mojo/services/vanadium/security/interfaces/principal.mojom - Issue 1418013004: Principal Service: Add support for multiple user accounts

Side by Side Diff: mojo/services/vanadium/security/interfaces/principal.mojom

Issue 1418013004: Principal Service: Add support for multiple user accounts (Closed) Base URL: https://github.com/domokit/mojo.git@master

Patch Set: Created 5 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved. Use of this

2 // Use of this source code is governed by a BSD-style license that can be	2 // source code is governed by a BSD-style license that can be found in the

3 // found in the LICENSE file.	3 // LICENSE file.

4	4

5 module vanadium;	5 module vanadium;

6	6

7 // Represents the name of an application. \|url\| is the url of the	7 // Represents the name of an application. \|url\| is the url of the application.

8 // application. \|qualifier\| is a string that allows to tie a specific	8 // \|qualifier\| is a string that allows to tie a specific instance of an

9 // instance of an application to another.	9 // application to another.

10 struct AppInstanceName {	10 struct AppInstanceName {

11 string url;	11 string url;

12 string? qualifier;	12 string? qualifier;

13 };	13 };

14	14

15 // Certificate represents a human-readable name and public-key (DER encoded) pai r.	15 // Represents a user identity. \|email\| is the email address of the user, which m ay

16 // The private-key for a certificate is only available for signing operations	16 // be obtained through a third-party authentication flow (e.g., oauth2).

17 // within the principal service application.	17 struct User {

18 struct Certificate {	18 string email;
	ashankar 2015/10/30 02:24:13 Must it be "email" - would saying "username" be mo Must it be "email" - would saying "username" be more appropriate? ataly 2015/11/04 00:24:29 I have been going back and forth on this. The user I have been going back and forth on this. The username is not necessarily the email address. For instance, based on what I understood from Usha, on Android the username can also be the phone number. Therefore for now I though we should just promise the email address in the User object as that is what our Vanadium IDP blessings promise. The other minor reason is that an email address stands on its own where a username string may require the identity provider name as well. ashankar 2015/11/04 00:37:10 On the other hand, we don't want to end up in a po Show quoted text On 2015/11/04 00:24:29, ataly wrote: > I have been going back and forth on this. The username is not necessarily the > email address. For instance, based on what I understood from Usha, on Android > the username can also be the phone number. > > Therefore for now I though we should just promise the email address in the User > object as that is what our Vanadium IDP blessings promise. The other minor > reason is that an email address stands on its own where a username string may > require the identity provider name as well. On the other hand, we don't want to end up in a position where an email is required, right? Anyway, this is fine for now but as this evolves I do think that we might want to make this username - and email can be one form of username ataly 2015/11/04 21:22:51 Acknowledged. Show quoted text On 2015/11/04 00:37:10, ashankar wrote: > On 2015/11/04 00:24:29, ataly wrote: > > I have been going back and forth on this. The username is not necessarily the > > email address. For instance, based on what I understood from Usha, on Android > > the username can also be the phone number. > > > > Therefore for now I though we should just promise the email address in the > User > > object as that is what our Vanadium IDP blessings promise. The other minor > > reason is that an email address stands on its own where a username string may > > require the identity provider name as well. > > On the other hand, we don't want to end up in a position where an email is > required, right? > Anyway, this is fine for now but as this evolves I do think that we might want > to make this username - and email can be one form of username Acknowledged.
19 string extension;	19 Blessing user_blessing;
	ashankar 2015/10/30 02:24:13 Just "blessing" - it's part of the "User" struct, Just "blessing" - it's part of the "User" struct, so don't need the "_user" suffix? ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/30 02:24:13, ashankar wrote: > Just "blessing" - it's part of the "User" struct, so don't need the "_user" > suffix? Done.
20 array<uint8>? publickey;	20 // TODO(ataly, ukode): Include the name of the identity provider?

	21 // TODO(ataly, ukode): Include the first and last name of the user?

	22 // TODO(ataly, ukode): Include any unique ids assigned to the user by the

	23 // identity provider?

21 };	24 };

22	25

23 // Blessing is a credential binding a user identity to a public key. The corresp onding	26 // Certificate represents a human-readable name and public-key (DER encoded)

24 // private key is only available for signing within the PrincipalService applica tion.	27 // pair. The private-key for a certificate is only available for signing

25 struct Blessing {	28 // operations within the principal service application.

26 array<Certificate> chain;	29 struct Certificate {

	30 string extension;

	31 array<uint8>? publickey;

27 };	32 };

28	33

29 // ChainSeparator is the separator used to join name extensions in a certificate chain.	34 // Blessing is a credential binding a user identity to a public key. The

	35 // corresponding private key is only available for signing within the

	36 // PrincipalService application.

	37 // TODO(ataly, gauthamt): This Blessing type does not match the Vanadium

	38 // WireBlessing type. For the blessing to be usable by SyncBase we will have

	39 // to make it match the WireBlessing type.
	ashankar 2015/10/30 02:24:13 Would it make sense to link to the security concep Would it make sense to link to the security concepts page: https://github.com/vanadium/docs/blob/master/concepts/security.md as a form of documentation? ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/30 02:24:13, ashankar wrote: > Would it make sense to link to the security concepts page: > https://github.com/vanadium/docs/blob/master/concepts/security.md > as a form of documentation? Done.
	40 struct Blessing {

	41 array<Certificate> chain;

	42 };

	43

	44 // ChainSeparator is the separator used to join name extensions in a

	45 // certificate chain.

30 const string ChainSeparator = "/";	46 const string ChainSeparator = "/";

31	47

32 // A service that binds user identities to an application instance running in Mo jo	48 // A service that binds user identities to an application instance running in

	49 // Mojo. An application instance may have multiple user identities with one of

	50 // them set as the current identity.

33 interface PrincipalService {	51 interface PrincipalService {

34 // Login is called by an application instance (requestor_url/qualifier) that	52 // Login is called by an application instance (requestor_url/qualifier) that

35 // wants to get a user blessing. The service may obtain the user blessing	53 // wants to get a new user identity. The service may obtain the user identity

36 // through a third-party authentication flow (eg:oauth2). The user blessing	54 // through a third-party authentication flow (e.g., oauth2) which may involve

37 // is bound to a public/private key-pair that this service generates and	55 // user intervention. The obtained identity is added to the set of

38 // persists for this application instance. Returns null if login fails.	56 // authenticated user identities of the application instance, and is also set

39 Login() => (Blessing? user_blessing);	57 // as the current user identity for the instance.
	gautham 2015/10/28 23:02:45 application instance. application instance. ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/28 23:02:45, gautham wrote: > application instance. Done.
	58 //

	59 // Additionally, the service creates a user blessing that binds the obtained

	60 // email address of the user to the unique public/private key-pair of the inst ance.
	gautham 2015/10/28 23:02:45 application instance. application instance. ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/28 23:02:45, gautham wrote: > application instance. Done.
	61 // This key pair is generated and persisted by this service on the first Login
	gautham 2015/10/28 23:02:45 This seems like an implementation detail. Not sure This seems like an implementation detail. Not sure its needed in API level comments. ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/28 23:02:45, gautham wrote: > This seems like an implementation detail. Not sure its needed in API level > comments. Done.
	62 // invocation by the application instance.

	63 //

	64 // Returns the user identifier or null if an error is encountered at any

	65 // stage.

	66 Login() => (User? user);

40	67

41 // Removes the user blessing for the application instance that invokes the	68 // GetUsers returns all authenticated user identities and the current user

42 // Logout method.	69 // identity of the calling application instance. The user identities are a

	70 // result of previous Login calls by the instance.

	71 //

	72 // The current user identity may be null if the instance is in logged out

	73 // state (see 'Logout').

	74 GetUsers() => (array<User> ids, User? current);
	gautham 2015/10/28 23:02:45 maybe call this GetAuthenticatedUsers or GetLogged maybe call this GetAuthenticatedUsers or GetLoggedInUsers Also, given that we have a GetUser() below do we need to return current here as part of this interface? ashankar 2015/10/30 02:24:13 +1. Also, is mojo style to have the "Get" prefix o Show quoted text On 2015/10/28 23:02:45, gautham wrote: > maybe call this GetAuthenticatedUsers or GetLoggedInUsers > > Also, given that we have a GetUser() below do we need to return current here as > part of this interface? +1. Also, is mojo style to have the "Get" prefix or do they generally do away with it? Basically, let's just stick with their convention (and maybe you are, I'm jus' sayin' :) ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/28 23:02:45, gautham wrote: > maybe call this GetAuthenticatedUsers or GetLoggedInUsers > > Also, given that we have a GetUser() below do we need to return current here as > part of this interface? Done.
	75

	76 // SetCurrentUser sets the provided identity as the current user identity of
	gautham 2015/10/28 23:02:45 SetCurrentUser sets the current user identity of t SetCurrentUser sets the current user identity of the calling application instance.... ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/28 23:02:45, gautham wrote: > SetCurrentUser sets the current user identity of the calling application > instance.... Done.
	77 // the calling application instance. The provided identity must be present in

	78 // the set of authenticated user identities for the application instance,

	79 // otherwise an error is returned.

	80 SetCurrentUser(User user) => (string? error);

	81

	82 // Logout sets the current user identity of the calling application instance

	83 // to null.

43 Logout();	84 Logout();
	ashankar 2015/10/30 02:24:13 Nit: Would re-order things so that related methods Nit: Would re-order things so that related methods are together: Login(); Logout() GetLoggedInUsers() SetCurrentUser() GetCurrentUser() ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/30 02:24:13, ashankar wrote: > Nit: Would re-order things so that related methods are together: > > Login(); > Logout() > GetLoggedInUsers() > > SetCurrentUser() > GetCurrentUser() Done.
44	85

45 // GetUserBlessing returns the user blessing for a given application instance.	86 // GetUser returns the current user identity for a given application instance.

46 // It returns an error if the application instance has not invoked Login().	87 // If a null application instance is provided then the current user identifier
	gautham 2015/10/28 23:02:45 identifier -> identity identifier -> identity ataly 2015/11/04 00:24:29 Done. Show quoted text On 2015/10/28 23:02:45, gautham wrote: > identifier -> identity Done.
47 GetUserBlessing(AppInstanceName app) => (Blessing? user_blessing);	88 // of the calling application instance is returned.

	89 //

	90 // Returns null if the application instance has not invoked Login.
	gautham 2015/10/28 23:02:45 Returns null if the application instance is in log Returns null if the application instance is in logged out state (see 'Logout'). ataly 2015/11/04 00:24:30 Done. Show quoted text On 2015/10/28 23:02:45, gautham wrote: > Returns null if the application instance is in logged out state (see 'Logout'). Done.
	91 GetUser(AppInstanceName? app) => (User? user);
	gautham 2015/10/28 23:02:45 GetUser -> GetCurrentUser given that we have SetCu GetUser -> GetCurrentUser given that we have SetCurrentUser. ataly 2015/11/04 00:24:29 Since we renamed GetUsers to GetLoggedInUsers, I r Since we renamed GetUsers to GetLoggedInUsers, I renamed SetCurrentUser to SetUser.
48 };	92 };

49

OLD	NEW

« examples/bank_app/customer.cc ('K') | « examples/bank_app/customer.cc ('k') | services/vanadium/security/BUILD.gn » ('j') | services/vanadium/security/conventions.go » ('J')