/usr/include/signond/credentialsaccessmanager.h is in signond-dev 8.56+14.04.20140307-0ubuntu2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 | /* -*- Mode: C++; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* This file is part of signon
*
* Copyright (C) 2009-2010 Nokia Corporation.
*
* Contact: Aurel Popirtac <mailto:ext-Aurel.Popirtac@nokia.com>
* Contact: Alberto Mardegan <alberto.mardegan@canonical.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* version 2.1 as published by the Free Software Foundation.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA
*/
/*!
@file credentialsaccessmanager.h
Definition of the CredentialsAccessManager object.
@ingroup Accounts_and_SSO_Framework
*/
#ifndef CREDENTIALS_ACCESS_MANAGER_H
#define CREDENTIALS_ACCESS_MANAGER_H
#include "accesscontrolmanagerhelper.h"
#include "credentialsdb.h"
#include "signonui_interface.h"
#include <QObject>
#include <QPointer>
#include <QFlags>
#include <QStringList>
#include <QVariantMap>
#include "SignOn/AbstractAccessControlManager"
#include "SignOn/AbstractCryptoManager"
#include "SignOn/AbstractKeyAuthorizer"
#include "SignOn/AbstractKeyManager"
#include "SignOn/AbstractSecretsStorage"
#include "SignOn/KeyHandler"
/*!
* @def SIGNON_SECURE_STORAGE_NOT_AVAILABLE
* Use this event type to signal the CAM when the secure storage is not
* available. CAM can also reply with a event of this type if it doesn't manage
* to resolve the secure storage access.
* @sa SecureStorageEvent
*/
#define SIGNON_SECURE_STORAGE_NOT_AVAILABLE (QEvent::User + 1001)
/*!
* @def SIGNON_SECURE_STORAGE_AVAILABLE
* The CAM will reply with an event of this type when the secure storage access
* will be successfully resolved.
* @sa SecureStorageEvent
*/
#define SIGNON_SECURE_STORAGE_AVAILABLE (QEvent::User + 1002)
/**
* Manager access to the Credentials DB - synchronized singleton available
* everywhere in the Authentication Core module.
*/
namespace SignonDaemonNS {
/*!
* @typedef EventSender Guarded pointer for event sending objects.
*/
typedef QPointer<QObject> EventSender;
/*!
* @class SecureStorageEvent
* Any object in the signon framework that needs the CredentialsAccessManager -
* CAM - secure storage in order to function properly can signal this event to
* the CAM.
* The object posting this event should reimplement the
* QObject::customEvent(QEvent *event) method and handle response events of the
* same type coming from the CAM upon success/failure in resolving access to
* the secure storage.
* @sa SIGNON_SECURE_STORAGE_NOT_AVAILABLE
* @sa SIGNON_SECURE_STORAGE_AVAILABLE
*/
class SecureStorageEvent: public QEvent
{
public:
SecureStorageEvent(QEvent::Type type): QEvent(type), m_sender(0) {}
EventSender m_sender; /*! << The sender object of the event. */
};
/*!
* @class CAMConfiguration
* Configuration object for the CredentialsAccessManager - CAM.
* @ingroup Accounts_and_SSO_Framework
*/
struct CAMConfiguration
{
/*!
* Constructs a CAMConfiguration object with the default configuration -
* encryption in use.
*/
CAMConfiguration();
/*!
* Serializes the CAMConfiguration object as string to a specific IODevice.
* @param device, must not be null.
*/
void serialize(QIODevice *device);
/*!
* Returns the path to the metadata DB.
*/
QString metadataDBPath() const;
/*!
* Returns the name of the CryptoManager to use.
*/
QString cryptoManagerName() const;
/*!
* Returns the name of the AccessControlManager to use.
*/
QString accessControlManagerName() const;
bool useEncryption() const;
/*!
* Returns the name of the SecretsStorage to use.
*/
QString secretsStorageName() const;
void setStoragePath(const QString &storagePath);
void addSetting(const QString &key, const QVariant &value) {
m_settings.insert(key, value);
}
QString m_storagePath; /*!< The base directory for storage. */
QString m_dbName; /*!< The database file name. */
QString m_secretsDbName; /*!< The credentials database file name. */
QByteArray m_encryptionPassphrase; /*!< Passphrase used for opening
encrypted FS. */
QVariantMap m_settings;
};
/*!
* @enum, error reported by the CAM via the lastError() method.
*/
enum CredentialsAccessError {
NoError = 0,
NotInitialized,
AlreadyInitialized,
AccessCodeHandlerInitFailed,
AccessCodeNotReady,
FailedToFetchAccessCode,
AccessCodeInvalid,
EncryptionInUse,
CredentialsDbSetupFailed,
CredentialsDbMountFailed,
CredentialsDbUnmountFailed,
CredentialsDbDeletionFailed,
CredentialsDbAlreadyDeployed,
CredentialsDbAlreadyMounted,
CredentialsDbNotMounted,
CredentialsDbConnectionError,
CredentialsDbSqlError,
UnknownError
};
/*!
* @class CredentialsAccessManager
* Main singleton and manager object of the credentials database system.
* Offers access to the CredentialsDB and AccessControl objects, using a
* specific configuration (e.g. Access to a SQL database created on an
* encrypted file system which is mounted by this system).
* Most calls of this object's methods return false or NULL in case of failure;
* the specific error code can be retrieved by calling the lastError() method.
* @ingroup Accounts_and_SSO_Framework
* @sa CredentialsDB
* @sa AccessControl
* @sa AccessCodeHandler
* @sa AbstractCryptoManager
*/
class CredentialsAccessManager: public QObject
{
Q_OBJECT
/*!
* @enum KeySwapAuthorizingMech
* Core key authorization is performed through key swapping mechanisms.
* This feature becomes available when the number of inserted authorized
* keys reaches `0`.
* - If the mechanism is `Disabled`, signon core will attemp authorizing
* keys only through available AbstractKeyManager implementations that
* support key authorization.
* - If the mechanism is `AuthorizedKeyRemovedFirst`, signon core will
* attempt authorization of a newly inserted key using its internal
* already authorized keys collection.
* - If the mechanism is `UnauthorizedKeyRemovedFirst`, signon core will
* attempt authorization of a previously disabled unauthorized key, if
* the last physically inserted key is already authorized. In this case
* the disabled unauthorized key was cached when disabled, prior to its
* authorization.
*/
enum KeySwapAuthorizingMech {
Disabled = 0, /**< Signon core does not authorize keys. */
AuthorizedKeyRemovedFirst, /**< The key swap order is as suggested. */
UnauthorizedKeyRemovedFirst /**< The key swap order is as suggested. */
};
/*!
* @enum StorageUiCleanupFlag
* Specific options for cleaning up resources upon secure storage UI closure.
* @sa KeySwapAuthorizingMech
*/
enum StorageUiCleanupFlag {
NoFlags = 0, /**< No flags. */
DisableCoreKeyAuthorization /**< Disable any core key authorization
mechanism and clears any unauthorized
cached key that is not physically
inserted into the device. */
};
Q_DECLARE_FLAGS(StorageUiCleanupFlags, StorageUiCleanupFlag)
public:
/*!
* Constructs a CredentialsAccessManager object with the given parent.
* @param configuration The configuration to use.
* @param parent A parent QObject.
*/
CredentialsAccessManager(const CAMConfiguration &configuration,
QObject *parent = 0);
/*!
* Destroys a CredentialsAccessManager.
* Closes the credentials access system
* - closes the database connection
* - unmounts the dedicated encrypted filesystem, if in use.
*/
~CredentialsAccessManager();
/*!
* Returns CAM instance.
*/
static CredentialsAccessManager *instance();
/*!
* Initializes the CAM instance.
* If encryption is in use, this will start the key managers and create the
* CryptoManager object, preparing everything for the mounting of the
* encrypted file system.
*/
bool init();
/*!
* Finalizes the CAM instance, this could include, closing the credentials
* system and resetting the configuration. After this call the CAM needs to
* be reinitialized.
*/
void finalize();
/*!
* Adds a key manager. This method must be called before init().
* @param keyManager The key manager to add.
*/
void addKeyManager(SignOn::AbstractKeyManager *keyManager);
/*!
* Initializes know objects from an extension plugin.
* @param extension A signon extension plugin.
*
* @returns True if the extension provides objects that the CAM is using.
*/
bool initExtension(QObject *object);
QStringList backupFiles() const;
/*!
* Opens the credentials system, creates the CreadentialsDB object; if
* encryption is configured this will also mount the encrypted file system,
* based on the AccessControlHandler obtained keys.
* First call of this method on a specific platform also does the
* formatting prior to the effective opening.
*
* @returns true on success, false otherwise. Call lastError() to get
* the error code.
*/
bool openCredentialsSystem();
/*!
* Closes the credentials system
* - closes the database connection
* - if encryption is in use, unmounts the encrypted file system
* This is also called by the destructor.
*
* @returns true on success, false otherwise. Call lastError() to get the
* error code.
*/
bool closeCredentialsSystem();
/*!
* Deletes the credentials system.
* - deletes the credentials database
* - if encryption is in use the encrypted file system will be deleted
* @warning use this carefully. Upon successful completion this call
* deletes all the stored credentials.
*
* @returns true on success, false otherwise. Call lastError() to get the
* error code.
*/
bool deleteCredentialsSystem();
/*!
* For convenience method.
* @returns true if the credentials system is opened, false otherwise.
*/
bool credentialsSystemOpened() const { return m_systemOpened; }
/*!
* The creadentials system is ready when all of the subscribed key managers
* have successfully reported all of the inserted keys. The credentials
* system can be ready while at the same time the secure storage is not
* opened.
*
* @returns true if the credentials system is ready, false otherwise.
*/
bool isCredentialsSystemReady() const;
/*!
* @returns the credentials database object.
*/
CredentialsDB *credentialsDB() const;
/*!
* @returns the CAM in use configuration.
*/
const CAMConfiguration &configuration() const { return m_CAMConfiguration; }
/*!
* @sa CredentialsAccessError
* @returns the last CAM's internally reported error.
*/
CredentialsAccessError lastError() const { return m_error; }
/*!
* The CAM manages the encryption keys collection.
* @returns whether the CAM detected any encryption keys or not.
*/
bool keysAvailable() const;
Q_SIGNALS:
/*!
* Is emitted when the credentials system becomes ready.
*/
void credentialsSystemReady();
private Q_SLOTS:
void onKeyInserted(const SignOn::Key key);
void onLastAuthorizedKeyRemoved(const SignOn::Key key);
void onKeyRemoved(const SignOn::Key key);
void onKeyAuthorizationQueried(const SignOn::Key, int);
void onEncryptedFSMounted();
void onEncryptedFSUnmounting();
protected:
void customEvent(QEvent *event);
private:
bool createStorageDir();
bool openSecretsDB();
bool isSecretsDBOpen();
bool closeSecretsDB();
bool openMetaDataDB();
void closeMetaDataDB();
void replyToSecureStorageEventNotifiers();
private:
static CredentialsAccessManager *m_pInstance;
bool m_isInitialized;
bool m_systemOpened;
/* Flag indicating whether the system is ready or not.
* Currently the system is ready when all of the key managers have
* successfully reported all of the inserted keys.
*/
mutable CredentialsAccessError m_error;
QList<SignOn::AbstractKeyManager *> keyManagers;
CredentialsDB *m_pCredentialsDB;
SignOn::AbstractCryptoManager *m_cryptoManager;
SignOn::KeyHandler *m_keyHandler;
SignOn::AbstractKeyAuthorizer *m_keyAuthorizer;
SignOn::AbstractSecretsStorage *m_secretsStorage;
CAMConfiguration m_CAMConfiguration;
SignOn::AbstractAccessControlManager *m_acManager;
AccessControlManagerHelper *m_acManagerHelper;
/* List of all the senders of a SecureStorageEvent. */
QList<EventSender> m_secureStorageEventNotifiers;
};
} //namespace SignonDaemonNS
#endif // CREDENTIALS_ACCESS_MANAGER_H
|