1 // Copyright 2015 The Weave Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef LIBWEAVE_SRC_PRIVET_AUTH_MANAGER_H_ 6 #define LIBWEAVE_SRC_PRIVET_AUTH_MANAGER_H_ 7 8 #include <deque> 9 #include <string> 10 #include <vector> 11 12 #include <base/gtest_prod_util.h> 13 #include <base/time/default_clock.h> 14 #include <base/time/time.h> 15 #include <weave/error.h> 16 17 #include "src/privet/privet_types.h" 18 19 namespace weave { 20 21 class Config; 22 enum class RootClientTokenOwner; 23 24 namespace privet { 25 26 class AuthManager { 27 public: 28 AuthManager(Config* config, 29 const std::vector<uint8_t>& certificate_fingerprint); 30 31 // Constructor for tests. 32 AuthManager(const std::vector<uint8_t>& auth_secret, 33 const std::vector<uint8_t>& certificate_fingerprint, 34 const std::vector<uint8_t>& access_secret, 35 base::Clock* clock = nullptr); 36 ~AuthManager(); 37 38 std::vector<uint8_t> CreateAccessToken(const UserInfo& user_info, 39 base::TimeDelta ttl) const; 40 41 bool ParseAccessToken(const std::vector<uint8_t>& token, 42 UserInfo* user_info, 43 ErrorPtr* error) const; 44 GetAuthSecret()45 const std::vector<uint8_t>& GetAuthSecret() const { return auth_secret_; } GetAccessSecret()46 const std::vector<uint8_t>& GetAccessSecret() const { return access_secret_; } GetCertificateFingerprint()47 const std::vector<uint8_t>& GetCertificateFingerprint() const { 48 return certificate_fingerprint_; 49 } 50 51 base::Time Now() const; 52 53 std::vector<uint8_t> ClaimRootClientAuthToken(RootClientTokenOwner owner, 54 ErrorPtr* error); 55 bool ConfirmClientAuthToken(const std::vector<uint8_t>& token, 56 ErrorPtr* error); 57 58 std::vector<uint8_t> GetRootClientAuthToken(RootClientTokenOwner owner) const; 59 bool IsValidAuthToken(const std::vector<uint8_t>& token, 60 ErrorPtr* error) const; 61 bool CreateAccessTokenFromAuth(const std::vector<uint8_t>& auth_token, 62 base::TimeDelta ttl, 63 std::vector<uint8_t>* access_token, 64 AuthScope* access_token_scope, 65 base::TimeDelta* access_token_ttl, 66 ErrorPtr* error) const; 67 68 void SetAuthSecret(const std::vector<uint8_t>& secret, 69 RootClientTokenOwner owner); 70 71 std::string CreateSessionId() const; 72 bool IsValidSessionId(const std::string& session_id) const; 73 74 private: 75 friend class AuthManagerTest; 76 77 // Test helpers. Device does not need to implement delegation. 78 std::vector<uint8_t> DelegateToUser(const std::vector<uint8_t>& token, 79 base::TimeDelta ttl, 80 const UserInfo& user_info) const; 81 82 Config* config_{nullptr}; // Can be nullptr for tests. 83 base::DefaultClock default_clock_; 84 base::Clock* clock_{&default_clock_}; 85 mutable uint32_t session_counter_{0}; 86 87 std::vector<uint8_t> auth_secret_; // Persistent. 88 std::vector<uint8_t> certificate_fingerprint_; 89 std::vector<uint8_t> access_secret_; // New on every reboot. 90 91 std::deque<std::pair<std::unique_ptr<AuthManager>, RootClientTokenOwner>> 92 pending_claims_; 93 94 DISALLOW_COPY_AND_ASSIGN(AuthManager); 95 }; 96 97 } // namespace privet 98 } // namespace weave 99 100 #endif // LIBWEAVE_SRC_PRIVET_AUTH_MANAGER_H_ 101