// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// The messages in this file comprise the DBus/Proto interface for
// the new set of Cryptohome interface after the refactor, and the
// associated messages that's used by those interfaces.
// All input parameter to a call is named with a "Request" suffix,
// and all output parameter to a call is named with a "Reply" suffix.

syntax = "proto3";

option optimize_for = LITE_RUNTIME;

package user_data_auth;

import "auth_factor.proto";
import "fido.proto";
import "key.proto";

///////////////////////////////////////////////////////////////////////////////
// Messages that's used by the actual request/reply goes below
///////////////////////////////////////////////////////////////////////////////

// We still need the AccountIdentifier, KeyDelegate and AuthorizationRequest
// messages from the old interface.
import "rpc.proto";

// Error codes do not need to be sequential per-call.
// Prefixes by Request/Reply type should be used to help
// callers know if specialized errors apply.
// TODO(b/135984863): Rename this.
enum CryptohomeErrorCode {
  // No error: the operation succeeded.
  CRYPTOHOME_ERROR_NOT_SET = 0;

  CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3;
  CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4;
  CRYPTOHOME_ERROR_MOUNT_FATAL = 5;
  CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6;
  CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7;
  CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8;
  CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10;
  CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11;
  CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12;
  CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13;
  CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14;
  CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15;
  CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16;
  CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17;
  CRYPTOHOME_ERROR_BOOT_ATTRIBUTE_NOT_FOUND = 18;
  CRYPTOHOME_ERROR_BOOT_ATTRIBUTES_CANNOT_SIGN = 19;
  CRYPTOHOME_ERROR_TPM_EK_NOT_AVAILABLE = 20;
  CRYPTOHOME_ERROR_ATTESTATION_NOT_READY = 21;
  CRYPTOHOME_ERROR_CANNOT_CONNECT_TO_CA = 22;
  CRYPTOHOME_ERROR_CA_REFUSED_ENROLLMENT = 23;
  CRYPTOHOME_ERROR_CA_REFUSED_CERTIFICATE = 24;
  CRYPTOHOME_ERROR_INTERNAL_ATTESTATION_ERROR = 25;
  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID = 26;
  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE = 27;
  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE = 28;
  CRYPTOHOME_ERROR_MOUNT_OLD_ENCRYPTION = 29;
  CRYPTOHOME_ERROR_MOUNT_PREVIOUS_MIGRATION_INCOMPLETE = 30;
  CRYPTOHOME_ERROR_MIGRATE_KEY_FAILED = 31;
  CRYPTOHOME_ERROR_REMOVE_FAILED = 32;
  CRYPTOHOME_ERROR_INVALID_ARGUMENT = 33;
  CRYPTOHOME_ERROR_INSTALL_ATTRIBUTES_GET_FAILED = 34;
  CRYPTOHOME_ERROR_INSTALL_ATTRIBUTES_SET_FAILED = 35;
  CRYPTOHOME_ERROR_INSTALL_ATTRIBUTES_FINALIZE_FAILED = 36;
  CRYPTOHOME_ERROR_UPDATE_USER_ACTIVITY_TIMESTAMP_FAILED = 37;
  CRYPTOHOME_ERROR_FAILED_TO_READ_PCR = 38;
  CRYPTOHOME_ERROR_PCR_ALREADY_EXTENDED = 39;
  CRYPTOHOME_ERROR_FAILED_TO_EXTEND_PCR = 40;
  CRYPTOHOME_ERROR_TPM_UPDATE_REQUIRED = 41;
  CRYPTOHOME_ERROR_FINGERPRINT_ERROR_INTERNAL = 42;
  // Fingerprint match failed but at least one retry count left.
  CRYPTOHOME_ERROR_FINGERPRINT_RETRY_REQUIRED = 43;
  // Fingerprint match failed and maximum retry count reached.
  CRYPTOHOME_ERROR_FINGERPRINT_DENIED = 44;
  CRYPTOHOME_ERROR_VAULT_UNRECOVERABLE = 45;
  CRYPTOHOME_ERROR_FIDO_MAKE_CREDENTIAL_FAILED = 46;
  CRYPTOHOME_ERROR_FIDO_GET_ASSERTION_FAILED = 47;
  CRYPTOHOME_TOKEN_SERIALIZATION_FAILED = 48;
  CRYPTOHOME_INVALID_AUTH_SESSION_TOKEN = 49;
  CRYPTOHOME_ADD_CREDENTIALS_FAILED = 50;
  CRYPTOHOME_ERROR_UNAUTHENTICATED_AUTH_SESSION = 51;
  CRYPTOHOME_ERROR_UNKNOWN_LEGACY = 52;
  CRYPTOHOME_ERROR_UNUSABLE_VAULT = 53;
  // Note: After adding new fields to this enum, the new enum should be added
  // to ash/components/login/auth/auth_session_authenticator.cc's
  // AuthSessionAuthenticator::ProcessCryptohomeError() so that Chromium
  // can handle them properly.
}

// This is used by MountRequest to store details about the mount to create
message CreateRequest {
  // In the future, this will contain account-wide data like
  // the deletion priority or the IdP's origin.

  // keys contain the key data to add to the key for the mount that we
  // are creating. Currently, only one key is supported.
  // TODO(b/133212955): Change the name of this to "key".
  repeated cryptohome.Key keys = 1;

  // Explicitly use the |key| from the AuthorizationRequest.
  // Setting this value means that the |keys| above would be populated with
  // the |key| specified in MountRequest, so that we can spare the trouble
  // of specifying |keys| above.
  bool copy_authorization_key = 2;

  // If set to true, always use eCryptfs as the encryption method.
  bool force_ecryptfs = 3;
}

///////////////////////////////////////////////////////////////////////////////
// Error handling related
///////////////////////////////////////////////////////////////////////////////

// PrimaryAction is used to indicate that cryptohomed believes that a certain
// condition is true and thus the corresponding action should be carried out or
// it can resolve the issues.
enum PrimaryAction {
  // PRIMARY_NO_ERROR indicates that there's no error.
  PRIMARY_NO_ERROR = 0;

  // PRIMARY_NONE indicates that cryptohomed is not sure. Caller should check
  // PossibleAction.
  PRIMARY_NONE = 1;

  // PRIMARY_CREATE_REQUIRED indicates that the user doesn't exist and the
  // caller should add CreateRequest to the Mount() call.
  PRIMARY_CREATE_REQUIRED = 2;

  // PRIMARY_NOTIFY_OLD_ENCRYPTION_POLICY indicates that the vault is using
  // legacy crypto and the policy doesn't allow it. The caller should notify
  // users regarding the policy.
  PRIMARY_NOTIFY_OLD_ENCRYPTION_POLICY = 3;

  // PRIMARY_RESUME_PREVIOUS_MIGRATION indicates that eCryptfs is being
  // migrated to dircrypto but it's not completed yet. Caller should finish
  // the migration before trying again.
  PRIMARY_RESUME_PREVIOUS_MIGRATION = 4;

  // PRIMARY_TPM_UDPATE_REQUIRED indicates that the TPM firmware should be
  // updated before proceeding.
  PRIMARY_TPM_UDPATE_REQUIRED = 5;

  // PRIMARY_TPM_NEEDS_REBOOT indicates that the TPM encountered a critical
  // error that can only be resolved by rebooting.
  PRIMARY_TPM_NEEDS_REBOOT = 6;

  // PRIMARY_TPM_LOCKOUT indicates that the TPM is in dictionary attack lockout
  // state. The caller should advise the user to wait it out.
  PRIMARY_TPM_LOCKOUT = 7;

  // PRIMARY_INCORRECT_AUTH indicates that the supplied auth material
  // (password) is incorrect. The caller should notify the user as such.
  // Note that it is a special case, see CryptohomeErrorInfo's
  // probable_action field for more info.
  PRIMARY_INCORRECT_AUTH = 8;
}

// PossibleAction is used to indicate that cryptohomed believies some actions
// are more likely to resolve the error than other actions.
enum PossibleAction {
  // POSSIBLY_NONE is not used, it's defined to take the 0 position.
  POSSIBLY_NONE = 0;

  // POSSIBLY_RETRY suggests the caller to retry immediately.
  POSSIBLY_RETRY = 1;

  // POSSIBLY_REBOOT suggests the caller to reboot then retry.
  POSSIBLY_REBOOT = 2;

  // POSSIBLY_AUTH suggests the caller to try another authentication method.
  POSSIBLY_AUTH = 3;

  // POSSIBLY_INCORRECT_AUTH suggests that incorrect auth material (password)
  // have been supplied. The caller should notify the user as such.
  POSSIBLY_INCORRECT_AUTH = 4;

  // POSSIBLY_DELETE_VAULT suggests the caller to delete the user's vault
  // because it's unrecoverable.
  POSSIBLY_DELETE_VAULT = 5;

  // POSSIBLY_POWERWASH suggests the caller to powerwash because certain TPM
  // state is corrupted and can only be obtained at OOBE.
  POSSIBLY_POWERWASH = 6;

  // POSSIBLY_DEV_CHECK_UNEXPECTED_STATE suggests that it's the developer's
  // problem. Software developers should investigate if this error ever occurs.
  POSSIBLY_DEV_CHECK_UNEXPECTED_STATE = 7;

  // POSSIBLY_FATAL suggests that there's no way to resolve the issue.
  // It should not have happened and the caller should not retry.
  POSSIBLY_FATAL = 8;
}

// CryptohomeErrorInfo contains the information regarding an error or a
// condition that occurred.
// Note on the migration: During the migration process, both the legacy
// CryptohomeErrorCode and the new CryptohomeErrorInfo field will be available.
// Before the Phase 1 of the migration is completed (b/229804686), callers of
// Cryptohome API should rely on the legacy CryptohomeErrorCode. After Phase 1
// is completed, which will be indicated in the issue tracker entry, callers
// can assume that both the legacy CryptohomeErrorCode field and
// CryptohomeErrorInfo field contains valid information and the callers can
// proceed to refactor to use the new fields, this is Phase 2 (b/229805195).
// The legacy CryptohomeErrorCode field that coexists with CryptohomeErrorInfo
// will be removed in Phase 3 (b/229807416).
// We are currently in the process of completing Phase 1, and thus caller
// should still rely on the legacy CryptohomeErrorCode field.
message CryptohomeErrorInfo {
  // error_id is a unique identifier that identifies the location that the
  // error occurred within cryptohome. More effectively, it's a "smart
  // stacktrace" that remains the same from version to version for the same
  // error.
  // There's no guarantee on the exact formatting to users external to
  // cryptohome, except that it should be short enough to be displayed on
  // one line and contains fine-grained and detailed information on the error.
  // For cryptohome developers, see cryptohome/docs/error_reporting.md.
  // Example: "42-15-3"
  string error_id = 1;

  // readable_error_id is the human readable version of the error_id. It
  // encompasses all information that is in error_id and is more human
  // readable. However, it may or may not remain the same from version to
  // version.
  // There's no guarantee on the exact formatting of this field to users
  // external to cryptohome, except that it should be at most a few lines in
  // length and should be reasonable to write to the logs.
  // For cryptohome developers, see cryptohome/docs/error_reporting.md.
  string readable_error_id = 2;

  // primary_action is when cryptohome is quite certain that something can
  // be done to resolve the error/condition. Usually primary_action is used
  // to indicate to the Chromium side that an action should be done.
  PrimaryAction primary_action = 3;

  // probable_action is when cryptohome is not quite sure how the error
  // occurred, but believes that some of the actions (as listed in this field)
  // are more likely to resolve the error than other actions.
  // The entries in this repeated field are not ordered.
  // This field can be ignored if primary_action is not PRIMARY_NONE or
  // PRIMARY_INCORRECT_AUTH.
  // Note that primary_action = PRIMARY_INCORRECT_AUTH is a special case,
  // because the Chromium side will handle it different depending the number
  // of times it happened. Therefore, for the case when primary_action =
  // PRIMARY_INCORRECT_AUTH, the probable_action field will be populated with
  // any PossibleAction entry that might be relevant (if any).
  // In the future we intend to weed out any false positives in reporting
  // PRIMARY_INCORRECT_AUTH, and thus probable_action will eventually be empty.
  repeated PossibleAction possible_actions = 4;
}

///////////////////////////////////////////////////////////////////////////////
// Actual request/reply goes below
///////////////////////////////////////////////////////////////////////////////

// ------------------------- UserDataAuth Interface -------------------------

// Input parameters to IsMounted()
message IsMountedRequest {
  // If username is available, then it'll check if a specific user's home
  // directory is mounted. Otherwise, it'll check if any home directory is
  // mounted.
  string username = 1;
}

// Output parameters for IsMounted()
message IsMountedReply {
  // If the requested home directory is mounted.
  bool is_mounted = 1;
  // If the mount is ephemeral, that is, if the contents get cleared once
  // the user logs out.
  // Note that if there's no username specified in the IsMountedRequest,
  // then this field is set to true if any mount is ephemeral.
  bool is_ephemeral_mount = 2;
}

// Input parameters to Unmount()
// Currently we only support unmounting all mounted cryptohomes but in the
// future we may implement per-user unmount, at which point we can extend this
// proto with the necessary information.
message UnmountRequest {
}

// Output parameters for Unmount()
message UnmountReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

// Input parameters to Mount()
message MountRequest {
  // The account of the user whose home directory is requested for mounting.
  cryptohome.AccountIdentifier account = 1;
  // Authorization data from the user.
  cryptohome.AuthorizationRequest authorization = 2;

  // If set, then perform an ephemeral mount only.
  bool require_ephemeral = 3;
  // If defined, the account will be created if it does not exist.
  // Additionally, a failed AuthorizationRequest will be expected as
  // there will be no existing keys.
  CreateRequest create = 4;
  // If set to true, and cryptohomed supports the new "dircrypto" encryption,
  // forces to use the new encryption. That is, makes it an error to mount
  // an existing home directory encrypted in the old way (ecryptfs).
  bool force_dircrypto_if_available = 5;
  // If set to true, mounts the existing ecryptfs vault to a temporary location
  // while setting up a new dircrypto directory.
  bool to_migrate_from_ecryptfs = 6;
  // If set, then performs a public mount, which is used for a Kiosk session.
  // Credentials are not needed in the request; they are synthesized by
  // cryptohomed from id.
  bool public_mount = 7;
  // If set to true, the mount will be for a guest session.
  bool guest_mount = 8;
  // Auth Session id will let mount derive credentials from AuthSessions.
  bytes auth_session_id = 9;
}

// Output parameters for Mount()
message MountReply {
  // Indicate an error when |error| is not empty.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // |recreated| is set when the cryptohome had to be wiped
  // because the key or data was an unrecoverable.  It does not imply
  // failure to Mount nor is it 'true' when a CreateRequest creates
  // a cryptohome for the first time.
  bool recreated = 2;
  // Returns the filesystem-sanitized username.
  string sanitized_username = 3;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 4;
}

// Input parameters to Remove()
// If an AuthSession ID is provided, then that will be used and validated.
message RemoveRequest {
  // Identifies the user, whose home directory to remove
  cryptohome.AccountIdentifier identifier = 1;
  // Token that would be get user id from AuthSession.
  bytes auth_session_id = 2;
}

// Output parameters for Remove()
message RemoveReply {
  // Indicate an error when |error| is not empty.
  CryptohomeErrorCode error = 1;
  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

// Input parameters to ListKeys()
message ListKeysRequest {
  // The default behavior is by label so any extension here should honor that.

  // List the key(s) that is/are used to protect the home directory whose
  // owner is identified by account_id.
  cryptohome.AccountIdentifier account_id = 1;
  // Provide user authentication if necessary (currently not required).
  cryptohome.AuthorizationRequest authorization_request = 2;
}

// Output parameters for ListKeys()
message ListKeysReply {
  // Indicates an error if error is not empty.
  CryptohomeErrorCode error = 1;
  // The labels of the Vault Keyset. This will be empty on error.
  repeated string labels = 2;
  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 3;
}

// Input parameters to GetKeyData()
message GetKeyDataRequest {
  // The keys whose data to retrieve, is the key whose owner is identified
  // by account_id.
  cryptohome.AccountIdentifier account_id = 1;
  // Provide user authentication if necessary (currently not required).
  cryptohome.AuthorizationRequest authorization_request = 2;
  // |key| must supply at least one attribute and all others will be treated as
  // wildcards.  Currently only |key.data().label()| may be supplied.  Like
  // AuthorizationRequest, support can be added for queries by
  // |key.data().type()| to return all keys of a certain class, testing
  // |key.secret()|, or |key.data().provider_data()| entries.
  cryptohome.Key key = 3;
}

// Output parameters for GetKeyData()
message GetKeyDataReply {
  // Indicates an error if error is not empty.
  CryptohomeErrorCode error = 1;
  // The data associated with those keys.
  repeated cryptohome.KeyData key_data = 2;
}

// Input parameters to CheckKey()
message CheckKeyRequest {
  // We only check against keys that belongs to the user identified by
  // account_id.
  cryptohome.AccountIdentifier account_id = 1;
  // The authentication credentials to check against the keys
  cryptohome.AuthorizationRequest authorization_request = 2;
  // Whether the webauthn secret should be unlocked.
  bool unlock_webauthn_secret = 3;
}

// Output parameters for CheckKey()
message CheckKeyReply {
  // Indicates an error if error is not empty.
  CryptohomeErrorCode error = 1;
}

// Input parameters to AddKey()
message AddKeyRequest {
  // The owner of the new key.
  cryptohome.AccountIdentifier account_id = 1;
  // The authentication data of the new key.
  cryptohome.AuthorizationRequest authorization_request = 2;
  // The key to add.
  cryptohome.Key key = 3;
  // Do we delete the existing key if it already exists?
  bool clobber_if_exists = 4;
}

// Output parameters for AddKey()
message AddKeyReply {
  // Indicates an error if error is not empty.
  CryptohomeErrorCode error = 1;
}

// Input parameters to RemoveKey()
message RemoveKeyRequest {
  // The owner of the key to remove
  cryptohome.AccountIdentifier account_id = 1;
  // Authorization from the user
  cryptohome.AuthorizationRequest authorization_request = 2;
  // Only key.data().label() is used at present.
  cryptohome.Key key = 3;
}

// Output parameters for RemoveKey()
message RemoveKeyReply {
  // Indicates an error if error is not empty.
  CryptohomeErrorCode error = 1;
}

// Input parameters to MassRemoveKeys()
message MassRemoveKeysRequest {
  // The owner of the key to remove
  cryptohome.AccountIdentifier account_id = 1;
  // Authorization from the user
  cryptohome.AuthorizationRequest authorization_request = 2;

  // Remove all keys whose labels are NOT included in exempt_key_data.
  repeated cryptohome.KeyData exempt_key_data = 3;
}

// Output parameters for MassRemoveKeys()
message MassRemoveKeysReply {
  // Indicates an error if error is not empty.
  CryptohomeErrorCode error = 1;
}

// Input parameters to MigrateKey()
message MigrateKeyRequest {
  // The owner whose key are going to migrate
  cryptohome.AccountIdentifier account_id = 1;
  // Authorization from the user
  cryptohome.AuthorizationRequest authorization_request = 2;
  // The new secret for the key.
  bytes secret = 3;
}

// Output parameters for MigrateKey()
message MigrateKeyReply {
  // Indicates an error if error is not empty.
  CryptohomeErrorCode error = 1;
}

// StartFingerprintAuthSession sets BiometricsDaemon and the Fingerprint MCU to
// match mode. EndFingerprintAuthSession sets them back to non-match mode.
// A typical call sequence involves one or more other calls that actually wait
// for fingerprint scan result, between StartFingerprintAuthSession and
// EndFingerprintAuthSession.
//
// Example 1: successful fingerprint match at first attempt.
// --> StartFingerprintAuthSession
// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan success
// --> EndFingerprintAuthSession
//
// Example 2: successful fingerprint match at third attempt.
// --> StartFingerprintAuthSession
// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan success
// --> EndFingerprintAuthSession
//
// Example 3: client chooses to cancel before success.
// --> StartFingerprintAuthSession
// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
// --> EndFingerprintAuthSession

// Input parameters to StartFingerprintAuthSession()
message StartFingerprintAuthSessionRequest {
  // This represents the "single user" that we are will be fingerprint for.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for StartFingerprintAuthSession()
message StartFingerprintAuthSessionReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;
}

// Input parameters to EndFingerprintAuthSession()
message EndFingerprintAuthSessionRequest {}

// Output parameters for EndFingerprintAuthSession()
message EndFingerprintAuthSessionReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;
}

// Input parameters to GetWebAuthnSecret()
message GetWebAuthnSecretRequest {
  // This represents the "single user" that the secret belongs to.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for GetWebAuthnSecret()
message GetWebAuthnSecretReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;
  // The WebAuthn secret.
  bytes webauthn_secret = 2;
}

// Input parameters to GetWebAuthnSecretHash()
message GetWebAuthnSecretHashRequest {
  // This represents the "single user" that the secret belongs to.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for GetWebAuthnSecretHash()
message GetWebAuthnSecretHashReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;
  // The WebAuthn secret hash.
  bytes webauthn_secret_hash = 2;
}

// Input parameters to GetHibernateSecret()
message GetHibernateSecretRequest {
  // This represents the "single user" that the secret belongs to.
  // This mechanism is deprecated in favor of the auth_session_id below.
  cryptohome.AccountIdentifier account_id = 1;
  // Serialized form of token that is used to identify Auth Session in
  // progress.
  bytes auth_session_id = 2;
}

// Output parameters for GetHibernateSecret()
message GetHibernateSecretReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;
  // The hibernate secret.
  bytes hibernate_secret = 2;
}

// TODO(b/126307305): For the messages, below, we'll need to add the documentations
// for them.

// Input parameters to StartMigrateToDircrypto().
message StartMigrateToDircryptoRequest {
  // The owner of the cryptohome that we are going to migrate.
  cryptohome.AccountIdentifier account_id = 1;

  // If true, only a few paths (specified in cryptohomed) that are necessary for
  // a working profile will be migrated. Most user data will be wiped.
  bool minimal_migration = 2;

  // Auth Session id will let migrate derive credentials from AuthSessions.
  // AuthSession needs to be authenticated for this to be successful. If both
  // account_id and auth_session_id is mentioned, auth_session_id would be
  // superseed and identity would be derived from that.
  bytes auth_session_id = 3;
}

// Output parameters for StartMigrateToDircrypto().
message StartMigrateToDircryptoReply {
  // Indicates an error if not empty.
  CryptohomeErrorCode error = 1;
}

// Status code for the message DircryptoMigrationProgress below.
enum DircryptoMigrationStatus {
  // 0 means a successful completion.
  DIRCRYPTO_MIGRATION_SUCCESS = 0;
  // TODO(kinaba,dspaid): Add error codes as needed here.
  DIRCRYPTO_MIGRATION_FAILED = 1;
  // TODO(kinaba,dspaid): Add state codes as needed.
  DIRCRYPTO_MIGRATION_INITIALIZING = 2;
  DIRCRYPTO_MIGRATION_IN_PROGRESS = 3;
}

// The data that comes with DircryptoMigrationProgress signal.
message DircryptoMigrationProgress {
  // See cryptohome::dircrypto_data_migrator::MigrationHelper::ProgressCallback
  // for more information.

  // The status of the migration
  DircryptoMigrationStatus status = 1;

  // The amount of bytes that we've migrated over.
  uint64 current_bytes = 2;

  // The total amount of bytes in this migration operation.
  uint64 total_bytes = 3;
}

// Input parameters to NeedsDircryptoMigration().
message NeedsDircryptoMigrationRequest {
  // The account for which we want to check if Dircrypto migration is needed.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for NeedsDircryptoMigration().
message NeedsDircryptoMigrationReply {
  // Indicates an error if not empty.
  CryptohomeErrorCode error = 1;

  // Whether Dircrypto migration is needed.
  // Note that this is invalid and should be disregarded if |error| is not
  // empty.
  bool needs_dircrypto_migration = 2;
}

// Input parameters to GetSupportedKeyPolicies().
message GetSupportedKeyPoliciesRequest {
}

// Output parameters for GetSupportedKeyPolicies().
// This informs the caller which KeyPolicy features are supported.
message GetSupportedKeyPoliciesReply {
  // Whether low entropy credentials is supported by the policies
  bool low_entropy_credentials_supported = 1;
}

// Input parameters to GetAccountDiskUsage().
message GetAccountDiskUsageRequest {
  // The owner of the home directory that we are going to compute the
  // size for.
  cryptohome.AccountIdentifier identifier = 1;
}

// Output parameters for GetAccountDiskUsage().
message GetAccountDiskUsageReply {
  // Indicates an error if not empty.
  // Note that for this API call, it is not an error to supply a non-existent
  // user in the |GetAccountDiskUsageRequest.identifier| parameter.
  CryptohomeErrorCode error = 1;

  // The size of cryptohome in bytes. If a non-existent user is given in the
  // request, size will be 0.
  // Negative values are reserved, see HomeDir::ComputeSize() for more
  // information.
  int64 size = 2;
}

// The data that comes with LowDiskSpace signal.
message LowDiskSpace {
  // The amount of remaining free disk space.
  uint64 disk_free_bytes = 1;
}

// These flags will define any requests from the caller for how to run an
// AuthSession.
enum AuthSessionFlags {
  // Default Value.
  AUTH_SESSION_FLAGS_NONE = 0;
  // This flag is set when auth session is used for an ephemeral user.
  AUTH_SESSION_FLAGS_EPHEMERAL_USER = 2;
  reserved 1;
}

message StartAuthSessionRequest {
  // The account of the user whose home directory is requested for mounting.
  cryptohome.AccountIdentifier account_id = 1;
  // AuthSessionFlags to define AuthSession behaviour.
  uint32 flags = 2;
  // Currently nothing is required to be passed in for KeyData map request,
  // but in the future we can expect this to be expanded to filter queries with
  // |key.data().type()| to return all keys of a certain class, testing
  // |key.secret()|, or |key.data().provider_data()| entries.
}

message StartAuthSessionReply {
  // Error if any to start the Auth Session
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // Token that would be used to conduct any auth-related operation.
  bytes auth_session_id = 2;
  // True if the user that the Auth Session is created for exists or not.
  bool user_exists = 3;
  // Map to return label and public key data for the authentication credential
  // to be sent in. This will be empty if user_exists is set to false.
  map<string, cryptohome.KeyData> key_label_data = 4;
  // List of AuthFactors to return all the AuthFactors available for user
  // authentication. This will be empty if user_exists is set to false.
  repeated AuthFactor auth_factors = 5;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 6;

  // Gives AuthFactors that can be configured as authentication means for
  // this user (regardless of whether they are already added for this user or
  // not).
  repeated AuthFactorType supported_auth_factors = 7;
}

message AddCredentialsRequest {
  reserved 4;
  // Serialized form of token that is used to identify Auth Session that needs
  // to be authenticated.
  bytes auth_session_id = 1;
  // Authorization data from the user.
  cryptohome.AuthorizationRequest authorization = 2;
  // Adding a new credentials for an existing user?
  bool add_more_credentials = 3;
}

message AddCredentialsReply {
  // Error if any to add new credentials with the Auth Session.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

message AuthenticateAuthSessionRequest {
  // Serialized form of token that is used to identify Auth Session that needs
  // to be authenticated.
  bytes auth_session_id = 1;
  // Authorization data from the user.
  cryptohome.AuthorizationRequest authorization = 2;
}

message AuthenticateAuthSessionReply {
  // Error if any to authenticate the Auth Session.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // Returns if the Auth Session is authenticated.
  bool authenticated = 2;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 3;
}

message InvalidateAuthSessionRequest {
  // Serialized form of token that is used to identify Auth Session that needs
  // to be invalidated.
  bytes auth_session_id = 1;
}

message InvalidateAuthSessionReply {
  // Error if any to invalidate the Auth Session.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

message ExtendAuthSessionRequest {
  // Serialized form of token that is used to identify Auth Session that needs
  // to be extended.
  bytes auth_session_id = 1;
  // Duration of the extension requested in seconds, with a default of
  // 60 seconds if not specified.
  uint32 extension_duration = 2;
}

message ExtendAuthSessionReply {
  // Error if any to extend the Auth Session.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

message UpdateCredentialRequest {
  // Serialized form of token that is used to identify Auth Session that will
  // be used to update credentials.
  bytes auth_session_id = 1;
  // Label of the credential that will be updated by this request.
  // If this is empty, it would be considered a password keyset as those keysets
  // do not have any label stored for them.
  string old_credential_label = 2;
  // Authorization data from the user for the new credential. The label in this
  // request should match |old_credential_label|.
  cryptohome.AuthorizationRequest authorization = 3;
}

message UpdateCredentialReply {
  // Error if any to update credential.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

message CreatePersistentUserRequest {
  // Id of the auth session associated with the user we aim to create.
  bytes auth_session_id = 1;
}

message CreatePersistentUserReply {
  // The status of the operation.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 3;
}

message PrepareGuestVaultRequest {}

message PrepareGuestVaultReply {
  // The status of the operation.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 3;
}

message PrepareEphemeralVaultRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
}

message PrepareEphemeralVaultReply {
  // The status of the operation.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 3;
}

message GetAuthSessionStatusRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
}

enum AuthSessionStatus {
  AUTH_SESSION_STATUS_NOT_SET = 0;
  AUTH_SESSION_STATUS_FURTHER_FACTOR_REQUIRED = 1;
  AUTH_SESSION_STATUS_AUTHENTICATED = 2;
  AUTH_SESSION_STATUS_INVALID_AUTH_SESSION = 3;
}

message GetAuthSessionStatusReply {
  // Error if any to start the Auth Session
  CryptohomeErrorCode error = 1;
  // Status for the valid AuthSession.
  AuthSessionStatus status = 2;
  // The time left (in sec) in the current AuthSession. This is only set if
  // AuthSession is authenticated.
  uint32 time_left = 3;
}

enum VaultEncryptionType {
  CRYPTOHOME_VAULT_ENCRYPTION_ANY = 0;
  CRYPTOHOME_VAULT_ENCRYPTION_ECRYPTFS = 1;
  CRYPTOHOME_VAULT_ENCRYPTION_FSCRYPT = 2;
  CRYPTOHOME_VAULT_ENCRYPTION_DMCRYPT = 3;
}

message PreparePersistentVaultRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
  // Whether ecryptfs mount should be prohibited
  // TODO(dlunev): deprecate the field once we migrate to the new interface.
  // |force_encryption_type| will fully supercede it for all cases later on, but
  // in the interim we need to preserve it for backward compatibility.
  bool block_ecryptfs = 2;
  // Expected encryption type.
  // TODO(dlunev): for now it is enforced only for the vault creation. After
  // removing the old interface it will superceded |block_ecryptfs| flag to
  // enforce mandatory migrations.
  VaultEncryptionType encryption_type = 3;
}

message PreparePersistentVaultReply {
  // The status of the operation.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 3;
}

message PrepareVaultForMigrationRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
}

message PrepareVaultForMigrationReply {
  // The status of the operation.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 3;
}

// ------------------------- ArcQuota Interface -------------------------

// Input parameters to GetArcDiskFeatures().
message GetArcDiskFeaturesRequest {}

// Output parameters for GetArcDiskFeatures().
message GetArcDiskFeaturesReply {
  // Set to true if Quota feature is supported for ARC Disk/Storage.
  bool quota_supported = 1;
}

// Input parameters to GetCurrentSpaceForArcUid().
message GetCurrentSpaceForArcUidRequest {
  // The Android UID for whom we are going to query the disk usage.
  // Note that Android UID is a shifted UID.
  uint32 uid = 1;
}

// Output parameters for GetCurrentSpaceForArcUid().
message GetCurrentSpaceForArcUidReply {
  // The current disk space usage for the given Android UID.
  // Will be a negative number if the request fails. See
  // cryptohome/arc_disk_quota.h for more details.
  int64 cur_space = 1;
}

// Input parameters to GetCurrentSpaceForArcGid().
message GetCurrentSpaceForArcGidRequest {
  // The Android GID for whom we are going to query the disk usage.
  // Note that Android GID is a shifted GID.
  uint32 gid = 1;
}

// Output parameters for GetCurrentSpaceForArcGid().
message GetCurrentSpaceForArcGidReply {
  // The current disk space usage for the given Android GID.
  // Will be a negative number if the request fails. See
  // cryptohome/arc_disk_quota.h for more details.
  int64 cur_space = 1;
}

// Input parameters to GetCurrentSpaceForArcProjectId().
message GetCurrentSpaceForArcProjectIdRequest {
  // The project ID for whom we are going to query the disk usage.
  uint32 project_id = 1;
}

// Output parameters for GetCurrentSpaceForArcProjectId().
message GetCurrentSpaceForArcProjectIdReply {
  // The current disk space usage for the given project ID.
  // Will be a negative number if the request fails. See
  // cryptohome/arc_disk_quota.h for more details.
  int64 cur_space = 1;
}

// Type of paths that are allowed for SetProjectId.
enum SetProjectIdAllowedPathType {
  // /home/user/<obfuscated_username>/MyFiles/Downloads/
  PATH_DOWNLOADS = 0;
  // /home/root/<obfuscated_username>/android-data/
  PATH_ANDROID_DATA = 1;
}

// Input parameters to SetProjectId().
message SetProjectIdRequest {
  // The project ID.
  uint32 project_id = 1;

  // |parent_path|, |child_path| and |account_id| are used for constructing the
  // target path. (e.g.
  // /home/user/<obfuscated_username>/MyFiles/Downloads/<child_path> for
  // parent_path=PATH_DOWNLOADS)
  SetProjectIdAllowedPathType parent_path = 2;
  string child_path = 3;
  cryptohome.AccountIdentifier account_id = 4;
}

// Output parameters for SetProjectId().
message SetProjectIdReply {
  // Set to true if ioctl syscall for setting the project ID succeeds.
  bool success = 1;
}

// Input parameters to SetMediaRWDataFileProjectId().
message SetMediaRWDataFileProjectIdRequest {
  // The project ID.
  uint32 project_id = 1;
}

// Output parameters for SetMediaRWDataFileProjectId().
message SetMediaRWDataFileProjectIdReply {
  // Set to true if ioctl syscall for setting the project ID succeeds.
  bool success = 1;

  // Errno if success == false.
  int32 error = 2;
}

// Input parameters to SetMediaRWDataFileProjectInheritanceFlag().
message SetMediaRWDataFileProjectInheritanceFlagRequest {
  // Set to true if we are setting the project inheritance flag.
  bool enable = 1;
}

// Output parameters for SetMediaRWDataFileProjectInheritanceFlag().
message SetMediaRWDataFileProjectInheritanceFlagReply {
  // Set to true if ioctl syscall for setting the project inheritance flag
  // succeeds.
  bool success = 1;

  // Errno if success == false.
  int32 error = 2;
}

// ------------------------- PKCS#11 Interface -------------------------

// Represents the information about a token in PKCS#11, used by
// Pkcs11GetTpmTokenInfo()
message TpmTokenInfo {
  // The label of the token.
  string label = 1;

  // The pin that is used to access the token.
  // Note that in most cases this is a default well known value.
  string user_pin = 2;

  // The slot number of the token.
  int32 slot = 3;
}

// Input parameters to Pkcs11IsTpmTokenReady()
message Pkcs11IsTpmTokenReadyRequest {
  // Nothing at the moment.
}

// Output parameters for Pkcs11IsTpmTokenReady()
message Pkcs11IsTpmTokenReadyReply {
  // True if the TPM-backed token store for all mount is ready for access.
  // That is, every TPM-backed token store associated with a mount is in an
  // initialized state.
  bool ready = 1;
}

// Input parameters to Pkcs11GetTpmTokenInfo()
message Pkcs11GetTpmTokenInfoRequest {
  // If username is empty or not set, then the information regarding system TPM
  // token is returned. Otherwise, the user TPM token is returned.
  string username = 1;
}

// Output parameters for Pkcs11GetTpmTokenInfo()
message Pkcs11GetTpmTokenInfoReply {
  // The TPM Token information, generally it's the stuffs required to access
  // the TPM token.
  TpmTokenInfo token_info = 1;
}

// Input parameters to Pkcs11Terminate()
message Pkcs11TerminateRequest {
  // This call will remove all PKCS#11 token store that is associated with a
  // mount.

  // Username is currently unused.
  string username = 1;
}

// Output parameters for Pkcs11Terminate()
message Pkcs11TerminateReply {
  // Nothing at the moment.
}

// Input parameters to Pkcs11RestoreTpmTokens()
message Pkcs11RestoreTpmTokensRequest {
  // This call will retrieve all the tokens to chaps.

  // Nothing at the moment.
}

// Output parameters for Pkcs11RestoreTpmTokens()
message Pkcs11RestoreTpmTokensReply {
  // Nothing at the moment.
}

// ----------------------- Install Attributes Interface -----------------------

// The possible states of Install Attributes module, this is used by
// InstallAttributesGetStatus().
enum InstallAttributesState {
  // See InstallAttributes::Status in install_attributes.h for definition
  // of these states.
  UNKNOWN = 0;
  TPM_NOT_OWNED = 1;
  FIRST_INSTALL = 2;
  VALID = 3;
  INVALID = 4;
}

// Input parameters to InstallAttributesGet()
message InstallAttributesGetRequest {
  // Name of the install attributes to retrieve.
  // There's no explicit requirement about the name, so generally it can be
  // any valid string.
  string name = 1;
}

// Output parameters for InstallAttributesGet()
message InstallAttributesGetReply {
  // Will be set if an error occurred.
  CryptohomeErrorCode error = 1;

  // The value associated with the install attributes.
  bytes value = 2;
}

// Input parameters to InstallAttributesSet()
message InstallAttributesSetRequest {
  // Name of the install attributes to set.
  // There's no explicit requirement about the name, so generally it can be
  // any valid string.
  string name = 1;

  // Value to set for the install attributes.
  bytes value = 2;
}

// Output parameters for InstallAttributesSet()
message InstallAttributesSetReply {
  // Will be set if an error occurred.
  CryptohomeErrorCode error = 1;
}

// Input parameters to InstallAttributesFinalize()
message InstallAttributesFinalizeRequest {
  // There's no parameters to InstallAttributesFinalize() right now.
}

// Output parameters for InstallAttributesFinalize()
message InstallAttributesFinalizeReply {
  // If the install attributes are not finalized successfully, then this
  // error code would be set. Otherwise, the install attribute is correctly
  // finalized.
  CryptohomeErrorCode error = 1;
}

// Input parameters to InstallAttributesGetStatus()
message InstallAttributesGetStatusRequest {
}

// Output parameters for InstallAttributesGetStatus()
message InstallAttributesGetStatusReply {
  // If there's a problem retrieving the status, this will be set.
  CryptohomeErrorCode error = 1;

  // How many install attributes are there?
  int32 count = 2;

  // Returns true if the attribute storage is securely stored. It does not
  // indicate if the store has been finalized, just if the system TPM/Lockbox
  // is being used.
  bool is_secure = 3;

  // The state the install attributes are in.
  InstallAttributesState state = 4;
}

// ----------------- Firmware Management Parameters Interface -----------------

// This represents the content of Firmware Management Parameters
message FirmwareManagementParameters {
  // The Developer Flags, this is part of the FWMP.
  uint32 flags = 1;

  // Developer Key Hash, this is part of the FWMP.
  // For current version of the FWMP (V1.0), this is the size of SHA256.
  bytes developer_key_hash = 2;
}

// Input parameters to GetFirmwareManagementParameters()
message GetFirmwareManagementParametersRequest {
}

// Output parameters for GetFirmwareManagementParameters()
message GetFirmwareManagementParametersReply {
  // If there's a problem retrieving the FWMP, then this will be set.
  CryptohomeErrorCode error = 1;

  // The firmware management parameters that is retrieved.
  FirmwareManagementParameters fwmp = 2;
}

// Input parameters to RemoveFirmwareManagementParameters()
message RemoveFirmwareManagementParametersRequest {
  // Note that calling this function will destroy the NVRAM space that
  // stores the FWMP (if defined).
}

// Output parameters for RemoveFirmwareManagementParameters()
message RemoveFirmwareManagementParametersReply {
  // If there's a problem removing the FWMP, then this will be set.
  CryptohomeErrorCode error = 1;
}

// Input parameters to SetFirmwareManagementParameters()
message SetFirmwareManagementParametersRequest {
  // The firmware management parameters to set.
  FirmwareManagementParameters fwmp = 1;
}

// Output parameters for SetFirmwareManagementParameters()
message SetFirmwareManagementParametersReply {
  // If there's a problem setting the FWMP, then this will be set.
  CryptohomeErrorCode error = 1;
}

// Input parameters to GetSystemSalt()
message GetSystemSaltRequest {
  // No parameter is needed to retrieve the system salt.
}

// Output parameters for GetSystemSalt()
message GetSystemSaltReply {
  // The system salt.
  // Note that the caller should not expect the system salt to be a particular
  // size. The length is defined by the CRYPTOHOME_DEFAULT_SALT_LENGTH
  // constant.
  bytes salt = 1;
}

// Input parameters to UpdateCurrentUserActivityTimestamp()
message UpdateCurrentUserActivityTimestampRequest {
  // This is the time, expressed in number of seconds since the last
  // user activity.
  // For instance, if the unix timestamp now is x, if this value is 5,
  // then the last user activity happened at x-5 unix timestamp.
  // Note that negative values for this parameter is reserved, and should not
  // be used.
  int32 time_shift_sec = 1;
}

// Output parameters for UpdateCurrentUserActivityTimestamp()
message UpdateCurrentUserActivityTimestampReply {
  // This will be set if there's a problem updating the user activity timestamp
  // for any user.
  CryptohomeErrorCode error = 1;
}

// Input parameters to GetSanitizedUsername()
message GetSanitizedUsernameRequest {
  // The username to sanitize.
  string username = 1;
}

// Output parameters for GetSanitizedUsername()
message GetSanitizedUsernameReply {
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 1;
}

// Input parameters to GetLoginStatus()
message GetLoginStatusRequest {}

// Output parameters for GetLoginStatus()
message GetLoginStatusReply {
  // This will be set if there's a problem getting login status.
  CryptohomeErrorCode error = 1;

  // This is set to true if an owner user is specified in the device policy.
  bool owner_user_exists = 2;

  // Note that |boot_lockbox_finalized| is not supplied because current version
  // of bootlockbox doesn't support querying whether it's finalized. The
  // previous version that does support that has been deprecated.

  bool is_locked_to_single_user = 3;
}

// Input parameters to GetStatusString()
message GetStatusStringRequest {}

// Output parameters for GetStatusString()
message GetStatusStringReply {
  // Contains a JSON string that includes some tpm status, mount status and
  // install attributes status information.
  string status = 1;
}

// Input parameters to LockToSingleUserMountUntilReboot()
// Lock the device to single user use.
message LockToSingleUserMountUntilRebootRequest {
  // This represents the "single user", whose mount we are going to lock to.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for LockToSingleUserMountUntilReboot()
// Informs the caller whether the disabling succeeded, that is, whether we are
// now locked to a single user mount.
message LockToSingleUserMountUntilRebootReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;
}

// Input parameters to GetRsuDeviceId()
message GetRsuDeviceIdReply {
  // This will be set if there's a problem getting device ID.
  // Note that to be compliant with behaviours before the refactor, failure
  // in this method call will be reported through DBus error.
  CryptohomeErrorCode error = 1;

  // Returns lookup key for Remote Server Unlock
  bytes rsu_device_id = 2;
}

// Output parameters for GetRsuDeviceId()
message GetRsuDeviceIdRequest {}

// Input parameters to CheckHealth()
message CheckHealthRequest {}

// Output parameters for CheckHealth()
message CheckHealthReply {
  bool requires_powerwash = 2;
}

// Fido make credential public key options.
message FidoMakeCredentialRequest {
  cryptohome.AccountIdentifier account_id = 1;
  cryptohome.fido.PublicKeyCredentialCreationOptions make_credential_options =
      2;
}

// Fido make credential response.
message FidoMakeCredentialReply {
  CryptohomeErrorCode error = 1;
  // Contains MakeCredentialAuthenticatorResponse.
  cryptohome.fido.MakeCredentialAuthenticatorResponse make_credential_response =
      2;
}

// Fido challenge
message FidoGetAssertionRequest {
  cryptohome.fido.PublicKeyCredentialRequestOptions get_assertion_options = 1;
}

message FidoGetAssertionReply {
  CryptohomeErrorCode error = 1;
  // Contains GetAssertionAuthenticatorResponse.
  cryptohome.fido.GetAssertionAuthenticatorResponse get_assertion_response = 2;
}

// AddAuthFactorRequest is built when a user is trying to add an AuthFactor
// for a user. When the call is made, AuthSession should be authenticated. After
// the operation the AuthSession would still be in the authenticated state.
message AddAuthFactorRequest {
  // AuthFactor cannot be added without an active AuthSession running. This id
  // would be used to associate the AuthFactor to an AuthSession.
  bytes auth_session_id = 1;
  // The AuthFactor that will be added for a given user. This should be
  // populated with any factor specific data and metadata.
  // If AuthFactor in the request be constructed with an existing label, the
  // call would return an error.
  AuthFactor auth_factor = 2;
  // In some cases, such as password, the secret would be user supplied. In
  // those cases the secret can be passed here.
  AuthInput auth_input = 3;
}

message AddAuthFactorReply {
  // Return the status of the request.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

// AuthenticateAuthFactorRequest is built when a user is trying to
// authenticate with an AuthFactor for a user. When the call is made,
// AuthSession is in an unauthenticated state. After the operation the
// AuthSession would still be in an authenticated state.
message AuthenticateAuthFactorRequest {
  // AuthFactor cannot be authenticated without an active AuthSession running.
  // This id would be used to associate the AuthFactor to an AuthSession.
  bytes auth_session_id = 1;
  // The AuthFactor label would be used to determine the AuthFactor that
  // needs to be authenticated. If the label does not exist, the call would
  // return an error.
  bytes auth_factor_label = 2;
  // In some cases, such as password, the secret would be user supplied. In
  // those cases the secret can be passed here.
  AuthInput auth_input = 3;
}

message AuthenticateAuthFactorReply {
  // Return the status of the request.
  // TODO(b/229807416): Remove once CryptohomeError refactor is complete.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
  // Returns if the Auth Session is authenticated.
  bool authenticated = 3;
}

// UpdateAuthFactorRequest is built when a user is trying to
// update an AuthFactor for a user. old_auth_factor_label would identify
// the AuthFactor that the request is trying to update. When the call is made,
// AuthSession is in an authenticated state. After the operation the
// AuthSession would still be in an authenticated state.
message UpdateAuthFactorRequest {
  // AuthFactor cannot be updated without an active and authenticated
  // AuthSession running. This id would be used to associate the AuthFactor to
  // an AuthSession.
  bytes auth_session_id = 1;
  // Label to identify the existing AuthFactor.
  string old_auth_factor_label = 2;
  // The AuthFactor that we will replace the existing AuthFactor with. The full
  // structure should be populated with factor specific data and metadata. The
  // new label should either be same as old_auth_factor_label or be different
  // than anything else that exist for a user already.
  AuthFactor auth_factor = 3;
  // In some cases, such as password, the secret would be user supplied. In
  // those cases the secret can be passed here
  AuthInput auth_input = 4;
}

message UpdateAuthFactorReply {
  // Return the status of the request.
  CryptohomeErrorCode error = 1;
}

// RemoveAuthFactorRequest is built when a user is trying to
// remove an AuthFactor for a user. auth_factor_label would identify
// the AuthFactor that the request is trying to remove. When the call is made,
// AuthSession is in an authenticated state. After the operation the
// AuthSession would still be in an authenticated state.
message RemoveAuthFactorRequest {
  // AuthFactor cannot be removed without an authenticated AuthSession running.
  // This id would be used to get the user whose AuthFactor the call is trying
  // to delete.
  bytes auth_session_id = 1;
  // The AuthFactor label would be used to determine the AuthFactor that
  // needs to be removed.
  // If this AuthFactor is the last AuthFactor for a given user, then the call
  // would return an error stating that.
  string auth_factor_label = 2;
}

message RemoveAuthFactorReply {
  // Return the status of the request.
  CryptohomeErrorCode error = 1;
}

// GetRecoveryRequestRequest is built when a user is trying to get the
// recovery payload for CryptohomeRecoveryAuthFactor for a user. When the call
// is made, AuthSession is in an unauthenticated state. After the operation the
// AuthSession would still be in an unauthenticated state.
message GetRecoveryRequestRequest {
  enum UserType {
    UNKNOWN = 0;
    GAIA_ID = 1;
  }

  // This id would be used to associate the AuthFactor to an AuthSession.
  bytes auth_session_id = 1;
  // Label to identify the existing cryptohome recovery AuthFactor.
  string auth_factor_label = 2;

  UserType requestor_user_id_type = 3;
  // Format of `requestor_user_id` is determined by `requestor_user_id_type`
  // enum. For GAIA_ID it's number string obfuscated Gaia id.
  string requestor_user_id = 4;
  // Access token with reauth scope.
  string gaia_access_token = 5;
  // A short-lived token, it's validity will be verified by the Recovery
  // Service.
  string gaia_reauth_proof_token = 6;
  // Serialized cryptohome.cryptorecovery.CryptoRecoveryEpochResponse.
  // An epoch response received from Recovery Mediator service containing epoch
  // beacon value for Cryptohome recovery flow.
  bytes epoch_response = 7;
}

message GetRecoveryRequestReply {
  CryptohomeErrorCode error = 1;
  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
  // Serialized cryptohome.cryptorecovery.CryptoRecoveryRpcRequest, to be sent
  // to the recovery server.
  bytes recovery_request = 3;
}