existent
   // file on disk as if the file was empty, i.e. loading succeeds and the
   // account list is empty afterwards.
   ErrorType LoadAccounts();

   // Adds an account keyed by |principal_name| (user@REALM.COM) to the list of
   // accounts. |is_managed| indicates whether the account is managed by the
   // KerberosAccounts policy. Returns |ERROR_DUPLICATE_PRINCIPAL_NAME| if the
   // account is already present.
   ErrorType AddAccount(const std::string& principal_name,
                        bool is_managed) WARN_UNUSED_RESULT;

   // The following methods return |ERROR_UNKNOWN_PRINCIPAL_NAME| if
   // |principal_name| (user@REALM.COM) is not known.

   // Removes the account keyed by |principal_name| from the list of accounts.
   ErrorType RemoveAccount(const std::string& principal_name) WARN_UNUSED_RESULT;

   // Removes all accounts.
   ErrorType ClearAccounts() WARN_UNUSED_RESULT;

   // Returns a list of all existing accounts, including current status like
   // remaining Kerberos ticket lifetime. Does a best effort returning results.
   // See documentation of |Account| for more details.
   ErrorType ListAccounts(std::vector<Account>* accounts) const
       WARN_UNUSED_RESULT;

   // Sets the Kerberos configuration (krb5.conf) used for the given
   // |principal_name|.
   ErrorType SetConfig(const std::string& principal_name,
                       const std::string& krb5_conf) const WARN_UNUSED_RESULT;

   // Acquires a Kerberos ticket-granting-ticket for the account keyed by
   // |principal_name|.
   ErrorType AcquireTgt(const std::string& principal_name,
                        const std::string& password) const WARN_UNUSED_RESULT;

   // Retrieves the Kerberos credential cache and the configuration file for the
   // account keyed by |principal_name|. Returns ERROR_NONE if both files could
   // be retrieved or if the credential cache is missing. Returns ERROR_LOCAL_IO
   // if any of the files failed to read.
   ErrorType GetKerberosFiles(const std::string& principal_name,
                              KerberosFiles* files) const WARN_UNUSED_RESULT;

   const base::FilePath& GetStorageDirForTesting() { return storage_dir_; }

   // Returns the SHA1 hash of |principal_name| as hex string.
   static std::string HashPrincipalForTesting(const std::string& principal_name);

  private:
   // File path helpers. All paths are relative to |storage_dir_|.

   // File path of the Kerberos configuration for the given |principal_name|.
   base::FilePath GetKrb5ConfPath(const std::string& principal_name) const;

   // File path of the Kerberos credential cache for the given |principal_name|.
   base::FilePath GetKrb5CCPath(const std::string& principal_name) const;

   // File path where |accounts_| is stored.
   base::FilePath GetAccountsPath() const;

   // Deletes the Kerberos config and credential cache. Triggers
   // KerberosFilesChanged if the credential cache was deleted.
   void DeleteKerberosFiles(const std::string& principal_name);

   // Calls |kerberos_files_changed_| if set.
   void TriggerKerberosFilesChanged(const std::string& principal_name) const;

   // Directory where all account data is stored.
   const base::FilePath storage_dir_;

   // Gets called when the Kerberos configuration or credential cache changes for
   // a specific account.
   const KerberosFilesChangedCallback kerberos_files_changed_;

   // Interface for Kerberos methods (may be overridden for tests).
   const std::unique_ptr<Krb5Interface> krb5_;

   // Returns the index of the account for |principal_name| or |kInvalidIndex| if
   // the account does not exist.
   int GetAccountIndex(const std::string& principal_name) const;

   // Returns the AccountData for |principal_name| if available or nullptr
   // otherwise. The returned pointer may lose validity if |accounts_| gets
   // modified.
   const AccountData* GetAccountData(const std::string& principal_name) const;

   // List of all accounts. Stored in a vector to keep order of addition.
   std::vector<AccountData> accounts_;

   DISALLOW_COPY_AND_ASSIGN(AccountManager);
 };

 }  // namespace kerberos

 #endif  // KERBEROS_ACCOUNT_MANAGER_H_
	// Copyright 2019 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef KERBEROS_ACCOUNT_MANAGER_H_
	#define KERBEROS_ACCOUNT_MANAGER_H_

	#include <memory>
	#include <string>
	#include <vector>

	#include <base/callback.h>
	#include <base/compiler_specific.h>
	#include <base/files/file_path.h>
	#include <base/macros.h>
	#include <base/optional.h>

	#include "bindings/kerberos_containers.pb.h"
	#include "kerberos/proto_bindings/kerberos_service.pb.h"

	namespace kerberos {

	class Krb5Interface;

	// Manages Kerberos tickets for a set of accounts keyed by principal name
	// (user@REALM.COM).
	class AccountManager {
	public:
	using KerberosFilesChangedCallback =
	base::RepeatingCallback<void(const std::string& principal_name)>;

	// \|storage_dir\| is the path where configs and credential caches are stored.
	// \|kerberos_files_changed\| is a callback that gets called when either the
	// Kerberos credential cache or the configuration file changes for a specific
	// account. Use in combination with GetKerberosFiles() to get the latest
	// files. \|krb5\| interacts with lower level Kerberos libraries. It can be
	// overridden for tests.
	explicit AccountManager(base::FilePath storage_dir,
	KerberosFilesChangedCallback kerberos_files_changed,
	std::unique_ptr<Krb5Interface> krb5);
	~AccountManager();

	// Saves all accounts to disk. Returns ERROR_LOCAL_IO and logs on error.
	ErrorType SaveAccounts() const;

	// Loads all accounts from disk. Returns ERROR_LOCAL_IO and logs on error.
	// Removes all old accounts before setting the new ones. Treats a non-existent
	// file on disk as if the file was empty, i.e. loading succeeds and the
	// account list is empty afterwards.
	ErrorType LoadAccounts();

	// Adds an account keyed by \|principal_name\| (user@REALM.COM) to the list of
	// accounts. \|is_managed\| indicates whether the account is managed by the
	// KerberosAccounts policy. Returns \|ERROR_DUPLICATE_PRINCIPAL_NAME\| if the
	// account is already present.
	ErrorType AddAccount(const std::string& principal_name,
	bool is_managed) WARN_UNUSED_RESULT;

	// The following methods return \|ERROR_UNKNOWN_PRINCIPAL_NAME\| if
	// \|principal_name\| (user@REALM.COM) is not known.

	// Removes the account keyed by \|principal_name\| from the list of accounts.
	ErrorType RemoveAccount(const std::string& principal_name) WARN_UNUSED_RESULT;

	// Removes all accounts.
	ErrorType ClearAccounts() WARN_UNUSED_RESULT;

	// Returns a list of all existing accounts, including current status like
	// remaining Kerberos ticket lifetime. Does a best effort returning results.
	// See documentation of \|Account\| for more details.
	ErrorType ListAccounts(std::vector<Account>* accounts) const
	WARN_UNUSED_RESULT;

	// Sets the Kerberos configuration (krb5.conf) used for the given
	// \|principal_name\|.
	ErrorType SetConfig(const std::string& principal_name,
	const std::string& krb5_conf) const WARN_UNUSED_RESULT;

	// Acquires a Kerberos ticket-granting-ticket for the account keyed by
	// \|principal_name\|.
	ErrorType AcquireTgt(const std::string& principal_name,
	const std::string& password) const WARN_UNUSED_RESULT;

	// Retrieves the Kerberos credential cache and the configuration file for the
	// account keyed by \|principal_name\|. Returns ERROR_NONE if both files could
	// be retrieved or if the credential cache is missing. Returns ERROR_LOCAL_IO
	// if any of the files failed to read.
	ErrorType GetKerberosFiles(const std::string& principal_name,
	KerberosFiles* files) const WARN_UNUSED_RESULT;

	const base::FilePath& GetStorageDirForTesting() { return storage_dir_; }

	// Returns the SHA1 hash of \|principal_name\| as hex string.
	static std::string HashPrincipalForTesting(const std::string& principal_name);

	private:
	// File path helpers. All paths are relative to \|storage_dir_\|.

	// File path of the Kerberos configuration for the given \|principal_name\|.
	base::FilePath GetKrb5ConfPath(const std::string& principal_name) const;

	// File path of the Kerberos credential cache for the given \|principal_name\|.
	base::FilePath GetKrb5CCPath(const std::string& principal_name) const;

	// File path where \|accounts_\| is stored.
	base::FilePath GetAccountsPath() const;

	// Deletes the Kerberos config and credential cache. Triggers
	// KerberosFilesChanged if the credential cache was deleted.
	void DeleteKerberosFiles(const std::string& principal_name);

	// Calls \|kerberos_files_changed_\| if set.
	void TriggerKerberosFilesChanged(const std::string& principal_name) const;

	// Directory where all account data is stored.
	const base::FilePath storage_dir_;

	// Gets called when the Kerberos configuration or credential cache changes for
	// a specific account.
	const KerberosFilesChangedCallback kerberos_files_changed_;

	// Interface for Kerberos methods (may be overridden for tests).
	const std::unique_ptr<Krb5Interface> krb5_;

	// Returns the index of the account for \|principal_name\| or \|kInvalidIndex\| if
	// the account does not exist.
	int GetAccountIndex(const std::string& principal_name) const;

	// Returns the AccountData for \|principal_name\| if available or nullptr
	// otherwise. The returned pointer may lose validity if \|accounts_\| gets
	// modified.
	const AccountData* GetAccountData(const std::string& principal_name) const;

	// List of all accounts. Stored in a vector to keep order of addition.
	std::vector<AccountData> accounts_;

	DISALLOW_COPY_AND_ASSIGN(AccountManager);
	};

	} // namespace kerberos

	#endif // KERBEROS_ACCOUNT_MANAGER_H_