// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
module ash.auth.mojom;
// This module defines interfaces to query properties of and configure
// authentication factors. The interfaces are implemented by services running
// on ash-chrome and intended to be consumed by the following webuis:
// * chrome://os-settings
// * chrome://oobe
//
// Since both the service implementations and the clients are part of
// ash-chrome, the interfaces are not guaranteed to remain stable between
// versions.
//
// The interfaces exposed here are intended as replacement for the
// quickUnlockPrivate extension API. Most methods take an |auth_token|
// parameter, which can be obtained via |quickUnlockPrivate.getAuthToken|.
// An enumeration of all authentication factors.
enum AuthFactor {
kRecovery,
kPin,
kGaiaPassword,
kLocalPassword,
// TODO(crbug.com/1327627): Add support for other authentication factors:
// kFingerprint,
};
// The type of a policy that can affect auth factor configuration.
enum ManagementType {
kNone,
kDevice,
kUser,
kChildRestriction,
};
// An interface for clients of |AuthFactorConfig| (see there for a list of
// clients) that need to be notified if configuration of auth factors changes.
interface FactorObserver {
// Called when the configuration of some |factor| changes.
OnFactorChanged(AuthFactor factor);
};
// An interface to query generic properties of how authentication factors are
// configured. Served from chrome ash, intended to be consumed by the following
// webuis:
// * chrome://os-settings
// * chrome://oobe
interface AuthFactorConfig {
// Registers an observer that is called whenever authentication factor
// configuration changes.
ObserveFactorChanges(pending_remote<FactorObserver> observer);
// Checks whether |factor| is supported for the current user and device, e.g.
// if there is a fingerprint sensor.
IsSupported(string auth_token, AuthFactor factor) => (bool supported);
// Checks whether |factor| is configured, e.g. if the user has set up at least
// one fingerprint.
IsConfigured(string auth_token, AuthFactor factor) => (bool configured);
// Retrieves how |factor| is managed (if at all), e.g. in case there is a
// policy for minimum PIN length.
GetManagementType(string auth_token, AuthFactor factor) =>
(ManagementType management);
// Checks whether the user can configure |factor|. Is false if the factor is
// not supported or e.g. a policy forces |factor| to be enabled/disabled.
IsEditable(string auth_token, AuthFactor factor) => (bool editable);
};
// Returned from various operations that change ("configure") something about
// an auth factor.
enum ConfigureResult {
// The configuration operation was successful.
kSuccess,
// Returned if the token used to access configuration was invalid. Clients
// should obtain a new token before trying again.
kInvalidTokenError,
// Returned if the client uses the API incorrectly or the backend could not
// process the request.
kFatalError,
};
// Interface for methods specific to recovery authentication. Served from chrome
// ash, intended to be consumed by the following webuis:
// * chrome://os-settings
// * chrome://oobe
interface RecoveryFactorEditor {
// Enables or disables recovery authentication. Clients must not attempt to
// enable recovery if recovery is not editable. Enabling recovery when it is
// already enabled is a no-op and succeeds; similarly for disabling.
Configure(string auth_token, bool enabled) => (ConfigureResult result);
};
// Interface for methods specific to pin authentication. Served from chrome
// ash, intended to be consumed by the following webuis:
// * chrome://os-settings
// * chrome://oobe
interface PinFactorEditor {
// Set the user pin to the desired value.
SetPin(string auth_token, string pin) => (ConfigureResult result);
// Remove the pin factor for the user.
RemovePin(string auth_token) => (ConfigureResult result);
};
// A value describing the complexity of a password.
enum PasswordComplexity {
kOk,
kTooShort,
};
// Interface for methods specific to password authentication. Served from chrome
// ash, intended to be consumed by the following trusted webuis:
//
// * chrome://os-settings
// * chrome://oobe
//
// The chrome ash implementation calls into the cryptohomed system daemon via
// the UserDataAuth.proto Dbus API to affect the desired changes to the user's
// authentication factors. Since the UserDataAuth API distinguishes between
// adding a non existing auth factor and updating an existing auth factor, we
// also make this distinction in this interface.
interface PasswordFactorEditor {
// Updates the user's password to the local password with the desired value.
// This assumes that the user has a password factor set up (either local or
// Gaia). Callers must provide a sufficiently complex password. A password
// is considered sufficiently complex if the `CheckLocalPasswordComplexity`
// call returns `kOk` for the password.
UpdateLocalPassword(string auth_token, string new_password) =>
(ConfigureResult result);
// Updates the user's cryptohoome password to match their online password.
// This assumes that the user has an online password factor set up.
UpdateOnlinePassword(string auth_token, string new_password) =>
(ConfigureResult result);
// Sets the user's local password to the desired value. This assumes that the
// user has no password set up yet. Callers must provide a sufficiently
// complex password. A password is considered sufficiently complex if
// the `CheckLocalPasswordComplexity` call returns `kOk` for the password.
SetLocalPassword(string auth_token, string new_password) =>
(ConfigureResult result);
// Sets the user's cryptohome password to match their online password.
// This assumes that the user has no online password set up yet.
SetOnlinePassword(string auth_token, string new_password) =>
(ConfigureResult result);
// Returns a value describing the complexity of the provided password value.
CheckLocalPasswordComplexity(string password) =>
(PasswordComplexity complexity);
};