// Copyright (c) 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// The messages in this file comprise the DBus/Proto interface for
// Cryptohome where there is an AccountIdentifer argument, an
// AuthorizationRequest (if needed for the call), and the call's
// parameters as <Call>Request.
//
// 'optional' annotations are used heavily in the RPC definition
// because the RPC endpoints most properly sanity check the contents
// for application-specific logic, and the more optional-with-default
// parameters exist, the less data is actually transferred on the wire
// in "default" situations.

option optimize_for = LITE_RUNTIME;

package cryptohome;

import "key.proto";

// Error codes do not need to be sequential per-call.
// Prefixes by Request/Reply type should be used to help
// callers know if specialized errors apply.
enum CryptohomeErrorCode {
  // 0 is the default value of BaseReply::error. It
  // should never be used.
  CRYPTOHOME_ERROR_NOT_SET = 0;

  CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3;
  CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4;
  CRYPTOHOME_ERROR_MOUNT_FATAL = 5;
  CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6;
  CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7;
  CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8;
  CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10;
  CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11;
  CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12;
  CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13;
  CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14;
  CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15;
  CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16;
  CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17;
}

message AccountIdentifier {
  optional string email = 1;
}

message AuthorizationRequest {
  // |key| must supply at least a |key.secret()|.  If no |key.data()| or
  // |key.data().label()| is supplied, the |key.secret()| will be tested
  // against all compatible |key.data().type()| keys, where
  // KEY_TYPE_PASSWORD_CROS_LEGACY is the default type.  If
  // |key.data().label()| is supplied, then the |key.secret()| will only be
  // tested against the matching VaultKeyset.
  optional Key key = 1;
};

// These parameters are for inbound data to Cryptohome RPC
// interfaces.  When calls are added that return data, a
// <Call>Response should be defined.
message MountRequest {
  // Perform an ephemeral mount only.
  optional bool require_ephemeral = 1 [default=false];
  // If defined, the account will be created if it does not exist.
  // Additionally, a failed AuthorizationRequest will be expected as
  // there will be no existing keys.
  optional CreateRequest create = 2;
}

// A BaseReply type is used for all cryptohomed responses. A shared base class
// is used because all calls will always reply with no-error or an error value.
// A centralized definition allows for a reusable reply handler for cases where
// there is no Request-specific reply data.  Any specialized data will live in
// an extension as per MountReply below:
//   if (reply.HasExtension(MountReply::reply)) { ... }
//
message BaseReply {
  // If a call was successful, error will not be defined (clear_error()).
  // If a call failed, it must set an error code (set_error(CODE)).
  // In either case, call-specific data may be added as an extension.
  optional CryptohomeErrorCode error = 1;

  extensions 1000 to max;
}

// The MountRequest call may return more than just success or failure
// so it embeds itself in a BaseReply as an extension.
message MountReply {
  extend BaseReply {
    optional MountReply reply = 1000;
  }
  // |recreated| is set when the cryptohome had to be wiped
  // because the key or data was an unrecoverable.  It does not imply
  // failure to Mount nor is it 'true' when a CreateRequest creates
  // a cryptohome for the first time.
  optional bool recreated = 1 [default=false];
  // Returns the filesystem-sanitized username.
  optional string sanitized_username = 2;
};

message CreateRequest {
  repeated Key keys = 1;
  // Explicitly use the |key| from the AuthorizationRequest.
  // Setting this value means that the KeyData is filled as it
  // would be with a Key above or in an AddKeyRequest.
  optional bool copy_authorization_key = 2 [default=false];
  // In the future, this will contain account-wide data like
  // the deletion priority or the IdP's origin.
}

message AddKeyRequest {
  optional Key key = 1;
  optional bool clobber_if_exists = 2 [default=false];
}

message UpdateKeyRequest {
  optional Key changes = 1;
  optional bytes authorization_signature = 2;
}

message CheckKeyRequest {
}

message RemoveKeyRequest {
  // Only key.data().label() is used at present.
  optional Key key = 1;
}

message SignBootLockboxRequest {
  // The data to be signed.
  optional bytes data = 1;
}

message SignBootLockboxReply {
  extend BaseReply {
    optional SignBootLockboxReply reply = 1001;
  }
  optional bytes signature = 1;
}

message VerifyBootLockboxRequest {
  // The signed data to be verified.
  optional bytes data = 1;
  // The signature to be verified.
  optional bytes signature = 2;
}

message FinalizeBootLockboxRequest {
}