bug 1498351 - add interface to allow OS-specific user re-authentication r=franziskus

This patch introduces the interface with a stub implementation that does
nothing. Follow-up bugs will add platform-specific implementations.

Differential Revision: https://phabricator.services.mozilla.com/D8480

--HG--
extra : moz-landing-system : lando
Dana Keeler 2018-10-16 16:06:30 +00:00
Родитель b72d2fe05f
Коммит e7838236e8
11 изменённых файлов: 170 добавлений и 2 удалений


@ -235,7 +235,7 @@ OSKeyStore::GetIsNSSKeyStore(bool* aNSSKeyStore)
// Async interfaces that return promises because the key store implementation
// might block, e.g. asking for a password.
static nsresult
nsresult
GetPromise(JSContext* aCx, /* out */ RefPtr<Promise>& aPromise)
{
nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
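Review bot: Dropping `static` gives `GetPromise` external linkage at global scope, and the matching declaration added to OSKeyStore.h sits outside any namespace or class, so a very generic name becomes visible to every translation unit that includes that header. A purpose-specific name or a namespace would reduce the chance of a collision or an accidental call to the wrong helper, for example `namespace mozilla { namespace psm { nsresult GetPromise(JSContext* aCx, /* out */ RefPtr<dom::Promise>& aPromise); } }`. The function body continues past the end of this hunk, so its behaviour is not reviewed here.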


@ -68,6 +68,8 @@ private:
#define NS_OSKEYSTORE_CID \
{ 0x57972956, 0x5718, 0x42d2, { 0x80, 0x70, 0xb3, 0xfc, 0x72, 0x21, 0x2e, 0xaf } }
nsresult GetPromise(JSContext* aCx, /* out */ RefPtr<mozilla::dom::Promise>& aPromise);
class OSKeyStore : public nsIOSKeyStore
{
public:


@ -0,0 +1,72 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "OSReauthenticator.h"
#include "OSKeyStore.h"
NS_IMPL_ISUPPORTS(OSReauthenticator, nsIOSReauthenticator)
using namespace mozilla;
using dom::Promise;
static nsresult
ReauthenticateUser(const nsACString& prompt, /* out */ bool& reauthenticated)
{
reauthenticated = false;
return NS_OK;
}
static void
BackgroundReauthenticateUser(RefPtr<Promise>& aPromise,
const nsACString& aPrompt)
{
nsAutoCString recovery;
bool reauthenticated;
nsresult rv = ReauthenticateUser(aPrompt, reauthenticated);
nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
"BackgroundReauthenticateUserResolve",
[rv, reauthenticated, aPromise = std::move(aPromise)]() {
if (NS_FAILED(rv)) {
aPromise->MaybeReject(rv);
} else {
aPromise->MaybeResolve(reauthenticated);
}
}));
NS_DispatchToMainThread(runnable.forget());
}
NS_IMETHODIMP
OSReauthenticator::AsyncReauthenticateUser(const nsACString& aPrompt,
JSContext* aCx,
Promise** promiseOut)
{
NS_ENSURE_ARG_POINTER(aCx);
RefPtr<Promise> promiseHandle;
nsresult rv = GetPromise(aCx, promiseHandle);
if (NS_FAILED(rv)) {
return rv;
}
nsCOMPtr<nsIRunnable> runnable(
NS_NewRunnableFunction("BackgroundReauthenticateUser",
[promiseHandle, aPrompt = nsAutoCString(aPrompt)]() mutable {
BackgroundReauthenticateUser(promiseHandle, aPrompt);
}
)
);
nsCOMPtr<nsIThread> thread;
rv = NS_NewNamedThread(NS_LITERAL_CSTRING("ReauthenticateUserThread"),
getter_AddRefs(thread), runnable);
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
promiseHandle.forget(promiseOut);
return NS_OK;
}
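Review bot: `bool reauthenticated;` in BackgroundReauthenticateUser is left uninitialized and then copied into the lambda, so a correct result depends on every future `ReauthenticateUser` implementation writing the out-parameter on every path, including early error returns. An authentication result should fail closed by default: `bool reauthenticated = false;`. `nsAutoCString recovery;` in the same function is never used and can be dropped. The result of `NS_DispatchToMainThread(runnable.forget());` is also ignored; if that dispatch fails the promise is never settled and the caller waits indefinitely, so the call should at least be wrapped in `NS_WARN_IF(NS_FAILED(...))`.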


@ -0,0 +1,26 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef OSReauthenticator_h
#define OSReauthenticator_h
#include "nsIOSReauthenticator.h"
#define NS_OSREAUTHENTICATOR_CONTRACTID "@mozilla.org/security/osreauthenticator;1"
#define NS_OSREAUTHENTICATOR_CID \
{ 0x4fe082ae, 0x6ff0, 0x4b41, { 0xb2, 0x4f, 0xea, 0xa6, 0x64, 0xf6, 0xe4, 0x6a } }
class OSReauthenticator : public nsIOSReauthenticator
{
public:
NS_DECL_THREADSAFE_ISUPPORTS
NS_DECL_NSIOSREAUTHENTICATOR
private:
virtual ~OSReauthenticator() = default;
};
#endif // OSReauthenticator_h


@ -26,6 +26,7 @@ XPIDL_SOURCES += [
'nsINSSErrorsService.idl',
'nsINSSVersion.idl',
'nsIOSKeyStore.idl',
'nsIOSReauthenticator.idl',
'nsIPK11Token.idl',
'nsIPK11TokenDB.idl',
'nsIPKCS11Module.idl',
@ -126,6 +127,7 @@ UNIFIED_SOURCES += [
'nsSSLSocketProvider.cpp',
'nsTLSSocketProvider.cpp',
'OSKeyStore.cpp',
'OSReauthenticator.cpp',
'PKCS11ModuleDB.cpp',
'PSMContentListener.cpp',
'PSMRunnable.cpp',


@ -0,0 +1,41 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsISupports.idl"
[scriptable, uuid(4fe082ae-6ff0-4b41-b24f-eaa664f6e46a)]
interface nsIOSReauthenticator: nsISupports {
/**
* This interface provides an abstract way to request that the user
* reauthenticate themselves to the operating system. It may be useful in
* conjunction with nsIOSKeyStore, whereby consumers of these APIs may
* consider some secrets too sensitive to access without first
* reauthenticating the user.
*
* Usage:
*
* // obtain the singleton nsIOSReauthenticator instance
* const reauthenticator = Cc["@mozilla.org/security/osreauthenticator;1"]
* .getService(Ci.nsIOSReauthenticator);
* if (await reauthenticator.asyncReauthenticate()) {
* // do something only authenticated users are allowed to do...
* } else {
* // show a "sorry, this isn't allowed" error
* }
*/
/**
* Asynchronously cause the operating system to request that the user
* reauthenticate. This is typically in the form of a dialog box asking the
* user for their login password. The actual behaviour of this depends on the
* OS.
*
* @param prompt A short string that may be incorporated in the dialog
* @return Promise resolving to true if the user successfully authenticated
* and false otherwise.
*/
[implicit_jscontext, must_use]
Promise asyncReauthenticateUser(in ACString prompt);
};
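Review bot: The usage example in the interface comment calls `reauthenticator.asyncReauthenticate()`, but the only method declared is `asyncReauthenticateUser(in ACString prompt)`, so the example as written would throw instead of prompting. It should read `if (await reauthenticator.asyncReauthenticateUser(prompt)) {`. The method comment could also state that the promise rejects when the underlying call fails (the C++ side calls `MaybeReject(rv)`) and that callers must treat a rejection the same as `false`. Because `prompt` may be incorporated in an OS credential dialog, it would be worth documenting that it should be a fixed product string and never text influenced by web content.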


@ -4,6 +4,8 @@
#include "nsNSSCertTrust.h"
#include "certdb.h"
void
nsNSSCertTrust::AddCATrust(bool ssl, bool email)
{


@ -5,7 +5,6 @@
#ifndef nsNSSCertTrust_h
#define nsNSSCertTrust_h
#include "certdb.h"
#include "certt.h"
/*


@ -34,6 +34,7 @@
#include "nsTLSSocketProvider.h"
#include "nsXULAppAPI.h"
#include "OSKeyStore.h"
#include "OSReauthenticator.h"
#ifdef MOZ_XUL
#include "nsCertTree.h"
@ -160,6 +161,7 @@ NS_DEFINE_NAMED_CID(NS_SECURE_BROWSER_UI_CID);
NS_DEFINE_NAMED_CID(NS_SITE_SECURITY_SERVICE_CID);
NS_DEFINE_NAMED_CID(NS_CERT_BLOCKLIST_CID);
NS_DEFINE_NAMED_CID(NS_OSKEYSTORE_CID);
NS_DEFINE_NAMED_CID(NS_OSREAUTHENTICATOR_CID);
// Components that require main thread initialization could cause a deadlock
// in necko code (bug 1418752). To prevent it we initialize all such components
@ -221,6 +223,10 @@ static const mozilla::Module::CIDEntry kNSSCIDs[] = {
nullptr,
ProcessRestriction::ParentProcessOnly,
ThreadRestriction::MainThreadOnly> },
{ &kNS_OSREAUTHENTICATOR_CID, false, nullptr, Constructor<OSReauthenticator,
nullptr,
ProcessRestriction::ParentProcessOnly,
ThreadRestriction::MainThreadOnly> },
{ nullptr }
};
@ -253,6 +259,7 @@ static const mozilla::Module::ContractIDEntry kNSSContracts[] = {
{ NS_SSSERVICE_CONTRACTID, &kNS_SITE_SECURITY_SERVICE_CID },
{ NS_CERTBLOCKLIST_CONTRACTID, &kNS_CERT_BLOCKLIST_CID },
{ NS_OSKEYSTORE_CONTRACTID, &kNS_OSKEYSTORE_CID},
{ NS_OSREAUTHENTICATOR_CONTRACTID, &kNS_OSREAUTHENTICATOR_CID},
{ nullptr }
};


@ -0,0 +1,16 @@
/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
"use strict";
// Tests nsIOSReauthenticator.asyncReauthenticateUser().
// Currently this always resolves to false on all platforms. As this gets implemented on various
// platforms, running this rest will result in a prompt from the OS. Consequently, we won't be able
// to run this in automation, but it will help in testing locally.
add_task(async function test_asyncReauthenticateUser() {
const reauthenticator = Cc["@mozilla.org/security/osreauthenticator;1"]
.getService(Ci.nsIOSReauthenticator);
ok(reauthenticator, "nsIOSReauthenticator should be available");
ok(!await reauthenticator.asyncReauthenticateUser("this is the prompt string"),
"nsIOSReauthenticator.asyncReauthenticateUser always resolves to false for now");
});
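Review bot: The header comment has a typo: `running this rest will result in a prompt` should be `running this test will result in a prompt`. The assertion pins the stub result, and the manifest entry for this test is added without any condition in this commit, so each platform implementation would need to land together with a `skip-if` for that platform or the test will fail or block on an OS dialog. The rejection path, which the C++ code can take via `MaybeReject(rv)`, is not exercised here.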


@ -141,6 +141,7 @@ run-sequentially = hardcoded ports
[test_ocsp_url.js]
run-sequentially = hardcoded ports
[test_oskeystore.js]
[test_osreauthenticator.js]
[test_password_prompt.js]
[test_pinning.js]
run-sequentially = hardcoded ports