Storage Framework

Merge lp:~jamesh/storage-framework/provider-auth-error into lp:storage-framework/devel

provider-auth-error
Merge into devel

Proposed by James Henstridge on 2017-01-24

Status:

Merged

Approved by:

Michi Henning on 2017-01-30

Approved revision:

114

Merged at revision:

105

Proposed branch:

lp:~jamesh/storage-framework/provider-auth-error

Merge into:

lp:storage-framework/devel

Diff against target:

658 lines (+292/-48)

17 files modified

debian/changelog (+3/-0)
include/unity/storage/provider/Exceptions.h (+30/-0)
include/unity/storage/provider/internal/AccountData.h (+3/-3)
include/unity/storage/provider/internal/Handler.h (+5/-1)
include/unity/storage/qt/StorageError.h (+3/-2)
src/provider/Exceptions.cpp (+7/-0)
src/provider/internal/AccountData.cpp (+34/-9)
src/provider/internal/Handler.cpp (+54/-2)
src/provider/internal/ProviderInterface.cpp (+1/-12)
src/provider/internal/ServerImpl.cpp (+1/-0)
src/provider/internal/TestServerImpl.cpp (+1/-0)
src/qt/internal/StorageErrorImpl.cpp (+2/-1)
src/qt/internal/unmarshal_error.cpp (+1/-0)
tests/provider-ProviderInterface/ProviderInterface_test.cpp (+103/-0)
tests/utils/ProviderFixture.cpp (+3/-2)
tests/utils/ProviderFixture.h (+2/-1)
tests/utils/fake-online-accounts-daemon.py (+39/-15)

To merge this branch:

bzr merge lp:~jamesh/storage-framework/provider-auth-error

Undecided

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Michi Henning (community)		2017-01-24	Approve on 2017-01-30
unity-api-1-bot	continuous-integration		Approve on 2017-01-27
Review via email: mp+315429@code.launchpad.net

Commit message

Add an UnauthorizedException that providers can use to signal when the credentials provided by online-accounts are invalid or have expired.

Description of the change

Add an UnauthorizedException that providers can use to signal when the credentials provided by online-accounts are invalid or have expired.

If a provider throws this error, the request will be retried a single time after attempting to authenticate a second time while asking for stored credentials to be invalidated.

Revision history for this message

unity-api-1-bot (unity-api-1-bot) wrote on 2017-01-24:

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/239/rebuild

review: Needs Fixing (continuous-integration)

lp:~jamesh/storage-framework/provider-auth-error updated on 2017-01-24

110. By James Henstridge on 2017-01-24: Don't call the ProviderBase implementation if authentication failed.

Revision history for this message

unity-api-1-bot (unity-api-1-bot) wrote on 2017-01-24:

FAILED: Continuous integration, rev:110
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/240/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/unity-api-1/job/build/1509/console
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-0-fetch/1516
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1294
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1294/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1294
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1294/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1294
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1294/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1294
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1294/artifact/output/*zip*/output.zip
    FAILURE: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=xenial+overlay/1294/console
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1294
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1294/artifact/output/*zip*/output.zip

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/240/rebuild

review: Needs Fixing (continuous-integration)

lp:~jamesh/storage-framework/provider-auth-error updated on 2017-01-24

111. By James Henstridge on 2017-01-24: Fix up handling of invalid credentials so that they actually get
re-requested on failure.

Revision history for this message

unity-api-1-bot (unity-api-1-bot) wrote on 2017-01-24:

PASSED: Continuous integration, rev:111
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/241/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build/1511
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-0-fetch/1518
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1296
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1296/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1296
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1296/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1296
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1296/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1296
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1296/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=xenial+overlay/1296
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=xenial+overlay/1296/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1296
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1296/artifact/output/*zip*/output.zip

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/241/rebuild

review: Approve (continuous-integration)

lp:~jamesh/storage-framework/provider-auth-error updated on 2017-01-25

112. By James Henstridge on 2017-01-25: Merge from devel
113. By James Henstridge on 2017-01-25: Update debian/changelog

Revision history for this message

unity-api-1-bot (unity-api-1-bot) wrote on 2017-01-25:

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/242/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

unity-api-1-bot (unity-api-1-bot) wrote on 2017-01-25:

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/243/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

unity-api-1-bot (unity-api-1-bot) wrote on 2017-01-25:

PASSED: Continuous integration, rev:113
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/244/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build/1523
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-0-fetch/1530
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1308
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1308/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1308
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1308/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1308
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1308/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1308
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1308/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=xenial+overlay/1308
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=xenial+overlay/1308/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1308
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1308/artifact/output/*zip*/output.zip

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/244/rebuild

review: Approve (continuous-integration)

Revision history for this message

Michi Henning (michihenning) wrote on 2017-01-27:

This looks good! I left a comment on the doc inline.

lp:~jamesh/storage-framework/provider-auth-error updated on 2017-01-27

114. By James Henstridge on 2017-01-27: Update documentation based on Michi's review.

Revision history for this message

unity-api-1-bot (unity-api-1-bot) wrote on 2017-01-27:

PASSED: Continuous integration, rev:114
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/245/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build/1527
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-0-fetch/1534
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1312
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=xenial+overlay/1312/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1312
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=amd64,release=zesty/1312/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1312
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=xenial+overlay/1312/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1312
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=armhf,release=zesty/1312/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=xenial+overlay/1312
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=xenial+overlay/1312/artifact/output/*zip*/output.zip
    SUCCESS: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1312
        deb: https://jenkins.canonical.com/unity-api-1/job/build-2-binpkg/arch=i386,release=zesty/1312/artifact/output/*zip*/output.zip

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-storage-framework-ci/245/rebuild

review: Approve (continuous-integration)

Revision history for this message

Michi Henning (michihenning) wrote on 2017-01-30:

Looks good!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

James Henstridge

Michi Henning

 === modified file 'debian/changelog'
 --- debian/changelog	2016-12-20 03:48:43 +0000
 +++ debian/changelog	2017-01-27 09:28:36 +0000
@@ -1,6 +1,9 @@
  storage-framework (0.3-0ubuntu1) UNRELEASED; urgency=medium
    * Make providers exit after 30 seconds of inactivity. (LP: #1616758)
++  * Add UnauthorizedException to the provider library, so the provider
++    can trigger reauthentication of the account and have the request
++    restarted. (LP: #1616756)
   -- James Henstridge <james.henstridge@canonical.com>  Tue, 20 Dec 2016 11:46:21 +0800
 === modified file 'include/unity/storage/provider/Exceptions.h'
 --- include/unity/storage/provider/Exceptions.h	2016-08-05 05:37:23 +0000
 +++ include/unity/storage/provider/Exceptions.h	2017-01-27 09:28:36 +0000
@@ -105,7 +105,37 @@
  };
  /**
++\brief Indicates that an operation failed because the authentication credentials are invalid or expired.
++
++A provider implementation must throw this exception if it cannot reach
++its provider because the credentials are invalid. Do not throw this
++exception if the credentials are valid, but an operation failed due to
++insufficient permission for an item (such as an attempt to write to a
++read-only file).
++
++Typically, this will cause the request to be retried after refreshing
++the authentication credentials, but may be returned to the client on
++repeated failures.
++
++\see PermissionException
++*/
++class UNITY_STORAGE_EXPORT UnauthorizedException : public StorageException
++{
++public:
++    UnauthorizedException(std::string const& error_message);
++    ~UnauthorizedException();
++};
++
++/**
  \brief Indicates that an operation failed because of a permission problem.
++
++A provider implementation must throw this exception if it can
++authenticate with its provider, but the provider denied the operation
++due to insufficient permission for an item (such as an attempt to
++write to a read-only file). Do not throw this exception for failure to
++authenticate with the provider.
++
++\see UnauthorizedException
  */
  class UNITY_STORAGE_EXPORT PermissionException : public StorageException
+ {
 === modified file 'include/unity/storage/provider/internal/AccountData.h'
 --- include/unity/storage/provider/internal/AccountData.h	2016-12-20 02:31:23 +0000
 +++ include/unity/storage/provider/internal/AccountData.h	2017-01-27 09:28:36 +0000
@@ -66,7 +66,7 @@
                  QObject* parent=nullptr);
      virtual ~AccountData();
--    void authenticate(bool interactive);
++    void authenticate(bool interactive, bool invalidate_cache=false);
      bool has_credentials();
      Credentials const& credentials();
@@ -90,9 +90,9 @@
      QPointer<OnlineAccounts::Account> const account_;
      std::unique_ptr<OnlineAccounts::PendingCallWatcher> auth_watcher_;
      bool authenticating_interactively_ = false;
++    bool authenticating_invalidate_cache_ = false;
--    bool credentials_valid_ = false;
--    Credentials credentials_;
++    Credentials credentials_ = boost::blank();
      Q_DISABLE_COPY(AccountData)
  };
 === modified file 'include/unity/storage/provider/internal/Handler.h'
 --- include/unity/storage/provider/internal/Handler.h	2016-12-20 02:49:22 +0000
 +++ include/unity/storage/provider/internal/Handler.h	2017-01-27 09:28:36 +0000
@@ -53,11 +53,12 @@
              Callback const& callback,
              QDBusConnection const& bus, QDBusMessage const& message);
--public Q_SLOTS:
      void begin();
  private Q_SLOTS:
++    void on_authenticated();
      void credentials_received();
++    void handle_unauthorized(std::exception_ptr ep);
      void send_reply();
  Q_SIGNALS:
@@ -76,6 +77,7 @@
      boost::future<void> reply_future_;
      Context context_;
      QDBusMessage reply_;
++    bool retry_ = false;
      Q_DISABLE_COPY(Handler)
  };
@@ -84,3 +86,5 @@
+ }
+ }
+ }
++
++Q_DECLARE_METATYPE(std::exception_ptr)
 === modified file 'include/unity/storage/qt/StorageError.h'
 --- include/unity/storage/qt/StorageError.h	2016-10-12 06:05:29 +0000
 +++ include/unity/storage/qt/StorageError.h	2017-01-27 09:28:36 +0000
@@ -58,8 +58,9 @@
      enum Type
+     {
--        NoError, LocalCommsError, RemoteCommsError, RuntimeDestroyed, NotExists, Exists, Conflict,
--        PermissionDenied, Cancelled, LogicError, InvalidArgument, ResourceError, QuotaExceeded,
++        NoError, LocalCommsError, RemoteCommsError, RuntimeDestroyed,
++        NotExists, Exists, Conflict, PermissionDenied, Cancelled, LogicError,
++        InvalidArgument, ResourceError, QuotaExceeded, Unauthorized,
          __LAST_STORAGE_ERROR
      };
      Q_ENUMS(Type)
 === modified file 'src/provider/Exceptions.cpp'
 --- src/provider/Exceptions.cpp	2016-08-05 05:37:23 +0000
 +++ src/provider/Exceptions.cpp	2017-01-27 09:28:36 +0000
@@ -97,6 +97,13 @@
  ConflictException::~ConflictException() = default;
++UnauthorizedException::UnauthorizedException(string const& error_message)
++    : StorageException("UnauthorizedException", error_message)
++{
++}
++
++UnauthorizedException::~UnauthorizedException() = default;
++
  PermissionException::PermissionException(string const& error_message)
      : StorageException("PermissionException", error_message)
+ {
 === modified file 'src/provider/internal/AccountData.cpp'
 --- src/provider/internal/AccountData.cpp	2016-12-20 02:31:23 +0000
 +++ src/provider/internal/AccountData.cpp	2017-01-27 09:28:36 +0000
@@ -68,23 +68,48 @@
      return *jobs_;
+ }
--void AccountData::authenticate(bool interactive)
++void AccountData::authenticate(bool interactive, bool invalidate_cache)
+ {
--    // If there is an existing authenticating session running, use
--    // that existing session (unless it is a non-interactive session
--    // and we've requested interactivity).
--    if (auth_watcher_ && (authenticating_interactively_ || !interactive))
++    // If there is an existing authentication session running, check
++    // if it matches our requirements.
++    if (auth_watcher_)
+     {
--        return;
++        if (invalidate_cache)
++        {
++            // If invalidate_cache has been requested, the existing
++            // session must also be invalidating the cache.
++            if (authenticating_invalidate_cache_)
++            {
++                return;
++            }
++        }
++        else if (interactive)
++        {
++            // If interactive has been requested, the existing session
++            // must also be interactive.
++            if (authenticating_interactively_)
++            {
++                return;
++            }
++        }
++        else
++        {
++            // Otherwise, any session will do.
++            return;
++        }
+     }
      authenticating_interactively_ = interactive;
--    credentials_valid_ = false;
++    authenticating_invalidate_cache_ = invalidate_cache;
      credentials_ = boost::blank();
      OnlineAccounts::AuthenticationData auth_data(
          account_->authenticationMethod());
      auth_data.setInteractive(interactive);
++    if (invalidate_cache)
++    {
++        auth_data.invalidateCachedReply();
++    }
      OnlineAccounts::PendingCall call = account_->authenticate(auth_data);
      auth_watcher_.reset(new OnlineAccounts::PendingCallWatcher(call));
      connect(auth_watcher_.get(), &OnlineAccounts::PendingCallWatcher::finished,
@@ -93,7 +118,8 @@
  bool AccountData::has_credentials()
+ {
--    return credentials_valid_;
++    // variant index 0 is boost::blank
++    return credentials_.which() != 0;
+ }
  Credentials const& AccountData::credentials()
@@ -104,7 +130,6 @@
  void AccountData::on_authenticated()
+ {
      credentials_ = boost::blank();
--    credentials_valid_ = true;
      switch (account_->authenticationMethod()) {
      case OnlineAccounts::AuthenticationMethodOAuth1:
+     {
 === modified file 'src/provider/internal/Handler.cpp'
 --- src/provider/internal/Handler.cpp	2016-12-20 02:49:22 +0000
 +++ src/provider/internal/Handler.cpp	2017-01-27 09:28:36 +0000
@@ -56,6 +56,35 @@
  void Handler::begin()
+ {
++    // If we have already retrieved credentials from OnlineAccounts,
++    // and we aren't retrying the request, go to on_authenticated
++    // immediately.
++    if (account_->has_credentials() && !retry_)
++    {
++        on_authenticated();
++        return;
++    }
++
++    // Otherwise, try to authenticate and wait for the result.
++    account_->authenticate(true, retry_);
++    connect(account_.get(), &AccountData::authenticated,
++            this, &Handler::on_authenticated);
++}
++
++void Handler::on_authenticated()
++{
++    disconnect(account_.get(), &AccountData::authenticated,
++               this, &Handler::on_authenticated);
++    if (!account_->has_credentials())
++    {
++        string msg = "Handler::begin(): could not retrieve account credentials";
++        qDebug() << QString::fromStdString(msg);
++        auto ep = make_exception_ptr(UnauthorizedException(msg));
++        marshal_exception(ep);
++        QMetaObject::invokeMethod(this, "send_reply", Qt::QueuedConnection);
++        return;
++    }
++
      // Need to put security check in here.
      auto peer_future = account_->dbus_peer().get(message_.service());
      creds_future_ = peer_future.then(
@@ -72,9 +101,9 @@
+             }
              else
+             {
--                string msg = "Handler::begin(): could not retrieve credentials";
++                string msg = "Handler::begin(): could not retrieve D-Bus peer credentials";
                  qDebug() << QString::fromStdString(msg);
--                auto ep = make_exception_ptr(PermissionException(msg));
++                auto ep = make_exception_ptr(UnauthorizedException(msg));
                  marshal_exception(ep);
                  QMetaObject::invokeMethod(this, "send_reply",
                                            Qt::QueuedConnection);
@@ -104,6 +133,13 @@
+             {
                  reply_ = f.get();
+             }
++            catch (UnauthorizedException const& e)
++            {
++                QMetaObject::invokeMethod(this, "handle_unauthorized",
++                                          Qt::QueuedConnection,
++                                          Q_ARG(std::exception_ptr, current_exception()));
++                return;
++            }
              catch (std::exception const& e)
+             {
                  marshal_exception(current_exception());
@@ -112,6 +148,22 @@
          });
+ }
++void Handler::handle_unauthorized(exception_ptr ep)
++{
++    if (retry_)
++    {
++        // We've already retried once, so send error out as is.
++        marshal_exception(ep);
++        send_reply();
++    }
++    else
++    {
++        // Otherwise, restart the request with the retry_ flag set.
++        retry_ = true;
++        begin();
++    }
++}
++
  void Handler::send_reply()
+ {
      bus_.send(reply_);
 === modified file 'src/provider/internal/ProviderInterface.cpp'
 --- src/provider/internal/ProviderInterface.cpp	2016-12-20 03:00:07 +0000
 +++ src/provider/internal/ProviderInterface.cpp	2017-01-27 09:28:36 +0000
@@ -66,18 +66,7 @@
          new Handler(account_, callback, connection(), message()));
      connect(handler.get(), &Handler::finished, this, &ProviderInterface::request_finished);
      setDelayedReply(true);
--    // If we haven't retrieved the authentication details from
--    // OnlineAccounts, delay processing the handler until then.
--    if (account_->has_credentials())
--    {
--        handler->begin();
--    }
--    else
--    {
--        account_->authenticate(true);
--        connect(account_.get(), &AccountData::authenticated,
--                handler.get(), &Handler::begin);
--    }
++    handler->begin();
      requests_.emplace(handler.get(), std::move(handler));
+ }
 === modified file 'src/provider/internal/ServerImpl.cpp'
 --- src/provider/internal/ServerImpl.cpp	2016-12-20 07:29:02 +0000
 +++ src/provider/internal/ServerImpl.cpp	2017-01-27 09:28:36 +0000
@@ -48,6 +48,7 @@
      , service_id_(account_service_id)
      , trace_message_handler_("storage_provider")
+ {
++    qRegisterMetaType<std::exception_ptr>();
      qDBusRegisterMetaType<Item>();
      qDBusRegisterMetaType<std::vector<Item>>();
+ }
 === modified file 'src/provider/internal/TestServerImpl.cpp'
 --- src/provider/internal/TestServerImpl.cpp	2016-12-20 02:31:23 +0000
 +++ src/provider/internal/TestServerImpl.cpp	2017-01-27 09:28:36 +0000
@@ -54,6 +54,7 @@
      : connection_(connection), object_path_(object_path),
        inactivity_timer_(make_shared<InactivityTimer>(TIMEOUT))
+ {
++    qRegisterMetaType<std::exception_ptr>();
      qDBusRegisterMetaType<Item>();
      qDBusRegisterMetaType<std::vector<Item>>();
 === modified file 'src/qt/internal/StorageErrorImpl.cpp'
 --- src/qt/internal/StorageErrorImpl.cpp	2016-10-13 06:48:11 +0000
 +++ src/qt/internal/StorageErrorImpl.cpp	2017-01-27 09:28:36 +0000
@@ -48,7 +48,8 @@
      QStringLiteral("Cancelled"),
      QStringLiteral("LogicError"),
      QStringLiteral("InvalidArgument"),
--    QStringLiteral("ResourceError")
++    QStringLiteral("ResourceError"),
++    QStringLiteral("Unauthorized"),
  };
  }  // namespace
 === modified file 'src/qt/internal/unmarshal_error.cpp'
 --- src/qt/internal/unmarshal_error.cpp	2016-09-29 03:17:56 +0000
 +++ src/qt/internal/unmarshal_error.cpp	2017-01-27 09:28:36 +0000
@@ -82,6 +82,7 @@
      { "NotExistsException",       make_error<StorageError::Type::NotExists> },
      { "ExistsException",          make_error<StorageError::Type::Exists> },
      { "ConflictException",        make_error<StorageError::Type::Conflict> },
++    { "UnauthorizedException",    make_error<StorageError::Type::Unauthorized> },
      { "PermissionException",      make_error<StorageError::Type::PermissionDenied> },
      { "CancelledException",       make_error<StorageError::Type::Cancelled> },
      { "LogicException",           make_error<StorageError::Type::LogicError> },
 === modified file 'tests/provider-ProviderInterface/ProviderInterface_test.cpp'
 --- tests/provider-ProviderInterface/ProviderInterface_test.cpp	2017-01-12 06:02:30 +0000
 +++ tests/provider-ProviderInterface/ProviderInterface_test.cpp	2017-01-27 09:28:36 +0000
@@ -17,12 +17,14 @@
   */
  #include <unity/storage/internal/dbus_error.h>
++#include <unity/storage/provider/Exceptions.h>
  #include <unity/storage/provider/ProviderBase.h>
  #include <unity/storage/provider/testing/TestServer.h>
  #include "TestProvider.h"
  #include <utils/ProviderFixture.h>
++#include <utils/gtest_printer.h>
  #include <gtest/gtest.h>
  #include <OnlineAccounts/Account>
@@ -45,6 +47,9 @@
  using namespace std;
  using unity::storage::ItemType;
  using unity::storage::provider::ProviderBase;
++using unity::storage::provider::Context;
++using unity::storage::provider::PasswordCredentials;
++using unity::storage::provider::UnauthorizedException;
  using unity::storage::provider::testing::TestServer;
  namespace {
@@ -781,6 +786,104 @@
      EXPECT_EQ(ItemType::file, item.type);
+ }
++class ReauthenticateProvider : public TestProvider
++{
++    boost::future<ItemList> roots(vector<string> const& metadata_keys,
++                                  Context const& ctx) override
++    {
++        Q_UNUSED(metadata_keys);
++        auto password = boost::get<PasswordCredentials>(ctx.credentials).password;
++        boost::promise<ItemList> p;
++        p.set_value({
++            {"root_id", {}, password, "etag", ItemType::root, {}}
++        });
++        return p.get_future();
++    }
++
++    boost::future<Item> metadata(string const& item_id,
++                                 vector<string> const& metadata_keys,
++                                 Context const& ctx) override
++    {
++        Q_UNUSED(metadata_keys);
++        auto password = boost::get<PasswordCredentials>(ctx.credentials).password;
++        boost::promise<Item> p;
++        if (password != "refresh")
++        {
++            p.set_exception(UnauthorizedException("bad password"));
++        }
++        else
++        {
++            p.set_value(
++                {item_id, {"root_id"}, password, "etag", ItemType::file, {}});
++        }
++        return p.get_future();
++    }
++
++    boost::future<ItemList> lookup(string const& parent_id, string const& name,
++                                   vector<string> const& metadata_keys,
++                                   Context const& ctx) override
++    {
++        Q_UNUSED(parent_id);
++        Q_UNUSED(name);
++        Q_UNUSED(metadata_keys);
++        Q_UNUSED(ctx);
++        boost::promise<ItemList> p;
++        p.set_exception(UnauthorizedException("bad password"));
++        return p.get_future();
++    }
++};
++
++TEST_F(ProviderInterfaceTest, need_interactive_auth)
++{
++    // Account #10 fails to authenticate unless done interactively
++    set_provider(unique_ptr<ProviderBase>(new ReauthenticateProvider), 10);
++
++    auto reply = client_->Roots(QList<QString>());
++    wait_for(reply);
++    ASSERT_TRUE(reply.isValid()) << reply.error().message().toStdString();
++    EXPECT_EQ(1, reply.value().size());
++    auto root = reply.value()[0];
++    // Password returned as item name
++    EXPECT_EQ("interactive", root.name);
++}
++
++TEST_F(ProviderInterfaceTest, unauthorized_exception_causes_refresh)
++{
++    set_provider(unique_ptr<ProviderBase>(new ReauthenticateProvider), 10);
++
++    // The Metadata() call will throw UnauthorizedException unless the
++    // password is "refresh".  This will cause the request to be
++    // retried after authenticating a second time while invalidating
++    // stored credentials.
++    auto reply = client_->Metadata("item_id", QList<QString>());
++    wait_for(reply);
++    ASSERT_TRUE(reply.isValid()) << reply.error().message().toStdString();
++    auto item = reply.value();
++    // Password returned as item name
++    EXPECT_EQ("refresh", item.name);
++}
++
++TEST_F(ProviderInterfaceTest, always_unauthorized)
++{
++    set_provider(unique_ptr<ProviderBase>(new ReauthenticateProvider), 10);
++    // lookup() will always throw UnauthorizedException.  Rather than
++    // looping endlessly, the exception is returned to the client.
++    auto reply = client_->Lookup("parent_id", "name", QList<QString>());
++    wait_for(reply);
++    ASSERT_FALSE(reply.isValid());
++    EXPECT_EQ(PROVIDER_ERROR + "UnauthorizedException", reply.error().name());
++}
++
++TEST_F(ProviderInterfaceTest, user_canceled_auth)
++{
++    // Account #11 always returns a UserCanceled error when trying to
++    // authenticate.
++    set_provider(unique_ptr<ProviderBase>(new ReauthenticateProvider), 11);
++    auto reply = client_->Roots(QList<QString>());
++    wait_for(reply);
++    ASSERT_FALSE(reply.isValid());
++    EXPECT_EQ(PROVIDER_ERROR + "UnauthorizedException", reply.error().name());
++}
  int main(int argc, char **argv)
+ {
 === modified file 'tests/utils/ProviderFixture.cpp'
 --- tests/utils/ProviderFixture.cpp	2016-12-20 07:23:54 +0000
 +++ tests/utils/ProviderFixture.cpp	2017-01-27 09:28:36 +0000
@@ -57,10 +57,11 @@
      return dbus_->connection();
+ }
--void ProviderFixture::set_provider(unique_ptr<ProviderBase>&& provider)
++void ProviderFixture::set_provider(unique_ptr<ProviderBase>&& provider,
++                                   unsigned int account_id)
+ {
      account_manager_->waitForReady();
--    OnlineAccounts::Account* account = account_manager_->account(2, "oauth2-service");
++    OnlineAccounts::Account* account = account_manager_->account(account_id);
      ASSERT_NE(nullptr, account);
      test_server_.reset(
 === modified file 'tests/utils/ProviderFixture.h'
 --- tests/utils/ProviderFixture.h	2016-11-23 03:03:58 +0000
 +++ tests/utils/ProviderFixture.h	2017-01-27 09:28:36 +0000
@@ -41,7 +41,8 @@
      virtual void TearDown() override;
      QDBusConnection const& connection() const;
--    void set_provider(std::unique_ptr<unity::storage::provider::ProviderBase>&& provider);
++    void set_provider(std::unique_ptr<unity::storage::provider::ProviderBase>&& provider,
++                      unsigned int account_id = 2);
      void wait_for(QDBusPendingCall const& call);
      QString bus_name() const;
      QString object_path() const;
 === modified file 'tests/utils/fake-online-accounts-daemon.py'
 --- tests/utils/fake-online-accounts-daemon.py	2017-01-13 05:53:50 +0000
 +++ tests/utils/fake-online-accounts-daemon.py	2017-01-27 09:28:36 +0000
@@ -41,7 +41,7 @@
          self.token_secret = token_secret
          self.signature_method = signature_method
--    def serialise(self):
++    def serialise(self, interactive, invalidate):
          return dbus.Dictionary({
              "ConsumerKey": dbus.String(self.consumer_key),
              "ConsumerSecret": dbus.String(self.consumer_secret),
@@ -57,7 +57,7 @@
          self.expires_in = expires_in
          self.granted_scopes = granted_scopes
--    def serialise(self):
++    def serialise(self, interactive, invalidate):
          return dbus.Dictionary({
              "AccessToken": dbus.String(self.access_token),
              "ExpiresIn": dbus.Int32(self.expires_in),
@@ -70,20 +70,36 @@
          self.username = username
          self.password = password
--    def serialise(self):
++    def serialise(self, interactive, invalidate):
          return dbus.Dictionary({
              "Username": dbus.String(self.username),
              "Password": dbus.String(self.password),
          }, signature="sv")
--# A version of Password that incorrectly serialises the credentials
--#   https://bugs.launchpad.net/bugs/1628473
--class Password_Bug1628473(Password):
--    def serialise(self):
--        return dbus.Dictionary({
--            "UserName": dbus.String(self.username),
--            "Secret": dbus.String(self.password),
--        }, signature="sv")
++class CredentialsError:
++    def __init__(self, method, error):
++        assert error in {"NoAccount", "UserCanceled",
++                         "PermissionDenied", "InteractionRequired"}
++        self.method = method
++        self.error = "com.ubuntu.OnlineAccounts.Error." + error
++
++    def serialise(self, interactive, invalidate):
++        raise dbus.DBusException("Error", name=self.error)
++
++class CredentialsByMode:
++    def __init__(self, noninteractive, interactive, refresh):
++        self.method = noninteractive.method
++        self.noninteractive = noninteractive
++        self.interactive = interactive
++        self.refresh = refresh
++
++    def serialise(self, interactive, invalidate):
++        if invalidate:
++            return self.refresh.serialise(interactive, invalidate)
++        elif interactive:
++            return self.interactive.serialise(interactive, invalidate)
++        else:
++            return self.noninteractive.serialise(interactive, invalidate)
  class Account:
      def __init__(self, account_id, name, service_id, credentials, settings=None):
@@ -124,7 +140,7 @@
          sys.stdout.flush()
          for account in self.accounts:
              if account.account_id == account_id and account.service_id == service_id:
--                return account.credentials.serialise()
++                return account.credentials.serialise(interactive, invalidate)
          else:
              raise KeyError(repr((account_id, service_id)))
@@ -136,7 +152,7 @@
          for account in self.accounts:
              if account.service_id == service_id:
                  return (account.serialise(),
--                        account.credentials.serialise())
++                        account.credentials.serialise(True, False))
          else:
              raise KeyError(service_id)
@@ -172,8 +188,16 @@
          Account(3, "Password account", "password-service",
                  Password("user", "pass")),
          Account(4, "Password host account", "password-host-service",
--                Password_Bug1628473("joe", "secret"),
--                {"host": "http://www.example.com/"}),
++                Password("joe", "secret"),
++                {"host": "http://www.example.com/"}),
++        Account(10, "Mode dependent account", "mode-service",
++                CredentialsByMode(
++                    noninteractive=CredentialsError(AUTH_PASSWORD, "InteractionRequired"),
++                    interactive=Password("user", "interactive"),
++                    refresh=Password("user", "refresh")),
++                {"host": "http://www.example.com/"}),
++        Account(11, "User cancel account", "user-cancel-service",
++                CredentialsError(AUTH_PASSWORD, "UserCanceled")),
          Account(42, "Fake test account", "storage-provider-test",
                  OAuth2("fake-test-access-token", 0, [])),
          Account(99, "Fake mcloud account", "storage-provider-mcloud",