ubuntuone-credentials

Merge lp:~mardy/ubuntuone-credentials/signon-plugin-part2 into lp:ubuntuone-credentials

signon-plugin-part2
Merge into trunk

Proposed by Alberto Mardegan on 2016-04-28

Status:	Rejected
Rejected by:	Natalia Bidart on 2017-05-19
Proposed branch:	lp:~mardy/ubuntuone-credentials/signon-plugin-part2
Merge into:	lp:ubuntuone-credentials
Prerequisite:	lp:~mardy/ubuntuone-credentials/signon-plugin-part1
Diff against target:	793 lines (+430/-121) 13 files modified data/ubuntuone.provider (+2/-2) debian/control (+1/-1) libubuntuoneauth/CMakeLists.txt (+4/-0) libubuntuoneauth/authenticator.cpp (+179/-0) libubuntuoneauth/authenticator.h (+71/-0) libubuntuoneauth/keyring.cpp (+52/-67) libubuntuoneauth/keyring.h (+3/-3) libubuntuoneauth/libubuntuoneauth.symbols (+2/-1) libubuntuoneauth/ssoservice.cpp (+35/-13) signon-plugin/tests/test_plugin.cpp (+58/-7) signon-plugin/ubuntuone-plugin.cpp (+19/-26) signon-plugin/ubuntuone-plugin.h (+0/-1) signon-plugin/ubuntuonedata.h (+4/-0)
To merge this branch:	bzr merge lp:~mardy/ubuntuone-credentials/signon-plugin-part2
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
unity-api-1-bot	continuous-integration		Needs Fixing on 2016-06-28
dobey (community)		2016-04-28	Needs Fixing on 2016-05-26
PS Jenkins bot	continuous-integration		Needs Fixing on 2016-04-29
Review via email: mp+293217@code.launchpad.net

Commit Message

Authenticate via the new signon plugin

Description of the Change

Authenticate via the new signon plugin

This adds a couple of new internal classes, under the "Internal" namespace. API and ABI compatibility is preserved.

PS Jenkins bot (ps-jenkins) wrote on 2016-04-28:

FAILED: Continuous integration, rev:247
http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-ci/155/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-wily-amd64-ci/32/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-wily-armhf-ci/32/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-wily-i386-ci/32/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/ubuntuone-credentials-ci/155/rebuild

review: Needs Fixing (continuous-integration)

dobey (dobey) on 2016-04-28:

lp:~mardy/ubuntuone-credentials/signon-plugin-part2 updated on 2016-04-29

248. By Alberto Mardegan on 2016-04-29: Move plugin dependency to lib, add version number

PS Jenkins bot (ps-jenkins) wrote on 2016-04-29:

FAILED: Continuous integration, rev:248
http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-ci/157/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-wily-amd64-ci/34/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-wily-armhf-ci/34/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/ubuntuone-credentials-wily-i386-ci/34/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/ubuntuone-credentials-ci/157/rebuild

review: Needs Fixing (continuous-integration)

dobey (dobey) wrote on 2016-05-26:

Some comments in-line, and where are the tests for the new code?

review: Needs Fixing

lp:~mardy/ubuntuone-credentials/signon-plugin-part2 updated on 2016-05-27

249. By Alberto Mardegan on 2016-05-27: Use Q_DECL_DEPRECATED
250. By Alberto Mardegan on 2016-05-27: handleSessionData is deprecated too
251. By Alberto Mardegan on 2016-05-27: include order
252. By Alberto Mardegan on 2016-05-27: Remove accountmanager singleton
253. By Alberto Mardegan on 2016-05-27: No UI for login()

Alberto Mardegan (mardy) wrote on 2016-05-27:

I added a few commits where I did all the easy/agreeable changes. Other remarks of you require more information.

I developed this branch trying hard not only not to break the API signature, but also to retain its functionality. However, in one of your comments you suggested to empty the Keyring::storeToken() method out and deprecate it, which would break any clients using it. If changes like this are allowed, then I'd need to know what are the methods which we need to keep functional, and those which could be removed. I can do some research myself, but maybe you can help me by giving some pointers on which projects I should be considering. Do I understand right, that the pay-ui repo is deprecated and that everything lives inside pay-service?

I see that the SSOService::login() method is used in pay-service to double-check the user's credentials before a payment, and by the account plugin to create the account. As I understand it, this method performs a couple of different operations:
1) Logs into the U1 account, to check that the given params are valid
2) If they are valid, ensures that the account exists (if not, creates it)
In the case of pay-service, #2 wouldn't normally be needed, but it's an essential functionality for the account plugin, so either we preserve it, or we move it to the account plugin code. Any preference?

Then, about invalidating credentials: this thing was not required in my first implementation, because the signon-plugin was always checking the token validity before returning it, so it would automatically attempt to re-validate it if it was expired. But indeed, now we have to do this in the library. The only small issue with it, is that we need an additional member in the Keyring class to store this information, and we cannot add it without breaking the ABI.

So, three options:
1) we just add it and break ABI, if you are confident that we have no client using the Keyring class directly.
2) use QObject::setProperty() and store this flag as a dynamic property;
3) The Keyring private data currently are Accounts::Manager and Accounts::Account *. We could move enable PIMPL for this class if we replace these two private members with a union:

   union {
       struct {
           Accounts::Manager m;
           Accounts::Account *a;
       } oldPrivateData;
       KeyringPrivate *d_ptr;
   };

Of course, we wouldn't use the members in oldPrivateData, they are needed just to keep the class size constant. That's also ugly, but then we don't have to worry when adding private members anymore.
Which one has your vote?

As for the unit tests, I'll add them later, once you are happy with the code (we'll have plenty of time while this thing is being tested in a silo).

Alberto Mardegan (mardy) wrote on 2016-05-27:

Ouch, I realized one important thing :-)
Now, when login() is called, we invoke the signon-plugin, which will (unless an OTP is given, but the OTP is not enabled for all U1 accounts) just return the cached token and not try to actually login with the given credentials. So, in the case of pay-service, the verification would actually be skipped, except for accounts having 2fa enabled.

Therefore I need to add some parameter to the signon plugin to tell it whether the cached token should be discarded.
And thinking of this, it occurs to me that this could also be the solution to the last issue I raised in my previous comment: the Keyring::invalidateCredentials() method could perform an authentication with this flag specified, so that the signon-plugin would delete its cached token and the next time an app requires to authenticate, it will go through the full flow. I'll create a separate MP for this, OK?

dobey (dobey) wrote on 2016-05-27:

On Fri, 2016-05-27 at 12:51 +0000, Alberto Mardegan wrote:
> I added a few commits where I did all the easy/agreeable changes.
> Other remarks of you require more information.
>
> I developed this branch trying hard not only not to break the API
> signature, but also to retain its functionality. However, in one of
> your comments you suggested to empty the Keyring::storeToken() method
> out and deprecate it, which would break any clients using it. If
> changes like this are allowed, then I'd need to know what are the
> methods which we need to keep functional, and those which could be
> removed. I can do some research myself, but maybe you can help me by
> giving some pointers on which projects I should be considering. Do I
> understand right, that the pay-ui repo is deprecated and that
> everything lives inside pay-service?

Functional here is a relative term. Keyring::storeToken shouldn't be
getting used directly by anything which links to libubuntuoneauth.
Really, the only classes which external apps/libs should be using are
SSOService and Token. Also, I hope we can do further cleanup, after
this lands, and break the API/ABI and get rid a lot of this old cruft
that's been left around. However, I wanted to avoid the work to add the
signon plug-in, and start using it, turning into a giant branch that
basically rewrites everything. So it's fine to make some things outside
the SSOService and Token classes be no-ops and deprecate them.

Yes, lp:pay-ui is dead. The pay-ui code is in pay-service now.

> I see that the SSOService::login() method is used in pay-service to
> double-check the user's credentials before a payment, and by the
> account plugin to create the account. As I understand it, this method
> performs a couple of different operations:
> 1) Logs into the U1 account, to check that the given params are valid
> 2) If they are valid, ensures that the account exists (if not,
> creates it)
> In the case of pay-service, #2 wouldn't normally be needed, but it's
> an essential functionality for the account plugin, so either we
> preserve it, or we move it to the account plugin code. Any
> preference?

The use of login() in pay-ui isn't a "double check" of the credentials.
It is a login. We require a fresh token when making purchases, so if
the user has not logged in during the past 15 minutes, we require them
to log in again to refresh the token. However, the design for the
purchase process requires that the login be part of that purchase flow,
and not a separate window that we pop up. We only pop up the external
U1 login window when there is no U1 account.

I'm not quite sure what you mean in #2 here. My understanding is that
all the actual work to do the login and store the token in the signon
db is done in the signon plug-in already. We need to continue calling
login from pay-service/pay-ui in order for the designed flow to work.

dobey (dobey) wrote on 2016-05-27:

On Fri, 2016-05-27 at 13:07 +0000, Alberto Mardegan wrote:
> Ouch, I realized one important thing :-)
> Now, when login() is called, we invoke the signon-plugin, which will
> (unless an OTP is given, but the OTP is not enabled for all U1
> accounts) just return the cached token and not try to actually login
> with the given credentials. So, in the case of pay-service, the
> verification would actually be skipped, except for accounts having
> 2fa enabled.

This must be fixed. The pay-service usage here isn't verification, it
is to refresh the token.

> Therefore I need to add some parameter to the signon plugin to tell
> it whether the cached token should be discarded.

It should always be replaced by a new token if login is successful. I
don't think we need additional parameters for that, but to just fix the
code so that it works this way.

> And thinking of this, it occurs to me that this could also be the
> solution to the last issue I raised in my previous comment: the
> Keyring::invalidateCredentials() method could perform an
> authentication with this flag specified, so that the signon-plugin
> would delete its cached token and the next time an app requires to
> authenticate, it will go through the full flow. I'll create a
> separate MP for this, OK?

I think Keyring::deleteToken() should probably be made no-op and
flagged as deprecated, and SSOService::invalidateCredentials() should
do whatever is necessary to mark the credentials as invalid.

lp:~mardy/ubuntuone-credentials/signon-plugin-part2 updated on 2016-05-30

254. By Alberto Mardegan on 2016-05-30

Merge clear-cached-token branch

[ Alberto Mardegan ]
* Be more explicit about which headers are installed. Move the symbol
export map to LINK_FLAGS on the target.
* Complete the UbuntuOne authentication plugin
* Make Token::isValid() return false on tokens created out of empty
strings. (LP: #1572943)

255. By Alberto Mardegan on 2016-05-30

Implement credentials invalidation

Alberto Mardegan (mardy) wrote on 2016-05-30:

On Fri, 2016-05-27 at 12:51 +0000, Alberto Mardegan wrote:
> I'm not quite sure what you mean in #2 here. My understanding is that
> all the actual work to do the login and store the token in the signon
> db is done in the signon plug-in already. We need to continue calling
> login from pay-service/pay-ui in order for the designed flow to work.

Weird, I thought I had replied, but something must have gone wrong. Trying again.

The signon-plugin does not create the account, it only cares about the credentials and other authentication data.
The account itself must be created by the account plugin; in its current incarnation, the account plugin is relying on libubuntuoneauth to create the account. This was triggered by calling SSOService::login(), and precisely in Keyring::storeToken().

So the question is: do we keep things like this, or should I investigate the possibility of moving the account creation directly in the account plugin?

unity-api-1-bot (unity-api-1-bot) wrote on 2016-06-28:

FAILED: Continuous integration, rev:255
https://jenkins.canonical.com/unity-api-1/job/lp-ubuntuone-credentials-ci/3/
Executed test runs:
FAILURE: https://jenkins.canonical.com/unity-api-1/job/build/86/console
FAILURE: https://jenkins.canonical.com/unity-api-1/job/build-0-fetch/93/console

Click here to trigger a rebuild:
https://jenkins.canonical.com/unity-api-1/job/lp-ubuntuone-credentials-ci/3/rebuild

review: Needs Fixing (continuous-integration)

Natalia Bidart (nataliabidart) wrote on 2017-05-19:

Started a massive cleanup of old MPs, closing this given its age, please update and re-open if still valid.

Unmerged revisions

255. By Alberto Mardegan on 2016-05-30

Implement credentials invalidation

254. By Alberto Mardegan on 2016-05-30

Merge clear-cached-token branch

253. By Alberto Mardegan on 2016-05-27

No UI for login()

252. By Alberto Mardegan on 2016-05-27

Remove accountmanager singleton

251. By Alberto Mardegan on 2016-05-27

include order

250. By Alberto Mardegan on 2016-05-27

handleSessionData is deprecated too

249. By Alberto Mardegan on 2016-05-27

Use Q_DECL_DEPRECATED

248. By Alberto Mardegan on 2016-04-29

Move plugin dependency to lib, add version number

247. By Alberto Mardegan on 2016-04-28

Inject times into token

246. By Alberto Mardegan on 2016-04-28

WIP -- use plugin in libubuntuoneauth

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Alberto Mardegan

Unity API Team

 === modified file 'data/ubuntuone.provider'
 --- data/ubuntuone.provider	2016-04-19 15:04:15 +0000
 +++ data/ubuntuone.provider	2016-05-30 11:56:38 +0000
@@ -8,8 +8,8 @@
    <template>
      <group name="auth">
--      <setting name="method">password</setting>
--      <setting name="mechanism">password</setting>
++      <setting name="method">ubuntuone</setting>
++      <setting name="mechanism">ubuntuone</setting>
      </group>
    </template>
  </provider>
 === modified file 'debian/control'
 --- debian/control	2016-04-27 14:07:35 +0000
 +++ debian/control	2016-05-30 11:56:38 +0000
@@ -76,7 +76,7 @@
   ${misc:Pre-Depends},
  Depends:
   account-plugin-tools,
-- signon-plugin-password,
++ signon-plugin-ubuntuone (= ${source:Version}),
   sqlite3,
   ubuntuone-credentials-common (= ${source:Version}),
   ${misc:Depends},
 === modified file 'libubuntuoneauth/CMakeLists.txt'
 --- libubuntuoneauth/CMakeLists.txt	2016-04-21 09:25:58 +0000
 +++ libubuntuoneauth/CMakeLists.txt	2016-05-30 11:56:38 +0000
@@ -13,6 +13,10 @@
    SET (LIB_TYPE STATIC)
  ENDIF (BUILD_STATIC_LIBS)
++# Some slots are deprecated; disable warnings on deprecations, because
++# moc-generated files are using these methods
++SET (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-deprecated-declarations")
++
  # The sources for building the library
  FILE (GLOB SOURCES *.cpp)
  # HEADERS only includes the public headers for installation.
 === added file 'libubuntuoneauth/authenticator.cpp'
 --- libubuntuoneauth/authenticator.cpp	1970-01-01 00:00:00 +0000
 +++ libubuntuoneauth/authenticator.cpp	2016-05-30 11:56:38 +0000
@@ -0,0 +1,179 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++
++#include "authenticator.h"
++#include "../signon-plugin/ubuntuonedata.h"
++
++#include <Accounts/Account>
++#include <Accounts/Service>
++#include <SignOn/AuthSession>
++#include <SignOn/Identity>
++#include <SignOn/IdentityInfo>
++
++#include <QDebug>
++
++using namespace Internal;
++using namespace UbuntuOne;
++
++Authenticator::Authenticator(Accounts::Manager *manager, QObject *parent):
++    QObject(parent),
++    m_manager(manager),
++    m_invalidate(false),
++    m_uiAllowed(true)
++{
++    if (!m_manager) {
++        m_manager = new Accounts::Manager(this);
++    }
++}
++
++void Authenticator::handleError(const SignOn::Error &e)
++{
++    qCritical() << "Authentication error:" << e.message();
++    Q_EMIT error(AuthenticationError);
++}
++
++void Authenticator::handleSessionData(const SignOn::SessionData &data)
++{
++    PluginData reply = data.data<PluginData>();
++
++    auto errorCode = PluginData::ErrorCode(reply.U1ErrorCode());
++    if (errorCode != PluginData::NoError) {
++        switch (errorCode) {
++        case PluginData::OneTimePasswordRequired:
++            qDebug() << "Error: OTP required";
++            Q_EMIT error(OneTimePasswordRequired);
++            break;
++        case PluginData::InvalidPassword:
++            qDebug() << "Error: invalid password";
++            Q_EMIT error(InvalidPassword);
++            break;
++        default:
++            qWarning() << "Unknown error code" << errorCode;
++            Q_EMIT error(AuthenticationError);
++        }
++        return;
++    }
++
++    Token token(reply.TokenKey(), reply.TokenSecret(),
++                reply.ConsumerKey(), reply.ConsumerSecret(),
++                reply.DateCreated(), reply.DateUpdated());
++    if (token.isValid()) {
++        Q_EMIT authenticated(token);
++    } else {
++        QString message("Failed to convert result to Token object.");
++        qCritical() << message;
++        Q_EMIT error(AuthenticationError);
++    }
++}
++
++quint32 Authenticator::credentialsId()
++{
++    QString providerId("ubuntuone");
++    Accounts::AccountIdList accountIds = m_manager->accountList(providerId);
++
++    if (accountIds.isEmpty()) {
++        qDebug() << "authenticate(): No UbuntuOne accounts found";
++        Q_EMIT error(AccountNotFound);
++        return 0;
++    }
++
++    if (Q_UNLIKELY(accountIds.count() > 1)) {
++        qWarning() << "authenticate(): Found '" << accountIds.count() <<
++            "' accounts. Using first.";
++    }
++
++    qDebug() << "authenticate(): Using account '" << accountIds[0] << "'.";
++
++    auto account = m_manager->account(accountIds[0]);
++    if (Q_UNLIKELY(!account)) {
++        qDebug() << "Couldn't load account";
++        /* This could either happen because the account was deleted right while
++         * we were loading it, or because the accounts DB was locked by another
++         * app. Let's just return an authentication error here, so the client
++         * can retry.
++         */
++        Q_EMIT error(AuthenticationError);
++        return 0;
++    }
++
++    /* Here we should check that the account service is enabled; but since the
++     * old code was not doing this check, and that from the API there is no way
++     * of knowing which service we are interested in, let's leave it as a TODO.
++     */
++
++    return account->credentialsId();
++}
++
++void Authenticator::authenticate(const QString &tokenName,
++                                 const QString &userName,
++                                 const QString &password,
++                                 const QString &otp)
++{
++    SignOn::Identity *identity;
++    if (userName.isEmpty()) {
++        // Use existing account
++        quint32 id = credentialsId();
++        if (Q_UNLIKELY(!id)) return;
++
++        identity = SignOn::Identity::existingIdentity(id, this);
++        if (Q_UNLIKELY(!identity)) {
++            qCritical() << "authenticate(): unable to load credentials" << id;
++            Q_EMIT error(AccountNotFound);
++            return;
++        }
++    } else {
++        identity = SignOn::Identity::newIdentity(SignOn::IdentityInfo(), this);
++    }
++
++    auto session = identity->createSession(QStringLiteral("ubuntuone"));
++    if (Q_UNLIKELY(!session)) {
++        qCritical() << "Unable to create AuthSession.";
++        Q_EMIT error(AuthenticationError);
++        return;
++    }
++
++    connect(session, SIGNAL(response(const SignOn::SessionData&)),
++            this, SLOT(handleSessionData(const SignOn::SessionData&)));
++    connect(session, SIGNAL(error(const SignOn::Error&)),
++            this, SLOT(handleError(const SignOn::Error&)));
++
++    PluginData data;
++    data.setTokenName(tokenName);
++    data.setUserName(userName);
++    data.setSecret(password);
++    data.setOneTimePassword(otp);
++    int uiPolicy = m_uiAllowed ?
++        SignOn::DefaultPolicy : SignOn::NoUserInteractionPolicy;
++    data.setUiPolicy(uiPolicy);
++    if (m_invalidate) {
++        data.setForceTokenRefresh(true);
++        m_invalidate = false;
++    }
++
++    session->process(data, QStringLiteral("ubuntuone"));
++}
++
++void Authenticator::invalidateCredentials()
++{
++    m_invalidate = true;
++}
++
++void Authenticator::setUiAllowed(bool allowed)
++{
++    m_uiAllowed = allowed;
++}
 === added file 'libubuntuoneauth/authenticator.h'
 --- libubuntuoneauth/authenticator.h	1970-01-01 00:00:00 +0000
 +++ libubuntuoneauth/authenticator.h	2016-05-30 11:56:38 +0000
@@ -0,0 +1,71 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++#ifndef _U1_AUTHENTICATOR_H_
++#define _U1_AUTHENTICATOR_H_
++
++#include <Accounts/Manager>
++#include <SignOn/Identity>
++
++#include <QObject>
++
++#include "token.h"
++
++namespace Internal {
++
++class Authenticator : public QObject
++{
++    Q_OBJECT
++
++public:
++    enum ErrorCode {
++        NoError = 0,
++        AccountNotFound,
++        OneTimePasswordRequired,
++        InvalidPassword,
++        AuthenticationError, // will create more specific codes if needed
++    };
++
++    explicit Authenticator(Accounts::Manager *manager = 0, QObject *parent = 0);
++
++    void authenticate(const QString &tokenName,
++                      const QString &userName = QString(),
++                      const QString &password = QString(),
++                      const QString &otp = QString());
++    void invalidateCredentials();
++    void setUiAllowed(bool allowed);
++
++Q_SIGNALS:
++    void authenticated(const UbuntuOne::Token& token);
++    void error(Internal::Authenticator::ErrorCode code);
++
++private:
++    quint32 credentialsId();
++
++private Q_SLOTS:
++    void handleError(const SignOn::Error &error);
++    void handleSessionData(const SignOn::SessionData &data);
++
++private:
++    Accounts::Manager *m_manager;
++    bool m_invalidate;
++    bool m_uiAllowed;
++};
++
++} /* namespace */
++
++#endif /* _U1_AUTHENTICATOR_H_ */
 === modified file 'libubuntuoneauth/keyring.cpp'
 --- libubuntuoneauth/keyring.cpp	2016-04-19 15:04:15 +0000
 +++ libubuntuoneauth/keyring.cpp	2016-05-30 11:56:38 +0000
@@ -23,7 +23,9 @@
  #include <QDebug>
++#include "authenticator.h"
  #include "keyring.h"
++#include "../signon-plugin/ubuntuonedata.h"
  using namespace Accounts;
  using namespace SignOn;
@@ -46,58 +48,32 @@
      void Keyring::handleSessionData(const SignOn::SessionData &data)
+     {
--        QString secret = data.Secret();
--
--        if (secret.length() == 0) {
--            QString msg("Could not read credentials secret value.");
--            qCritical() << msg;
--            emit keyringError(msg);
--            return;
--        }
--
--        Token *token = Token::fromQuery(secret);
--        if (token->isValid()) {
--            emit tokenFound(*token);
--        } else {
--            QString message("Failed to convert result to Token object.");
--            qCritical() << message;
--            emit keyringError(message);
--        }
--        delete token;
++        /* UNUSED */
++        Q_UNUSED(data);
+     }
      void Keyring::findToken()
+     {
--        QString _acctName("ubuntuone");
--        AccountIdList _ids = _manager.accountList(_acctName);
--        Identity *identity;
--        Account *account;
--
--        if (_ids.length() > 0) {
--            if (_ids.length() > 1) {
--                qDebug() << "findToken(): Found '" << _ids.length() << "' accounts. Using first.";
--            }
--            account = _manager.account(_ids[0]);
--            qDebug() << "findToken(): Using Ubuntu One account '" << _ids[0] << "'.";
--            identity = Identity::existingIdentity(account->credentialsId());
--            if (identity == NULL) {
--                qCritical() << "findToken(): disabled account " << _acctName << _ids[0];
--                emit tokenNotFound();
--                return;
--            }
--            AuthSession *session = identity->createSession(QStringLiteral("password"));
--            if (session != NULL) {
--                connect(session, SIGNAL(response(const SignOn::SessionData&)),
--                        this, SLOT(handleSessionData(const SignOn::SessionData&)));
--                connect(session, SIGNAL(error(const SignOn::Error&)),
--                        this, SLOT(handleError(const SignOn::Error&)));
--                session->process(SessionData(), QStringLiteral("password"));
--                return;
--            }
--            qCritical() << "Unable to create AuthSession.";
--        }
--        qDebug() << "findToken(): No accounts found matching " << _acctName;
--        emit tokenNotFound();
++        using namespace Internal;
++
++        auto authenticator = new Authenticator(&_manager);
++        authenticator->setUiAllowed(true);
++
++        connect(authenticator, &Authenticator::authenticated,
++                [=](const Token &token) {
++            Q_EMIT tokenFound(token);
++            authenticator->deleteLater();
++        });
++        connect(authenticator, &Authenticator::error,
++                [=](Authenticator::ErrorCode code) {
++            if (code == Authenticator::AccountNotFound) {
++                Q_EMIT tokenNotFound();
++            } else {
++                Q_EMIT keyringError("Authentication failed");
++            }
++            authenticator->deleteLater();
++        });
++        authenticator->authenticate(Token::buildTokenName());
+     }
      void Keyring::handleCredentialsStored(const quint32 id)
@@ -167,37 +143,46 @@
      void Keyring::handleAccountRemoved()
+     {
++        /* UNUSED */
          emit tokenDeleted();
+     }
      void Keyring::handleDeleteError(const SignOn::Error &error)
+     {
++        /* UNUSED */
          // Just log the error here, as we don't want to infinite loop.
          qWarning() << "Error deleting token:" << error.message();
+     }
      void Keyring::deleteToken()
+     {
--        QString _acctName("ubuntuone");
--        AccountIdList _ids = _manager.accountList(_acctName);
--        if (_ids.length() > 0) {
--            if (_ids.length() > 1) {
--                qDebug() << "deleteToken(): Found '" << _ids.length() << "' accounts. Using first.";
++        using namespace Internal;
++
++        auto authenticator = new Authenticator(&_manager);
++        authenticator->setUiAllowed(false);
++        authenticator->invalidateCredentials();
++
++        connect(authenticator, &Authenticator::authenticated,
++                [=](const Token &token) {
++            Q_EMIT tokenDeleted();
++            authenticator->deleteLater();
++        });
++        connect(authenticator, &Authenticator::error,
++                [=](Authenticator::ErrorCode code) {
++            /* We are expecting the authentication to return an error, given
++             * that we are deleting the cached token and preventing the UI from
++             * opening.
++             * However, we need to handle the AccountNotFound error separately,
++             * since this error means that the token was not actually deleted.
++             */
++            if (code == Authenticator::AccountNotFound) {
++                Q_EMIT tokenNotFound();
++            } else {
++                Q_EMIT tokenDeleted();
+             }
--            Account *account = _manager.account(_ids[0]);
--            qDebug() << "deleteToken(): Using Ubuntu One account '" << _ids[0] << "'.";
--            Identity *identity = Identity::existingIdentity(account->credentialsId());
--            connect(account, SIGNAL(removed()),
--                    this, SLOT(handleAccountRemoved()));
--            connect(identity, SIGNAL(error(const SignOn::Error&)),
--                    this, SLOT(handleDeleteError(const SignOn::Error&)));
--
--            identity->remove();
--            account->remove();
--            account->sync();
--            return;
--        }
--        emit tokenNotFound();
++            authenticator->deleteLater();
++        });
++        authenticator->authenticate(Token::buildTokenName());
+     }
  } // namespace UbuntuOne
 === modified file 'libubuntuoneauth/keyring.h'
 --- libubuntuoneauth/keyring.h	2016-04-21 09:25:58 +0000
 +++ libubuntuoneauth/keyring.h	2016-05-30 11:56:38 +0000
@@ -50,10 +50,10 @@
      private Q_SLOTS:
          void handleError(const SignOn::Error &error);
--        void handleSessionData(const SignOn::SessionData &data);
++        Q_DECL_DEPRECATED void handleSessionData(const SignOn::SessionData &data);
          void handleCredentialsStored(const quint32 id);
--        void handleAccountRemoved();
--        void handleDeleteError(const SignOn::Error &error);
++        Q_DECL_DEPRECATED void handleAccountRemoved();
++        Q_DECL_DEPRECATED void handleDeleteError(const SignOn::Error &error);
      private:
          Accounts::Manager _manager;
 === modified file 'libubuntuoneauth/libubuntuoneauth.symbols'
 --- libubuntuoneauth/libubuntuoneauth.symbols	2013-07-22 15:54:02 +0000
 +++ libubuntuoneauth/libubuntuoneauth.symbols	2016-05-30 11:56:38 +0000
@@ -1,7 +1,8 @@
+ {
    global:
      extern "C++" {
--      *UbuntuOne::*;
++      UbuntuOne::*;
++      *for?UbuntuOne::*;
      };
      qt_*;
    local:
 === modified file 'libubuntuoneauth/ssoservice.cpp'
 --- libubuntuoneauth/ssoservice.cpp	2016-04-19 15:04:15 +0000
 +++ libubuntuoneauth/ssoservice.cpp	2016-05-30 11:56:38 +0000
@@ -22,6 +22,7 @@
  #include <QNetworkRequest>
  #include <QUrlQuery>
++#include "authenticator.h"
  #include "logging.h"
  #include "ssoservice.h"
  #include "requests.h"
@@ -64,9 +65,6 @@
                  this, SLOT(accountPinged(QNetworkReply*)));
          connect(&(_provider),
--                SIGNAL(OAuthTokenGranted(const OAuthTokenResponse&)),
--                this, SLOT(tokenReceived(const OAuthTokenResponse&)));
--        connect(&(_provider),
                  SIGNAL(AccountGranted(const AccountResponse&)),
                  this, SLOT(accountRegistered(const AccountResponse&)));
          connect(&(_provider),
@@ -116,12 +114,32 @@
      void SSOService::login(QString email, QString password, QString twoFactorCode)
+     {
--        OAuthTokenRequest request(getAuthBaseUrl(),
--                                  email, password,
--                                  Token::buildTokenName(), twoFactorCode);
--        _tempEmail = email;
--
--        _provider.GetOAuthToken(request);
++        using namespace Internal;
++
++        auto authenticator = new Authenticator;
++        /* The caller of this API is assumed to have his own UI, so no support
++         * from SignOn UI is needed or even desired. */
++        authenticator->setUiAllowed(false);
++
++        connect(authenticator, &Authenticator::authenticated,
++                [=](const Token &token) {
++            _keyring->storeToken(token, email);
++            authenticator->deleteLater();
++        });
++        connect(authenticator, &Authenticator::error,
++                [=](Authenticator::ErrorCode code) {
++            if (code == Authenticator::AccountNotFound) {
++                Q_EMIT credentialsNotFound();
++            } else if (code == Authenticator::OneTimePasswordRequired) {
++                Q_EMIT twoFactorAuthRequired();
++            } else {
++                /* TODO: deliver a proper error response. */
++                Q_EMIT requestFailed(ErrorResponse());
++            }
++            authenticator->deleteLater();
++        });
++        authenticator->authenticate(Token::buildTokenName(),
++                                    email, password, twoFactorCode);
+     }
      void SSOService::handleTwoFactorAuthRequired()
@@ -147,10 +165,14 @@
      void SSOService::tokenReceived(const OAuthTokenResponse& token)
+     {
--        Token realToken = Token(token.token_key(), token.token_secret(),
--                                token.consumer_key(), token.consumer_secret(),
--                                token.date_created(), token.date_updated());
--        _keyring->storeToken(realToken, _tempEmail);
++        // Not used anymore
++
++        /* The following two lines are needed to ensure that the
++         * OAuthTokenRequest::~OAuthTokenRequest() symbol is exported by the
++         * library.
++         */
++        OAuthTokenRequest request;
++        qDebug() << request.serialize();
+     }
      void SSOService::accountPinged(QNetworkReply*)
 === modified file 'signon-plugin/tests/test_plugin.cpp'
 --- signon-plugin/tests/test_plugin.cpp	2016-04-27 08:41:03 +0000
 +++ signon-plugin/tests/test_plugin.cpp	2016-05-30 11:56:38 +0000
@@ -28,6 +28,7 @@
  #include <SignOn/uisessiondata_priv.h>
++#include "token.h"
  #include "ubuntuone-plugin.h"
  using namespace SignOn;
@@ -232,8 +233,8 @@
      QTest::newRow("empty") <<
          sessionData.toMap() <<
--        int(Error::MissingData) <<
--        false << QVariantMap() << QVariantMap();
++        -1 <<
++        true << QVariantMap() << QVariantMap();
      sessionData.setTokenName("helloworld");
      sessionData.setSecret("consumer_key=aAa&consumer_secret=bBb&name=helloworld&token=cCc&token_secret=dDd");
@@ -249,10 +250,60 @@
          sessionData.toMap() <<
          -1 <<
          false << response.toMap() << stored.toMap();
--    sessionData = UbuntuOne::PluginData();
--    response = UbuntuOne::PluginData();
--    stored = UbuntuOne::PluginData();
--    storedData.clear();
++
++    sessionData = UbuntuOne::PluginData();
++    QString tokenName = UbuntuOne::Token::buildTokenName();
++    sessionData.setStoredData(QVariantMap {
++        { tokenName, QVariantMap {
++            { "ConsumerKey", "ck" },
++            { "ConsumerSecret", "cs" },
++            { "TokenKey", "tk" },
++            { "TokenSecret", "ts" },
++        }},
++    });
++    response = UbuntuOne::PluginData();
++    response.setConsumerKey("ck");
++    response.setConsumerSecret("cs");
++    response.setTokenKey("tk");
++    response.setTokenSecret("ts");
++    response.setTokenName(tokenName);
++    stored = UbuntuOne::PluginData();
++    storedData.clear();
++    QTest::newRow("stored, valid") <<
++        sessionData.toMap() <<
++        -1 <<
++        false << response.toMap() << stored.toMap();
++
++    sessionData = UbuntuOne::PluginData();
++    sessionData.setStoredData(QVariantMap {
++        { tokenName, QVariantMap {
++            { "ConsumerKey", "ck" },
++            { "ConsumerSecret", "cs" },
++            { "TokenKey", "tk" },
++            { "TokenSecret", "ts" },
++        }},
++    });
++    sessionData.setForceTokenRefresh(true);
++    response = UbuntuOne::PluginData();
++    stored = UbuntuOne::PluginData();
++    storedData.clear();
++    stored.setStoredData(storedData);
++    QTest::newRow("clearing token") <<
++        sessionData.toMap() <<
++        -1 <<
++        true << response.toMap() << stored.toMap();
++
++    sessionData = UbuntuOne::PluginData();
++    sessionData.setSecret("consumer_key=aAa&consumer_secret=bBb&name=helloworld&token=cCc&token_secret=dDd");
++    sessionData.setForceTokenRefresh(true);
++    response = UbuntuOne::PluginData();
++    stored = UbuntuOne::PluginData();
++    storedData.clear();
++    stored.setStoredData(storedData);
++    QTest::newRow("in secret, clearing") <<
++        sessionData.toMap() <<
++        -1 <<
++        true << response.toMap() << stored.toMap();
+ }
  void PluginTest::testStoredToken()
@@ -382,10 +433,10 @@
      response.setTokenSecret("dDd");
      response.setDateUpdated("2013-01-11 12:43:23");
      response.setDateCreated("2013-01-11 12:43:23");
++    response.setTokenName(sessionData.TokenName());
      QVariantMap storedData;
      storedData[sessionData.TokenName()] = response.toMap();
      stored.setStoredData(storedData);
--    response.setTokenName(sessionData.TokenName());
      QTest::newRow("no OTP needed, 201") <<
          sessionData.toMap() <<
          -1 <<
 === modified file 'signon-plugin/ubuntuone-plugin.cpp'
 --- signon-plugin/ubuntuone-plugin.cpp	2016-04-27 14:07:35 +0000
 +++ signon-plugin/ubuntuone-plugin.cpp	2016-05-30 11:56:38 +0000
@@ -69,18 +69,6 @@
+     {
+     }
--    bool SignOnPlugin::validateInput(const PluginData &data,
--                                     const QString &mechanism)
--    {
--        Q_UNUSED(mechanism);
--
--        if (data.TokenName().isEmpty()) {
--            return false;
--        }
--
--        return true;
--    }
--
      bool SignOnPlugin::respondWithStoredData()
+     {
          QVariantMap storedData = m_data.StoredData();
@@ -119,6 +107,9 @@
                  m_data.setSecret(QString());
+             }
              delete token;
++        } else {
++            /* Always use the same token name for now */
++            m_data.setTokenName(Token::buildTokenName());
+         }
          /* Check if we have stored data for this token name */
@@ -167,18 +158,20 @@
          PluginData response;
          m_data = inData.data<PluginData>();
--        if (!validateInput(m_data, mechanism)) {
--            qWarning() << "Invalid parameters passed";
--            Q_EMIT error(SignOn::Error(SignOn::Error::MissingData));
--            return;
--        }
--
--        /* It may be that the stored token is valid; however, do the check only
--         * if no OTP was provided (since the presence of an OTP is a clear
--         * signal that the caller wants to get a new token). */
--        if (m_data.OneTimePassword().isEmpty() &&
--            respondWithStoredData()) {
--            return;
++        if (m_data.ForceTokenRefresh()) {
++            qDebug() << "Clearing stored token";
++            PluginData pluginData;
++            pluginData.setStoredData(QVariantMap());
++            Q_EMIT store(pluginData);
++            m_data.setStoredData(QVariantMap());
++        } else {
++            /* It may be that the stored token is valid; however, do the check
++             * only if no OTP was provided (since the presence of an OTP is a
++             * clear signal that the caller wants to get a new token). */
++            if (m_data.OneTimePassword().isEmpty() &&
++                respondWithStoredData()) {
++                return;
++            }
+         }
          getCredentialsAndCreateNewToken();
@@ -208,6 +201,7 @@
              token.setTokenSecret(object.value("token_secret").toString());
              token.setDateCreated(Token::dateStringToISO(object.value("date_created").toString()));
              token.setDateUpdated(Token::dateStringToISO(object.value("date_updated").toString()));
++            token.setTokenName(tokenName);
              /* Store the token */
              QVariantMap storedData;
@@ -216,7 +210,6 @@
              pluginData.setStoredData(storedData);
              Q_EMIT store(pluginData);
--            token.setTokenName(tokenName);
              Q_EMIT result(token);
          } else if (statusCode == 401 && error == ERR_INVALID_CREDENTIALS) {
              m_data.setSecret(QString());
@@ -253,7 +246,7 @@
          QJsonObject formData;
          formData.insert("email", m_data.UserName());
          formData.insert("password", m_data.Secret());
--        formData.insert("token_name", m_data.TokenName());
++        formData.insert("token_name", Token::buildTokenName());
          if (!m_data.OneTimePassword().isEmpty()) {
              formData.insert("otp", m_data.OneTimePassword());
+         }
 === modified file 'signon-plugin/ubuntuone-plugin.h'
 --- signon-plugin/ubuntuone-plugin.h	2016-04-26 08:45:29 +0000
 +++ signon-plugin/ubuntuone-plugin.h	2016-05-30 11:56:38 +0000
@@ -54,7 +54,6 @@
          void userActionFinished(const SignOn::UiSessionData &data) Q_DECL_OVERRIDE;
      private:
--        bool validateInput(const PluginData &data, const QString &mechanism);
          bool respondWithStoredData();
          void emitErrorFromReply(QNetworkReply *reply);
          void createNewToken();
 === modified file 'signon-plugin/ubuntuonedata.h'
 --- signon-plugin/ubuntuonedata.h	2016-04-27 08:36:19 +0000
 +++ signon-plugin/ubuntuonedata.h	2016-05-30 11:56:38 +0000
@@ -46,6 +46,10 @@
          SIGNON_SESSION_DECLARE_PROPERTY(QString, DateCreated);
          SIGNON_SESSION_DECLARE_PROPERTY(QString, DateUpdated);
++        // Set this to true if the token returned by the previous
++        // authentication is invalid.
++        SIGNON_SESSION_DECLARE_PROPERTY(bool, ForceTokenRefresh);
++
          // Error code
          enum ErrorCode {
              NoError = 0,