Chromium Code Reviews Chromium Code Reviews
Issue 10827266:
[Sync] Add SyncEncryptionHandler (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef SYNC_INTERNAL_API_PUBLIC_SYNC_ENCRYPTION_HANDLER_H | |
| 6 #define SYNC_INTERNAL_API_PUBLIC_SYNC_ENCRYPTION_HANDLER_H | |
| 7 | |
| 8 #include <string> | |
| 9 | |
| 10 #include "sync/internal_api/public/base/model_type.h" | |
| 11 | |
| 12 namespace sync_pb { | |
| 13 class EncryptedData; | |
| 14 class NigoriSpecifics; | |
| 15 } | |
| 16 | |
| 17 namespace syncer { | |
| 18 | |
| 19 class Cryptographer; | |
| 20 | |
| 21 // Reasons due to which Cryptographer might require a passphrase. | |
| 22 enum PassphraseRequiredReason { | |
| 23 REASON_PASSPHRASE_NOT_REQUIRED = 0, // Initial value. | |
| 24 REASON_ENCRYPTION = 1, // The cryptographer requires a | |
| 25 // passphrase for its first attempt at | |
| 26 // encryption. Happens only during | |
| 27 // migration or upgrade. | |
| 28 REASON_DECRYPTION = 2, // The cryptographer requires a | |
| 29 // passphrase for its first attempt at | |
| 30 // decryption. | |
| 31 }; | |
| 32 | |
| 33 // Sync's encryption handler. Handles tracking encrypted types, ensuring the | |
| 34 // cryptographer encrypts with the proper key and has the most recent keybag, | |
| 35 // and keeps the nigori node up to date. | |
| 36 // | |
| 37 // TODO(zea): This class should not need to be entirely thread safe. Refactor | |
| 38 // how datatypes/sync gets the set of encrypted types and pull that out | |
| 39 // into a thread safe class, then make this class explicitly non-thread safe | |
| 40 // and ensure its only accessed from the sync thread. As it stands, | |
| 41 // GetEncryptedTypes is called from all datatype threads via the cryptographer's | |
| 42 // GetEncryptedTypes method. | |
| 43 class SyncEncryptionHandler { | |
| 44 public: | |
| 45 // All Observer methods are done synchronously and are assumed to be called | |
|
tim (not reviewing)
2012/08/13 20:01:00
Why is the word 'assumed' here?
'All Observer m
Nicolas Zea
2012/08/13 22:56:38
Done.
| |
| 46 // from within a transaction and on the sync thread. | |
| 47 class Observer { | |
| 48 public: | |
| 49 Observer(); | |
| 50 | |
| 51 // Called when user interaction is required to obtain a valid passphrase. | |
| 52 // - If the passphrase is required for encryption, |reason| will be | |
| 53 // REASON_ENCRYPTION. | |
| 54 // - If the passphrase is required for the decryption of data that has | |
| 55 // already been encrypted, |reason| will be REASON_DECRYPTION. | |
| 56 // - If the passphrase is required because decryption failed, and a new | |
| 57 // passphrase is required, |reason| will be REASON_SET_PASSPHRASE_FAILED. | |
| 58 // | |
| 59 // |pending_keys| is a copy of the cryptographer's pending keys, that may be | |
| 60 // cached by the frontend for subsequent use by the UI. | |
| 61 virtual void OnPassphraseRequired( | |
| 62 PassphraseRequiredReason reason, | |
| 63 const sync_pb::EncryptedData& pending_keys) = 0; | |
| 64 // Called when the passphrase provided by the user has been accepted and is | |
| 65 // now used to encrypt sync data. | |
| 66 | |
| 67 virtual void OnPassphraseAccepted() = 0; | |
| 68 // |bootstrap_token| is an opaque base64 encoded representation of the key | |
| 69 // generated by the current passphrase, and is provided to the observer for | |
| 70 // persistence purposes and use in a future initialization of sync (e.g. | |
| 71 // after restart). The boostrap token will always be derived from the most | |
| 72 // recent GAIA password (for accounts with implicit passphrases), even if | |
| 73 // the data is still encrypted with an older GAIA password. For accounts | |
| 74 // with explicit passphrases, it will be the most recently seen custom | |
| 75 // passphrase. | |
| 76 virtual void OnBootstrapTokenUpdated( | |
| 77 const std::string& bootstrap_token) = 0; | |
| 78 | |
| 79 // Called when the set of encrypted types or the encrypt | |
| 80 // everything flag has been changed. Note that encryption isn't | |
| 81 // complete until the OnEncryptionComplete() notification has been | |
| 82 // sent (see below). | |
| 83 // | |
| 84 // |encrypted_types| will always be a superset of | |
| 85 // Cryptographer::SensitiveTypes(). If |encrypt_everything| is | |
| 86 // true, |encrypted_types| will be the set of all known types. | |
| 87 // | |
| 88 // Until this function is called, observers can assume that the | |
| 89 // set of encrypted types is Cryptographer::SensitiveTypes() and | |
| 90 // that the encrypt everything flag is false. | |
| 91 virtual void OnEncryptedTypesChanged( | |
| 92 ModelTypeSet encrypted_types, | |
| 93 bool encrypt_everything) = 0; | |
| 94 | |
| 95 // Called after we finish encrypting the current set of encrypted | |
| 96 // types. | |
| 97 virtual void OnEncryptionComplete() = 0; | |
| 98 | |
| 99 // The cryptographer has been updated. Listeners should check that their | |
| 100 // own state matches the cryptographer. | |
| 101 // Used primarily for debugging. | |
| 102 virtual void OnCryptographerStateChanged(Cryptographer* cryptographer) = 0; | |
| 103 | |
| 104 protected: | |
| 105 virtual ~Observer(); | |
| 106 }; | |
| 107 | |
| 108 SyncEncryptionHandler(); | |
| 109 virtual ~SyncEncryptionHandler(); | |
| 110 | |
| 111 // Add/Remove SyncEncryptionHandler::Observer's. | |
| 112 // Must be called from sync thread. | |
| 113 virtual void AddObserver(Observer* observer) = 0; | |
| 114 virtual void RemoveObserver(Observer* observer) = 0; | |
| 115 | |
| 116 // Reads the nigori node, updates internal state as needed, and, if a | |
| 117 // stale/incompatible nigori node is detected, overwrites the existing | |
| 118 // nigori node. Upon completion, if the cryptographer is still ready | |
| 119 // attempts to re-encrypt all sync data. | |
| 120 // Note: This method is expensive (it iterates through all encrypted types), | |
| 121 // so should only be used sparingly (e.g. on startup). | |
| 122 virtual void ReloadNigori() = 0; | |
| 123 | |
| 124 // Apply a nigori node update, updating the internal encryption state | |
| 125 // accordingly. | |
| 126 // TODO(zea): remove this in favor of using the ChangeProcessor interface. | |
| 127 virtual void UpdateFromNigori(const sync_pb::NigoriSpecifics& nigori) = 0; | |
| 128 | |
| 129 // Returns the set of currently encrypted types. | |
| 130 // Note: caller must be holding a transaction. See TODO above about | |
| 131 // refactoring how this is called. | |
| 132 virtual ModelTypeSet GetEncryptedTypes() const = 0; | |
| 133 | |
| 134 // Store the current encrypt everything/encrypted types state into |nigori|. | |
| 135 // TODO(zea): remove this in favor of using a ResolveConflict method via | |
| 136 // the ChangeProcessor interface. | |
| 137 virtual void UpdateNigoriFromEncryptedTypes( | |
| 138 sync_pb::NigoriSpecifics* nigori) const = 0; | |
| 139 | |
| 140 // Attempts to re-encrypt encrypted data types using the passphrase provided. | |
| 141 // Notifies observers of the result of the operation via OnPassphraseAccepted | |
| 142 // or OnPassphraseRequired, updates the nigori node, and does re-encryption as | |
| 143 // appropriate. If an explicit password has been set previously, we drop | |
| 144 // subsequent requests to set a passphrase. If the cryptographer has pending | |
| 145 // keys, and a new implicit passphrase is provided, we try decrypting the | |
| 146 // pending keys with it, and if that fails, we cache the passphrase for | |
| 147 // re-encryption once the pending keys are decrypted. | |
| 148 virtual void SetEncryptionPassphrase(const std::string& passphrase, | |
| 149 bool is_explicit) = 0; | |
| 150 | |
| 151 // Provides a passphrase for decrypting the user's existing sync data. | |
| 152 // Notifies observers of the result of the operation via OnPassphraseAccepted | |
| 153 // or OnPassphraseRequired, updates the nigori node, and does re-encryption as | |
| 154 // appropriate if there is a previously cached encryption passphrase. It is an | |
| 155 // error to call this when we don't have pending keys. | |
| 156 virtual void SetDecryptionPassphrase(const std::string& passphrase) = 0; | |
| 157 | |
| 158 // Enables encryption of all datatypes. | |
| 159 virtual void EnableEncryptEverything() = 0; | |
| 160 | |
| 161 // Whether encryption of all datatypes is enabled. If false, only sensitive | |
| 162 // types are encrypted. | |
| 163 virtual bool EncryptEverythingEnabled() const = 0; | |
| 164 | |
| 165 // Whether the account requires a user-provided passphrase to decrypt | |
| 166 // encrypted data. | |
| 167 virtual bool IsUsingExplicitPassphrase() const = 0; | |
| 168 | |
| 169 // The set of types that are always encrypted. | |
| 170 static ModelTypeSet SensitiveTypes(); | |
| 171 }; | |
| 172 | |
| 173 } // namespace syncer | |
| 174 | |
| 175 #endif // SYNC_INTERNAL_API_PUBLIC_SYNC_ENCRYPTION_HANDLER_H | |
| OLD | NEW |
