blob: a1f9399d909a3063887942a55b5025b8899be112 [file] [log] [blame]
Hasini Gunasinghe9ec096c2020-11-17 00:45:44 +00001// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module defines the AuthTokenHandler enum and its methods. AuthTokenHandler enum represents
16//! the different states an auth token and an associated verification token can be expressed during
17//! the operation life cycle.
Hasini Gunasinghe9ec096c2020-11-17 00:45:44 +000018use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
19 HardwareAuthToken::HardwareAuthToken, VerificationToken::VerificationToken,
20};
21use anyhow::{Context, Result};
22use std::sync::mpsc::Receiver;
23
24/// AuthTokenHandler enum has five different variants which are described by the comments above
Hasini Gunasinghe888dd352020-11-17 23:08:39 +000025// each variant, as follows.
26#[derive(Debug)]
Hasini Gunasinghe9ec096c2020-11-17 00:45:44 +000027pub enum AuthTokenHandler {
28 /// Used when an operation does not require an auth token for authorization.
29 NoAuthRequired,
30 /// Used to represent the intermediate state between the time the operation is found to be
31 /// requiring per-op auth and the time the auth token for the operation is found.
32 OpAuthRequired,
33 /// Used to represent the intermediate state between the time the operation is found to be
34 /// using a time_out key with STRONGBOX keymint, and the time a verficiation token is requested
35 /// from the worker thread which obtains verification tokens from the TEE KeyMint.
36 VerificationRequired(HardwareAuthToken),
37 /// Used to represent the intermediate state between the time a verification token is requested
38 /// from the worker thread which obtains verification tokens from the TEE KeyMint and the time
39 /// the verification token is received from the worker thread.
40 Channel(Receiver<(HardwareAuthToken, VerificationToken)>),
41 /// Used to represent the final state for all operations requiring an auth token for
42 /// authorization, after the matching auth token (and the associated verification token if
43 /// required) is found.
44 Token(HardwareAuthToken, Option<VerificationToken>),
45}
46
47impl AuthTokenHandler {
Hasini Gunasinghe9ec096c2020-11-17 00:45:44 +000048 /// If Channel variant, block on it until the verification token is sent by the
Hasini Gunasinghe888dd352020-11-17 23:08:39 +000049 /// keystore2 worker thread which obtains verification tokens from TEE Keymint and converts the
50 /// object from Channel variant to Token variant.
51 /// Retrieve auth token and verification token from the Token variant of an AuthTokenHandler
52 /// instance.
53 pub fn retrieve_auth_and_verification_tokens(
54 &mut self,
55 ) -> Result<(Option<&HardwareAuthToken>, Option<&VerificationToken>)> {
56 // Converts to Token variant if Channel variant found, after retrieving the
57 // VerificationToken
Hasini Gunasinghe9ec096c2020-11-17 00:45:44 +000058 if let AuthTokenHandler::Channel(recv) = self {
59 let (auth_token, verification_token) =
60 recv.recv().context("In receive_verification_token: sender disconnected.")?;
61 *self = AuthTokenHandler::Token(auth_token, Some(verification_token));
Hasini Gunasinghe888dd352020-11-17 23:08:39 +000062 }
63 // get the tokens from the Token variant
64 if let AuthTokenHandler::Token(auth_token, optional_verification_token) = self {
65 Ok((Some(auth_token), optional_verification_token.as_ref()))
Hasini Gunasinghe9ec096c2020-11-17 00:45:44 +000066 } else {
Hasini Gunasinghe888dd352020-11-17 23:08:39 +000067 Ok((None, None))
68 }
69 }
70
71 /// Retrieve auth token from VerificationRequired and Token variants of an
72 /// AuthTokenHandler instance. This method is useful when we only expect an auth token and
73 /// do not expect a verification token.
74 pub fn get_auth_token(&self) -> Option<&HardwareAuthToken> {
75 match self {
76 AuthTokenHandler::VerificationRequired(auth_token) => Some(auth_token),
77 AuthTokenHandler::Token(auth_token, _) => Some(auth_token),
78 _ => None,
Hasini Gunasinghe9ec096c2020-11-17 00:45:44 +000079 }
80 }
81}