cryptohome/user_session/real_user_session.h - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2022 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef CRYPTOHOME_USER_SESSION_REAL_USER_SESSION_H_
 #define CRYPTOHOME_USER_SESSION_REAL_USER_SESSION_H_

 #include <memory>
 #include <string>

 #include <base/timer/timer.h>
 #include <brillo/secure_blob.h>

 #include "cryptohome/auth_session.h"
 #include "cryptohome/cleanup/user_oldest_activity_timestamp_manager.h"
 #include "cryptohome/credential_verifier.h"
 #include "cryptohome/credentials.h"
 #include "cryptohome/error/cryptohome_mount_error.h"
 #include "cryptohome/keyset_management.h"
 #include "cryptohome/pkcs11/pkcs11_token.h"
 #include "cryptohome/pkcs11/pkcs11_token_factory.h"
 #include "cryptohome/storage/cryptohome_vault.h"
 #include "cryptohome/storage/homedirs.h"
 #include "cryptohome/storage/mount.h"
 #include "cryptohome/user_session/user_session.h"

 #include "cryptohome/dircrypto_data_migrator/migration_helper.h"

 namespace cryptohome {

 class RealUserSession : public UserSession {
  public:
   RealUserSession();
   RealUserSession(
       HomeDirs* homedirs,
       KeysetManagement* keyset_management,
       UserOldestActivityTimestampManager* user_activity_timestamp_manager,
       Pkcs11TokenFactory* pkcs11_token_factory,
       const scoped_refptr<Mount> mount);

   // Disallow Copy/Move/Assign
   RealUserSession(const RealUserSession&) = delete;
   RealUserSession(const RealUserSession&&) = delete;
   void operator=(const RealUserSession&) = delete;
   void operator=(const RealUserSession&&) = delete;

   // Returns whether the user session represents an active login session.
   bool IsActive() const override { return mount_->IsMounted(); }

   // Returns whether the session is for an ephemeral user.
   bool IsEphemeral() const override { return mount_->IsEphemeral(); }

   // Returns whether the path belong to the session.
   // TODO(dlunev): remove it once recovery logic is embedded into storage code.
   bool OwnsMountPoint(const base::FilePath& path) const override {
     return mount_->OwnsMountPoint(path);
   }

   // Perform migration of the vault to a different encryption type.
   bool MigrateVault(
       const dircrypto_data_migrator::MigrationHelper::ProgressCallback&
           callback,
       MigrationType migration_type) override {
     return mount_->MigrateEncryption(callback, migration_type);
   }

   // Mounts disk backed vault for the given username with the supplied file
   // system keyset.
   MountStatus MountVault(
       const std::string username,
       const FileSystemKeyset& fs_keyset,
       const CryptohomeVault::Options& vault_options) override;

   // Creates and mounts a ramdisk backed ephemeral session for the given user.
   MountStatus MountEphemeral(const std::string username) override;

   // Creates and mounts a ramdisk backed ephemeral session for an anonymous
   // user.
   MountStatus MountGuest() override;

   // Unmounts the session.
   bool Unmount() override;

   // Returns status string of the proxied Mount objest.
   //
   // The returned object is a dictionary whose keys describe the mount. Current
   // keys are: "keysets", "mounted", "owner", "enterprise", and "type".
   base::Value GetStatus() const override;

   // Returns the WebAuthn secret and clears it from memory.
   std::unique_ptr<brillo::SecureBlob> GetWebAuthnSecret() override;

   // Returns the WebAuthn secret hash.
   const brillo::SecureBlob& GetWebAuthnSecretHash() const override;

   // Returns the hibernate secret.
   std::unique_ptr<brillo::SecureBlob> GetHibernateSecret() override;

   // Sets credentials current session can be re-authenticated with.
   // Returns false in case anything went wrong in setting up new re-auth state.
   bool SetCredentials(const Credentials& credentials) override;

   // Sets credentials current session can be re-authenticated with.
   void SetCredentials(AuthSession* auth_session) override;

   // Checks that the session belongs to the obfuscated_user.
   bool VerifyUser(const std::string& obfuscated_username) const override;

   // Verifies credentials against store re-auth state. Returns true if the
   // credentials were successfully re-authenticated against the saved re-auth
   // state.
   bool VerifyCredentials(const Credentials& credentials) const override;

   // Returns key_data of the current session credentials.
   const KeyData& key_data() const override { return key_data_; }

   // Returns PKCS11 token associated with the session.
   Pkcs11Token* GetPkcs11Token() override { return pkcs11_token_.get(); }

   // Returns the name of the user associated with the session.
   std::string GetUsername() const override { return username_; }

   // Computes a public derivative from |fek| and |fnek| for u2fd to fetch.
   void PrepareWebAuthnSecret(const brillo::SecureBlob& fek,
                              const brillo::SecureBlob& fnek) override;

  private:
   ~RealUserSession() override;

   // Computes a public derivative from |fek| and |fnek|, and store its hash for
   // u2fd to fetch.
   void PrepareWebAuthnSecretHash(const brillo::SecureBlob& fek,
                                  const brillo::SecureBlob& fnek);

   // Clears the WebAuthn secret if it's not read yet.
   void ClearWebAuthnSecret();

   // Computes a public derivative from |fek| and |fnek| for hiberman to fetch.
   void PrepareHibernateSecret(const brillo::SecureBlob& fek,
                               const brillo::SecureBlob& fnek);

   // Clears the WebAuthn secret if it's not read yet.
   void ClearHibernateSecret();

   HomeDirs* homedirs_;
   KeysetManagement* keyset_management_;
   UserOldestActivityTimestampManager* user_activity_timestamp_manager_;
   Pkcs11TokenFactory* pkcs11_token_factory_;

   std::string obfuscated_username_;
   std::string username_;
   std::unique_ptr<CredentialVerifier> credential_verifier_;
   KeyData key_data_;

   // Secret for WebAuthn credentials.
   std::unique_ptr<brillo::SecureBlob> webauthn_secret_;
   // Hash of the WebAuthn secret.
   brillo::SecureBlob webauthn_secret_hash_;
   // Timer for clearing the WebAuthn secret.
   base::OneShotTimer clear_webauthn_secret_timer_;

   // Secret for securing hibernate images.
   std::unique_ptr<brillo::SecureBlob> hibernate_secret_;
   // Timer for clearing the hibernate secret.
   base::OneShotTimer clear_hibernate_secret_timer_;

   scoped_refptr<cryptohome::Mount> mount_;
   std::unique_ptr<Pkcs11Token> pkcs11_token_;

   friend class UserDataAuthTestTasked;
 };

 }  // namespace cryptohome

 #endif  // CRYPTOHOME_USER_SESSION_REAL_USER_SESSION_H_
	// Copyright 2022 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef CRYPTOHOME_USER_SESSION_REAL_USER_SESSION_H_
	#define CRYPTOHOME_USER_SESSION_REAL_USER_SESSION_H_

	#include <memory>
	#include <string>

	#include <base/timer/timer.h>
	#include <brillo/secure_blob.h>

	#include "cryptohome/auth_session.h"
	#include "cryptohome/cleanup/user_oldest_activity_timestamp_manager.h"
	#include "cryptohome/credential_verifier.h"
	#include "cryptohome/credentials.h"
	#include "cryptohome/error/cryptohome_mount_error.h"
	#include "cryptohome/keyset_management.h"
	#include "cryptohome/pkcs11/pkcs11_token.h"
	#include "cryptohome/pkcs11/pkcs11_token_factory.h"
	#include "cryptohome/storage/cryptohome_vault.h"
	#include "cryptohome/storage/homedirs.h"
	#include "cryptohome/storage/mount.h"
	#include "cryptohome/user_session/user_session.h"

	#include "cryptohome/dircrypto_data_migrator/migration_helper.h"

	namespace cryptohome {

	class RealUserSession : public UserSession {
	public:
	RealUserSession();
	RealUserSession(
	HomeDirs* homedirs,
	KeysetManagement* keyset_management,
	UserOldestActivityTimestampManager* user_activity_timestamp_manager,
	Pkcs11TokenFactory* pkcs11_token_factory,
	const scoped_refptr<Mount> mount);

	// Disallow Copy/Move/Assign
	RealUserSession(const RealUserSession&) = delete;
	RealUserSession(const RealUserSession&&) = delete;
	void operator=(const RealUserSession&) = delete;
	void operator=(const RealUserSession&&) = delete;

	// Returns whether the user session represents an active login session.
	bool IsActive() const override { return mount_->IsMounted(); }

	// Returns whether the session is for an ephemeral user.
	bool IsEphemeral() const override { return mount_->IsEphemeral(); }

	// Returns whether the path belong to the session.
	// TODO(dlunev): remove it once recovery logic is embedded into storage code.
	bool OwnsMountPoint(const base::FilePath& path) const override {
	return mount_->OwnsMountPoint(path);
	}

	// Perform migration of the vault to a different encryption type.
	bool MigrateVault(
	const dircrypto_data_migrator::MigrationHelper::ProgressCallback&
	callback,
	MigrationType migration_type) override {
	return mount_->MigrateEncryption(callback, migration_type);
	}

	// Mounts disk backed vault for the given username with the supplied file
	// system keyset.
	MountStatus MountVault(
	const std::string username,
	const FileSystemKeyset& fs_keyset,
	const CryptohomeVault::Options& vault_options) override;

	// Creates and mounts a ramdisk backed ephemeral session for the given user.
	MountStatus MountEphemeral(const std::string username) override;

	// Creates and mounts a ramdisk backed ephemeral session for an anonymous
	// user.
	MountStatus MountGuest() override;

	// Unmounts the session.
	bool Unmount() override;

	// Returns status string of the proxied Mount objest.
	//
	// The returned object is a dictionary whose keys describe the mount. Current
	// keys are: "keysets", "mounted", "owner", "enterprise", and "type".
	base::Value GetStatus() const override;

	// Returns the WebAuthn secret and clears it from memory.
	std::unique_ptr<brillo::SecureBlob> GetWebAuthnSecret() override;

	// Returns the WebAuthn secret hash.
	const brillo::SecureBlob& GetWebAuthnSecretHash() const override;

	// Returns the hibernate secret.
	std::unique_ptr<brillo::SecureBlob> GetHibernateSecret() override;

	// Sets credentials current session can be re-authenticated with.
	// Returns false in case anything went wrong in setting up new re-auth state.
	bool SetCredentials(const Credentials& credentials) override;

	// Sets credentials current session can be re-authenticated with.
	void SetCredentials(AuthSession* auth_session) override;

	// Checks that the session belongs to the obfuscated_user.
	bool VerifyUser(const std::string& obfuscated_username) const override;

	// Verifies credentials against store re-auth state. Returns true if the
	// credentials were successfully re-authenticated against the saved re-auth
	// state.
	bool VerifyCredentials(const Credentials& credentials) const override;

	// Returns key_data of the current session credentials.
	const KeyData& key_data() const override { return key_data_; }

	// Returns PKCS11 token associated with the session.
	Pkcs11Token* GetPkcs11Token() override { return pkcs11_token_.get(); }

	// Returns the name of the user associated with the session.
	std::string GetUsername() const override { return username_; }

	// Computes a public derivative from \|fek\| and \|fnek\| for u2fd to fetch.
	void PrepareWebAuthnSecret(const brillo::SecureBlob& fek,
	const brillo::SecureBlob& fnek) override;

	private:
	~RealUserSession() override;

	// Computes a public derivative from \|fek\| and \|fnek\|, and store its hash for
	// u2fd to fetch.
	void PrepareWebAuthnSecretHash(const brillo::SecureBlob& fek,
	const brillo::SecureBlob& fnek);

	// Clears the WebAuthn secret if it's not read yet.
	void ClearWebAuthnSecret();

	// Computes a public derivative from \|fek\| and \|fnek\| for hiberman to fetch.
	void PrepareHibernateSecret(const brillo::SecureBlob& fek,
	const brillo::SecureBlob& fnek);

	// Clears the WebAuthn secret if it's not read yet.
	void ClearHibernateSecret();

	HomeDirs* homedirs_;
	KeysetManagement* keyset_management_;
	UserOldestActivityTimestampManager* user_activity_timestamp_manager_;
	Pkcs11TokenFactory* pkcs11_token_factory_;

	std::string obfuscated_username_;
	std::string username_;
	std::unique_ptr<CredentialVerifier> credential_verifier_;
	KeyData key_data_;

	// Secret for WebAuthn credentials.
	std::unique_ptr<brillo::SecureBlob> webauthn_secret_;
	// Hash of the WebAuthn secret.
	brillo::SecureBlob webauthn_secret_hash_;
	// Timer for clearing the WebAuthn secret.
	base::OneShotTimer clear_webauthn_secret_timer_;

	// Secret for securing hibernate images.
	std::unique_ptr<brillo::SecureBlob> hibernate_secret_;
	// Timer for clearing the hibernate secret.
	base::OneShotTimer clear_hibernate_secret_timer_;

	scoped_refptr<cryptohome::Mount> mount_;
	std::unique_ptr<Pkcs11Token> pkcs11_token_;

	friend class UserDataAuthTestTasked;
	};

	} // namespace cryptohome

	#endif // CRYPTOHOME_USER_SESSION_REAL_USER_SESSION_H_