File: authenticator.h

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (141 lines) | stat: -rw-r--r-- 5,110 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_ASH_CHILD_ACCOUNTS_PARENT_ACCESS_CODE_AUTHENTICATOR_H_
#define CHROME_BROWSER_ASH_CHILD_ACCOUNTS_PARENT_ACCESS_CODE_AUTHENTICATOR_H_

#include <memory>
#include <optional>
#include <ostream>
#include <string>

#include "base/time/time.h"
#include "base/values.h"
#include "components/account_id/account_id.h"

namespace ash::parent_access {

// Configuration used to generate and verify parent access code.
class AccessCodeConfig {
 public:
  // Returns AccessCodeConfig created from a |dictionary|, if the |dictionary|
  // contains valid config data.
  static std::optional<AccessCodeConfig> FromDictionary(
      const base::Value::Dict& dictionary);

  // TODO(agawronska): Make constructor private.
  // To create valid AccessCodeConfig:
  // * |shared_secret| cannot be empty
  // * |code_validity| needs to be in between 30s and 3600s
  // * |clock_drift_tolerance| needs to be between 0 and 1800s
  // The above restrictions are applied to AccessCodeConfig policy that is the
  // main source of this configuration.
  AccessCodeConfig(const std::string& shared_secret,
                   base::TimeDelta code_validity,
                   base::TimeDelta clock_drift_tolerance);
  AccessCodeConfig(AccessCodeConfig&&);
  AccessCodeConfig& operator=(AccessCodeConfig&&);

  AccessCodeConfig(const AccessCodeConfig&) = delete;
  AccessCodeConfig& operator=(const AccessCodeConfig&) = delete;

  ~AccessCodeConfig();

  // Secret shared between child and parent devices.
  const std::string& shared_secret() const { return shared_secret_; }

  // Time that access code is valid for.
  base::TimeDelta code_validity() const { return code_validity_; }

  // The allowed difference between the clock on child and parent devices.
  base::TimeDelta clock_drift_tolerance() const {
    return clock_drift_tolerance_;
  }

  // Converts the AccessCodeConfig object to its dictionary equivalent.
  base::Value::Dict ToDictionary() const;

 private:
  std::string shared_secret_;
  base::TimeDelta code_validity_;
  base::TimeDelta clock_drift_tolerance_;
};

// Parent access code that can be used to authorize various actions on child
// user's device.
// Typical lifetime of the code is 10 minutes and clock difference between
// generating and validating device is half of the code lifetime. Clock
// difference is accounted for during code validation.
class AccessCode {
 public:
  // To create valid AccessCode:
  // * |code| needs to be 6 characters long
  // * |valid_to| needs to be greater than |valid_from|
  AccessCode(const std::string& code,
             base::Time valid_from,
             base::Time valid_to);
  AccessCode(const AccessCode&);
  AccessCode& operator=(const AccessCode&);
  ~AccessCode();

  // Parent access code.
  const std::string& code() const { return code_; }

  // Code validity start time.
  base::Time valid_from() const { return valid_from_; }

  // Code expiration time.
  base::Time valid_to() const { return valid_to_; }

  friend bool operator==(const AccessCode&, const AccessCode&) = default;
  friend std::ostream& operator<<(std::ostream&, const AccessCode&);

 private:
  std::string code_;
  base::Time valid_from_;
  base::Time valid_to_;
};

// Generates and validates parent access codes.
// Does not support timestamp from before Unix Epoch.
class Authenticator {
 public:
  // Granularity of which generation and verification of access code are carried
  // out. Should not exceed code validity period.
  static constexpr base::TimeDelta kAccessCodeGranularity = base::Minutes(1);

  explicit Authenticator(AccessCodeConfig config);

  Authenticator(const Authenticator&) = delete;
  Authenticator& operator=(const Authenticator&) = delete;

  ~Authenticator();

  // Generates parent access code from the given |timestamp|. Returns the code
  // if generation was successful. |timestamp| needs to be greater or equal Unix
  // Epoch.
  std::optional<AccessCode> Generate(base::Time timestamp) const;

  // Returns AccessCode structure with validity information, if |code| is
  // valid for the given timestamp. |timestamp| needs to be greater or equal
  // Unix Epoch.
  std::optional<AccessCode> Validate(const std::string& code,
                                     base::Time timestamp) const;

 private:
  // Returns AccessCode structure with validity information, if |code| is valid
  // for the range [|valid_from|, |valid_to|). |valid_to| needs to be greater or
  // equal to |valid_from|. |valid_from| needs to be greater or equal Unix
  // Epoch.
  std::optional<AccessCode> ValidateInRange(const std::string& code,
                                            base::Time valid_from,
                                            base::Time valid_to) const;

  // Configuration used to generate and validate parent access code.
  const AccessCodeConfig config_;
};

}  // namespace ash::parent_access

#endif  // CHROME_BROWSER_ASH_CHILD_ACCOUNTS_PARENT_ACCESS_CODE_AUTHENTICATOR_H_