Revert "Revert "cablev2: add authenticator logic.""

This reverts commit dc96d8d4.

Reason for revert: Windows is sensitive to export-annotation ordering.

TBR=msramek

Change-Id: I2ac69570957bf7d4a109d4af92dd537c77d97a44
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416572
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/master@{#808136}

device/fido/BUILD.gn

@@ -19,6 +19,8 @@ component("fido") {
     "cable/v2_constants.h",
     "cable/v2_handshake.cc",
     "cable/v2_handshake.h",
+    "cable/websocket_adapter.cc",
+    "cable/websocket_adapter.h",
     "cbor_extract.cc",
     "ed25519_public_key.cc",
     "ed25519_public_key.h",
@@ -114,8 +116,6 @@ component("fido") {
       "cable/fido_cable_handshake_handler.h",
       "cable/fido_tunnel_device.cc",
       "cable/fido_tunnel_device.h",
-      "cable/websocket_adapter.cc",
-      "cable/websocket_adapter.h",
       "client_data.cc",
       "client_data.h",
       "credential_management.cc",
@@ -279,6 +279,19 @@ static_library("cablev2_registration") {
   ]
 }
 
+static_library("cablev2_authenticator") {
+  sources = [
+    "cable/v2_authenticator.cc",
+    "cable/v2_authenticator.h",
+  ]
+  deps = [
+    ":fido",
+    "//components/cbor",
+    "//components/device_event_log",
+    "//services/network/public/mojom",
+  ]
+}
+
 if (is_chromeos) {
   proto_library("u2f_proto") {
     sources = [ "//third_party/cros_system_api/dbus/u2f/u2f_interface.proto" ]
@@ -368,6 +381,7 @@ source_set("test_support") {
   testonly = true
   sources = [ "test_callback_receiver.h" ]
   deps = [
+    ":cablev2_authenticator",
     "//base",
     "//components/apdu",
     "//device/fido",

device/fido/DEPS

@@ -6,6 +6,7 @@ include_rules = [
   "+dbus",
   "+net/base",
   "+net/cert",
+  "+net/cookies",
   "+net/traffic_annotation",
   "+services/network",
   "+third_party/boringssl/src/include",

device/fido/cable/fido_tunnel_device.cc

@@ -67,7 +67,7 @@ constexpr net::NetworkTrafficAnnotationTag kTrafficAnnotation =
             "triggered by significant user action."
           policy_exception_justification:
             "No policy provided because the operation is triggered by "
-            " significant user action."
+            " significant user action. No background activity occurs."
         })");
 
 FidoTunnelDevice::FidoTunnelDevice(

device/fido/cable/v2_authenticator.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef DEVICE_FIDO_CABLE_V2_AUTHENTICATOR_H_
+#define DEVICE_FIDO_CABLE_V2_AUTHENTICATOR_H_
+
+#include <string>
+#include <vector>
+
+#include <stdint.h>
+
+#include "base/callback_forward.h"
+#include "base/containers/span.h"
+#include "base/optional.h"
+#include "device/fido/cable/v2_constants.h"
+#include "device/fido/fido_constants.h"
+#include "services/network/public/mojom/network_context.mojom-forward.h"
+
+namespace device {
+namespace cablev2 {
+namespace authenticator {
+
+// Platform abstracts the actions taken by the platform, i.e. the
+// credential-store operations themselves, plus an interface for BLE
+// advertising.
+class Platform {
+ public:
+  // BLEAdvert represents a currently-transmitting advert. Destroying the object
+  // stops the transmission.
+  class BLEAdvert {
+   public:
+    virtual ~BLEAdvert();
+  };
+
+  virtual ~Platform();
+
+  using MakeCredentialCallback =
+      base::OnceCallback<void(uint32_t status,
+                              base::span<const uint8_t> client_data_json,
+                              base::span<const uint8_t> attestation_obj)>;
+  using GetAssertionCallback =
+      base::OnceCallback<void(uint32_t status,
+                              base::span<const uint8_t> client_data_json,
+                              base::span<const uint8_t> cred_id,
+                              base::span<const uint8_t> auth_data,
+                              base::span<const uint8_t> sig)>;
+
+  virtual void MakeCredential(
+      const std::string& origin,
+      const std::string& rp_id,
+      base::span<const uint8_t> challenge,
+      base::span<const uint8_t> user_id,
+      base::span<const int> algorithms,
+      base::span<const std::vector<uint8_t>> excluded_cred_ids,
+      bool resident_key_required,
+      MakeCredentialCallback callback) = 0;
+
+  virtual void GetAssertion(
+      const std::string& origin,
+      const std::string& rp_id,
+      base::span<const uint8_t> challenge,
+      base::span<const std::vector<uint8_t>> allowed_cred_ids,
+      GetAssertionCallback callback) = 0;
+
+  virtual std::unique_ptr<BLEAdvert> SendBLEAdvert(
+      base::span<uint8_t, 16> payload) = 0;
+};
+
+// Transport abstracts a way of transmitting to, and receiving from, the peer.
+// The framing of messages must be preserved.
+class Transport {
+ public:
+  virtual ~Transport();
+
+  // StartReading requests that the given callback be called whenever a message
+  // arrives from the peer.
+  virtual void StartReading(
+      base::RepeatingCallback<void(base::Optional<std::vector<uint8_t>>)>
+          read_callback) = 0;
+  virtual void Write(std::vector<uint8_t> data) = 0;
+};
+
+// A Transaction is a handle to an ongoing caBLEv2 transaction with a peer.
+class Transaction {
+ public:
+  using CompleteCallback = base::OnceCallback<void()>;
+
+  virtual ~Transaction();
+};
+
+// TransactWithPlaintextTransport allows an arbitrary transport to be used for a
+// caBLEv2 transaction.
+std::unique_ptr<Transaction> TransactWithPlaintextTransport(
+    std::unique_ptr<Platform> platform,
+    std::unique_ptr<Transport> transport,
+    Transaction::CompleteCallback complete_callback);
+
+// TransactFromQRCode starts a network-based transaction based on the decoded
+// contents of a QR code.
+std::unique_ptr<Transaction> TransactFromQRCode(
+    std::unique_ptr<Platform> platform,
+    network::mojom::NetworkContext* network_context,
+    base::span<const uint8_t, kRootSecretSize> root_secret,
+    const std::string& authenticator_name,
+    // TODO: name this constant.
+    base::span<const uint8_t, 16> qr_secret,
+    base::span<const uint8_t, kP256X962Length> peer_identity,
+    base::Optional<std::vector<uint8_t>> contact_id,
+    Transaction::CompleteCallback complete_callback);
+
+// TransactFromQRCode starts a network-based transaction based on the decoded
+// contents of a cloud message.
+std::unique_ptr<Transaction> TransactFromFCM(
+    std::unique_ptr<Platform> platform,
+    network::mojom::NetworkContext* network_context,
+    base::span<const uint8_t, kRootSecretSize> root_secret,
+    std::array<uint8_t, kRoutingIdSize> routing_id,
+    base::span<const uint8_t, kTunnelIdSize> tunnel_id,
+    base::span<const uint8_t> pairing_id,
+    base::span<const uint8_t, kClientNonceSize> client_nonce,
+    Transaction::CompleteCallback complete_callback);
+
+}  // namespace authenticator
+}  // namespace cablev2
+}  // namespace device
+
+#endif  // DEVICE_FIDO_CABLE_V2_AUTHENTICATOR_H_

tools/traffic_annotation/summary/annotations.xml

@@ -30,7 +30,8 @@ Refer to README.md for content description and update process.
  <item id="bluetooth_socket" added_in_milestone="65" hash_code="94099818" type="0" content_hash_code="30932349" os_list="linux,windows" file_path="device/bluetooth/bluetooth_socket_net.cc"/>
  <item id="brandcode_config" added_in_milestone="62" hash_code="109679553" type="0" content_hash_code="128843792" os_list="linux,windows" file_path="chrome/browser/profile_resetter/brandcode_config_fetcher.cc"/>
  <item id="browser_switcher_ieem_sitelist" added_in_milestone="72" hash_code="97159948" type="0" content_hash_code="129062966" os_list="linux,windows" file_path="chrome/browser/browser_switcher/browser_switcher_service.cc"/>
- <item id="cablev2_websocket_from_client" added_in_milestone="86" hash_code="3464399" type="0" content_hash_code="46324469" os_list="windows,linux" file_path="device/fido/cable/fido_tunnel_device.cc"/>
+ <item id="cablev2_websocket_from_authenticator" added_in_milestone="87" hash_code="28613769" type="0" content_hash_code="119863612" os_list="linux,windows" file_path="device/fido/cable/v2_authenticator.cc"/>
+ <item id="cablev2_websocket_from_client" added_in_milestone="86" hash_code="3464399" type="0" content_hash_code="116618103" os_list="windows,linux" file_path="device/fido/cable/fido_tunnel_device.cc"/>
  <item id="captive_portal_service" added_in_milestone="62" hash_code="88754904" type="0" content_hash_code="70737580" os_list="linux,windows" file_path="components/captive_portal/content/captive_portal_service.cc"/>
  <item id="cast_channel_send" added_in_milestone="66" hash_code="103172229" type="0" deprecated="2018-08-23" content_hash_code="33946302" file_path=""/>
  <item id="cast_keep_alive_delegate" added_in_milestone="66" hash_code="134755844" type="0" deprecated="2018-08-23" content_hash_code="66118796" file_path=""/>

tools/traffic_annotation/summary/grouping.xml

@@ -414,6 +414,7 @@ hidden="true" so that these annotations don't show up in the document.
     </sender>
     <sender name="Phone as a Security Key">
       <traffic_annotation unique_id="cablev2_websocket_from_client"/>
+      <traffic_annotation unique_id="cablev2_websocket_from_authenticator"/>
     </sender>
   </group>
 </groups>