Refactor Nigori bridge before new cryptographer adoption

The patch migrates away from some APIs that won't exist in the future
and adopts NigoriKeyBag more broadly to avoid dealing with strings.

Bug: 967417
Change-Id: Ieb4b9461fe2a4704b79539994ce92b9e25bff2b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1821780
Commit-Queue: Mikel Astiz <mastiz@chromium.org>
Reviewed-by: Maksim Moskvitin <mmoskvitin@google.com>
Cr-Commit-Position: refs/heads/master@{#699772}

components/sync/nigori/nigori_key_bag.cc

@@ -155,6 +155,11 @@ bool NigoriKeyBag::EncryptWithKey(
   return true;
 }
 
+bool NigoriKeyBag::CanDecrypt(
+    const sync_pb::EncryptedData& encrypted_input) const {
+  return HasKey(encrypted_input.key_name());
+}
+
 bool NigoriKeyBag::Decrypt(const sync_pb::EncryptedData& encrypted_input,
                            std::string* decrypted_output) const {
   DCHECK(decrypted_output);

components/sync/nigori/nigori_key_bag.h

@@ -62,6 +62,9 @@ class NigoriKeyBag {
                       const std::string& input,
                       sync_pb::EncryptedData* encrypted_output) const;
 
+  // Returns whether the key required to decrypt |encrypted_input| is known.
+  bool CanDecrypt(const sync_pb::EncryptedData& encrypted_input) const;
+
   // Decryption of strings (possibly binary). Returns true if success.
   // |decrypted_output| must not be null.
   bool Decrypt(const sync_pb::EncryptedData& encrypted_input,

components/sync/nigori/nigori_sync_bridge_impl.h

@@ -124,10 +124,10 @@ class NigoriSyncBridgeImpl : public KeystoreKeysHandler,
   // passphrase if SCRYPT is enabled.
   const base::RepeatingCallback<std::string()> random_salt_generator_;
 
-  // Stores serialized sync_pb::NigoriKey derived from explicit passphrase and
-  // loaded from the prefs. Empty if prefs doesn't contain this key or in case
-  // of decryption/decoding errors.
-  std::string serialized_explicit_passphrase_key_;
+  // Stores a key derived from explicit passphrase and loaded from the prefs.
+  // Empty (i.e. default value) if prefs doesn't contain this key or in case of
+  // decryption/decoding errors.
+  const sync_pb::NigoriKey explicit_passphrase_key_;
 
   // Base64 encoded keystore keys. The last element is the current keystore
   // key. These keys are not a part of Nigori node and are persisted

components/sync/syncable/directory_cryptographer.cc

@@ -164,6 +164,21 @@ bool DirectoryCryptographer::AddNonDefaultKey(const KeyParams& params) {
       /*set_as_default=*/false);
 }
 
+void DirectoryCryptographer::AddAllUnknownKeysFrom(const NigoriKeyBag& other) {
+  key_bag_.AddAllUnknownKeysFrom(other);
+}
+
+void DirectoryCryptographer::SelectDefaultEncryptionKey(
+    const std::string& key_name) {
+  DCHECK(!key_name.empty());
+  DCHECK(key_bag_.HasKey(key_name));
+  default_nigori_name_ = key_name;
+}
+
+void DirectoryCryptographer::ClearPendingKeys() {
+  pending_keys_.reset();
+}
+
 bool DirectoryCryptographer::AddKeyFromBootstrapToken(
     const Encryptor& encryptor,
     const std::string& restored_bootstrap_token) {

components/sync/syncable/directory_cryptographer.h

@@ -123,6 +123,12 @@ class DirectoryCryptographer : public Cryptographer {
   // will become the new default).
   bool AddNonDefaultKey(const KeyParams& params);
 
+  // TODO(crbug.com/967417): Remove when transition of NigoriSyncBridgeImpl is
+  // finished.
+  void AddAllUnknownKeysFrom(const NigoriKeyBag& other);
+  void SelectDefaultEncryptionKey(const std::string& key_name);
+  void ClearPendingKeys();
+
   // Decrypts |encrypted| and uses its contents to initialize Nigori instances.
   // Returns true unless decryption of |encrypted| fails. The caller is
   // responsible for checking that CanDecrypt(encrypted) == true.