device/fido/mac/authenticator.h

// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef DEVICE_FIDO_MAC_AUTHENTICATOR_H_
#define DEVICE_FIDO_MAC_AUTHENTICATOR_H_

#include <memory>
#include <string>

#include "base/callback.h"
#include "base/component_export.h"
#include "base/memory/weak_ptr.h"
#include "base/strings/string_piece_forward.h"
#include "device/fido/ctap_make_credential_request.h"
#include "device/fido/fido_authenticator.h"
#include "device/fido/fido_transport_protocol.h"
#include "device/fido/mac/credential_store.h"
#include "device/fido/mac/operation.h"

namespace device::fido::mac {

struct AuthenticatorConfig;

// TouchIdAuthenticator is a platform authenticator on macOS. It persists Secure
// Enclave backed credentials along with metadata in the macOS keychain. Each
// Chrome profile maintains its own set of credentials.
//
// Despite the name, any local login factor can be used for User Verification
// (e.g. Touch ID, password, Apple Watch).
class COMPONENT_EXPORT(DEVICE_FIDO) TouchIdAuthenticator
    : public FidoAuthenticator {
 public:
  // IsAvailable runs |callback| with a bool indicating whether the
  // authenticator is available, i.e. whether the device has a Secure Enclave
  // and the current binary carries a keychain-access-groups entitlement that
  // matches the one set in |config|.
  static void IsAvailable(AuthenticatorConfig config,
                          base::OnceCallback<void(bool is_available)> callback);

  // CreateIfAvailable returns a TouchIdAuthenticator. Callers must check
  // IsAvailable() first.
  static std::unique_ptr<TouchIdAuthenticator> Create(
      AuthenticatorConfig config);

  TouchIdAuthenticator(const TouchIdAuthenticator&) = delete;
  TouchIdAuthenticator& operator=(const TouchIdAuthenticator&) = delete;

  ~TouchIdAuthenticator() override;

  // FidoAuthenticator:
  void InitializeAuthenticator(base::OnceClosure callback) override;
  void MakeCredential(CtapMakeCredentialRequest request,
                      MakeCredentialOptions options,
                      MakeCredentialCallback callback) override;
  void GetAssertion(CtapGetAssertionRequest request,
                    CtapGetAssertionOptions options,
                    GetAssertionCallback callback) override;
  void GetNextAssertion(GetAssertionCallback callback) override;
  void GetCredentialInformationForRequest(
      const CtapGetAssertionRequest& request,
      GetCredentialInformationForRequestCallback callback) override;
  void Cancel() override;
  Type GetType() const override;
  std::string GetId() const override;
  const absl::optional<AuthenticatorSupportedOptions>& Options() const override;
  absl::optional<FidoTransportProtocol> AuthenticatorTransport() const override;
  bool IsInPairingMode() const override;
  bool IsPaired() const override;
  bool RequiresBlePairingPin() const override;
  void GetTouch(base::OnceClosure callback) override;
  base::WeakPtr<FidoAuthenticator> GetWeakPtr() override;

 private:
  TouchIdAuthenticator(std::string keychain_access_group,
                       std::string metadata_secret);

  TouchIdCredentialStore credential_store_;

  std::unique_ptr<Operation> operation_;

  base::WeakPtrFactory<TouchIdAuthenticator> weak_factory_;
};

}  // namespace device::fido::mac

#endif  // DEVICE_FIDO_MAC_AUTHENTICATOR_H_