chromium/chromeos/ash/services/auth_factor_config/public/mojom/auth_factor_config.mojom

// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

module ash.auth.mojom;

// This module defines interfaces to query properties of and configure
// authentication factors. The interfaces are implemented by services running
// on ash-chrome and intended to be consumed by the following webuis:
// * chrome://os-settings
// * chrome://oobe
//
// Since both the service implementations and the clients are part of
// ash-chrome, the interfaces are not guaranteed to remain stable between
// versions.
//
// The interfaces exposed here are intended as replacement for the
// quickUnlockPrivate extension API. Most methods take an |auth_token|
// parameter, which can be obtained via |quickUnlockPrivate.getAuthToken|.

// An enumeration of all authentication factors.
enum AuthFactor {
  kRecovery,
  kPin,
  kGaiaPassword,
  kLocalPassword,
  // TODO(crbug.com/1327627): Add support for other authentication factors:
  // kFingerprint,
};

// The type of a policy that can affect auth factor configuration.
enum ManagementType {
  kNone,
  kDevice,
  kUser,
  kChildRestriction,
};

// An interface for clients of |AuthFactorConfig| (see there for a list of
// clients) that need to be notified if configuration of auth factors changes.
interface FactorObserver {
  // Called when the configuration of some |factor| changes.
  OnFactorChanged(AuthFactor factor);
};

// An interface to query generic properties of how authentication factors are
// configured. Served from chrome ash, intended to be consumed by the following
// webuis:
// * chrome://os-settings
// * chrome://oobe
interface AuthFactorConfig {
  // Registers an observer that is called whenever authentication factor
  // configuration changes.
  ObserveFactorChanges(pending_remote<FactorObserver> observer);

  // Checks whether |factor| is supported for the current user and device, e.g.
  // if there is a fingerprint sensor.
  IsSupported(string auth_token, AuthFactor factor) => (bool supported);

  // Checks whether |factor| is configured, e.g. if the user has set up at least
  // one fingerprint.
  IsConfigured(string auth_token, AuthFactor factor) => (bool configured);

  // Retrieves how |factor| is managed (if at all), e.g. in case there is a
  // policy for minimum PIN length.
  GetManagementType(string auth_token, AuthFactor factor) =>
      (ManagementType management);

  // Checks whether the user can configure |factor|. Is false if the factor is
  // not supported or e.g. a policy forces |factor| to be enabled/disabled.
  IsEditable(string auth_token, AuthFactor factor) => (bool editable);
};

// Returned from various operations that change ("configure") something about
// an auth factor.
enum ConfigureResult {
  // The configuration operation was successful.
  kSuccess,
  // Returned if the token used to access configuration was invalid. Clients
  // should obtain a new token before trying again.
  kInvalidTokenError,
  // Returned if the client uses the API incorrectly or the backend could not
  // process the request.
  kFatalError,
};

// Interface for methods specific to recovery authentication. Served from chrome
// ash, intended to be consumed by the following webuis:
// * chrome://os-settings
// * chrome://oobe
interface RecoveryFactorEditor {
  // Enables or disables recovery authentication. Clients must not attempt to
  // enable recovery if recovery is not editable. Enabling recovery when it is
  // already enabled is a no-op and succeeds; similarly for disabling.
  Configure(string auth_token, bool enabled) => (ConfigureResult result);
};

// Interface for methods specific to pin authentication. Served from chrome
// ash, intended to be consumed by the following webuis:
// * chrome://os-settings
// * chrome://oobe
interface PinFactorEditor {
  // Set the user pin to the desired value.
  SetPin(string auth_token, string pin) => (ConfigureResult result);
  // Remove the pin factor for the user.
  RemovePin(string auth_token) => (ConfigureResult result);
};

// A value describing the complexity of a password.
enum PasswordComplexity {
  kOk,
  kTooShort,
};

// Interface for methods specific to password authentication. Served from chrome
// ash, intended to be consumed by the following trusted webuis:
//
// * chrome://os-settings
// * chrome://oobe
//
// The chrome ash implementation calls into the cryptohomed system daemon via
// the UserDataAuth.proto Dbus API to affect the desired changes to the user's
// authentication factors. Since the UserDataAuth API distinguishes between
// adding a non existing auth factor and updating an existing auth factor, we
// also make this distinction in this interface.
interface PasswordFactorEditor {
  // Updates the user's password to the local password with the desired value.
  // This assumes that the user has a password factor set up (either local or
  // Gaia). Callers must provide a sufficiently complex password. A password
  // is considered sufficiently complex if the `CheckLocalPasswordComplexity`
  // call returns `kOk` for the password.
  UpdateLocalPassword(string auth_token, string new_password) =>
      (ConfigureResult result);

  // Updates the user's cryptohoome password to match their online password.
  // This assumes that the user has an online password factor set up.
  UpdateOnlinePassword(string auth_token, string new_password) =>
      (ConfigureResult result);

  // Sets the user's local password to the desired value. This assumes that the
  // user has no password set up yet. Callers must provide a sufficiently
  // complex password. A password is considered sufficiently complex if
  // the `CheckLocalPasswordComplexity` call returns `kOk` for the password.
  SetLocalPassword(string auth_token, string new_password) =>
      (ConfigureResult result);

  // Sets the user's cryptohome password to match their online password.
  // This assumes that the user has no online password set up yet.
  SetOnlinePassword(string auth_token, string new_password) =>
      (ConfigureResult result);

  // Returns a value describing the complexity of the provided password value.
  CheckLocalPasswordComplexity(string password) =>
      (PasswordComplexity complexity);
};