Merge lp:~mir-team/mir/attestable-timestamps-server into lp:mir

FAILED: Continuous integration, rev:2909
http://jenkins.qa.ubuntu.com/job/mir-ci/4825/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3868/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2775/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3814/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/974/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3814/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4825/rebuild

FAILED: Continuous integration, rev:2911
http://jenkins.qa.ubuntu.com/job/mir-ci/4826/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3869
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2776/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3815/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/975
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/975/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3815
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3815/artifact/work/output/*zip*/output.zip
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6544/console
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23154

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4826/rebuild

From the other review:

AFAICS libmircookie is only used by libmirserver.

What is the advantage to having a shared library over linking the code directly into libmirserver?

FAILED: Continuous integration, rev:2912
http://jenkins.qa.ubuntu.com/job/mir-ci/4827/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3870
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2777/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3816
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/976
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/976/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3816
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3816/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6545
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23155

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4827/rebuild

FAILED: Continuous integration, rev:2912
http://jenkins.qa.ubuntu.com/job/mir-ci/4831/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3875
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2782/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3821
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/980
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/980/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3821
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3821/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6549
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23159

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4831/rebuild

+std::string mir_test_framework::udev_recordings_path()
+{
+ std::string bin_path = MIR_BUILD_PREFIX"/bin/udev_recordings";
+ std::string share_path = MIR_INSTALL_PREFIX"/share/udev_recordings";
+
+ if (boost::filesystem::exists(bin_path))
+ return bin_path;
+ else if (boost::filesystem::exists(share_path))
+ return share_path;
+
+ BOOST_THROW_EXCEPTION(std::runtime_error("Failed to find udev_recordings in standard search locations"));
+}

Can this really be the right behaviour? An installed test binary looks in the location where it was built? Even though a developer may be making changes there to compare results with.

~~~~

+ char const* RANDOM_DEVICE_PATH = "/dev/random";
+ int const WAIT_SECONDS = 30;
...
+ int const MAX_WAIT = 4;

http://unity.ubuntu.com/mir/cppguide/index.html?showone=Constant_Names#Constant_Names

~~~~

AFAICS libmircookie is only used by libmirserver.

What is the advantage to having a shared library over linking the code directly into libmirserver?

~~~~

/mir/tests/acceptance-tests/test_mir_cookie.cpp:39:13: error: unused variable 'MAX_WAIT' [-Werror,-Wunused-const-variable]
  int const MAX_WAIT = 4;
            ^
1 error generated.

>
> +std::string mir_test_framework::udev_recordings_path()
> +{
> + std::string bin_path = MIR_BUILD_PREFIX"/bin/udev_recordings";
> + std::string share_path = MIR_INSTALL_PREFIX"/share/udev_recordings";
> +
> + if (boost::filesystem::exists(bin_path))
> + return bin_path;
> + else if (boost::filesystem::exists(share_path))
> + return share_path;
> +
> + BOOST_THROW_EXCEPTION(std::runtime_error("Failed to find udev_recordings
> in standard search locations"));
> +}
>
> Can this really be the right behaviour? An installed test binary looks in the
> location where it was built? Even though a developer may be making changes
> there to compare results with.

I should check the share folder first. Other then that... I think its correct behaviour. We still want to be able to test it in a build directory. Unless I add an env variable that we set for the test it self. Let me know which one you would like!

>
> ~~~~
>
> + char const* RANDOM_DEVICE_PATH = "/dev/random";
> + int const WAIT_SECONDS = 30;
> ...
> + int const MAX_WAIT = 4;
>
> http://unity.ubuntu.com/mir/cppguide/index.html?showone=Constant_Names#Constan
> t_Names
>

I need to read through the coding standard for mir :). Use to compiz/unity7/nux.

> ~~~~
>
> AFAICS libmircookie is only used by libmirserver.
>
> What is the advantage to having a shared library over linking the code
> directly into libmirserver?
>

This is how it currently stands but we are planning on using this for the content hub as well. So best to keep it shared now, as it will be used by something else.

> ~~~~
>
> /mir/tests/acceptance-tests/test_mir_cookie.cpp:39:13: error: unused variable
> 'MAX_WAIT' [-Werror,-Wunused-const-variable]
> int const MAX_WAIT = 4;
> ^
> 1 error generated.

Thanks! Missed removing that.

PASSED: Continuous integration, rev:2913
http://jenkins.qa.ubuntu.com/job/mir-ci/4846/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3890
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2797
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3836
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/995
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/995/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3836
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3836/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6564
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23190

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4846/rebuild

Sorry about the long list here, most of it is about fitting in with the design styles that have grown in Mir and you would not yet be familiar with. I've voted "Needs Fixing" but many of the points might be addressed by discussion.

~~~~

src/server/default_server_configuration.cpp

There's a lot of code added here (to generate a seed) that probably doesn't belong in a translation unit that is about constructing the right objects to configure the system. I'd prefer to see it put in a separate file. (Is there any reason it can't be part of the new library?)

~~~~

+void fill_vector_with_random_data(std::vector<uint8_t>& buffer)

Could we not use a return value instead of an out parameter?

~~~~

+std::string mir_test_framework::udev_recordings_path()
+{
+ std::string share_path = MIR_INSTALL_PREFIX"/share/udev_recordings";
+ std::string bin_path = MIR_BUILD_PREFIX"/bin/udev_recordings";
+
+ if (boost::filesystem::exists(share_path))
+ return share_path;
+ else if (boost::filesystem::exists(bin_path))
+ return bin_path;
+
+ BOOST_THROW_EXCEPTION(std::runtime_error("Failed to find udev_recordings in standard search locations"));
+}

Can this be right? A development test binary looks in the location where it would be installed? Even though a developer may be making changes to the version in the build path.

The older logic (based on the executable path) seems less surprising.

~~~~

+class CookieFactory
+{
+public:
+ CookieFactory(std::vector<uint8_t> const& secret);
+ ~CookieFactory() noexcept;
+
+ MirCookie timestamp_to_cookie(uint64_t const& timestamp);
+
+ bool attest_timestamp(MirCookie const& cookie);
+
+private:
+ class CookieImpl;
+ std::unique_ptr<CookieImpl> impl;
+};

What is the reason for preferring the Cheshire Cat idiom over Interface Class? This makes it far harder to substitute alternative implementations (e.g. for testing that cookies actually are validated when necessary).

I can also imagine a desire to provide a different verification model in a (hypothetical) downstream server.

~~~~~

+void mir::Server::set_cookie_secret(std::vector<uint8_t> const& secret)
+{
+ verify_setting_allowed(self->server_config);
+ self->cookie_factory = std::make_shared<CookieFactory>(secret);
+}

It is a little surprising that this sets the cookie factory, not the secret. I can't immediately think of anything this breaks but...

Between this and the previous, I think this would fit better into Mir's design patterns if:

1. CookieFactory were an interface and CookieImpl a derived class.
2. the configuration point were override_the_cookie_factory

~~~~~

=== added file 'tests/acceptance-tests/test_mir_cookie.cpp'

This reads more like a unit test

~~~~~

+ mir_discover_tests_with_fd_leak_detection(mir_acceptance_tests LD_PRELOAD=libumockdev-preload.so.0 G_SLICE=always-malloc G_DEBUG=gc-friendly)

The acceptance tests (before and after this MP) don't need libumockdev-preload.so.0 (which is convenient when running them by hand) why change that?

~~~~~

AFAICS the_cookie_factory() isn't used. I've not looked in the parent branch - I assume use (and real acceptance tests) is coming soon?

> Sorry about the long list here, most of it is about fitting in with the design
> styles that have grown in Mir and you would not yet be familiar with. I've
> voted "Needs Fixing" but many of the points might be addressed by discussion.
>
> ~~~~
>

No problem at all :), Thanks for going through in depth!

> src/server/default_server_configuration.cpp
>
> There's a lot of code added here (to generate a seed) that probably doesn't
> belong in a translation unit that is about constructing the right objects to
> configure the system. I'd prefer to see it put in a separate file. (Is there
> any reason it can't be part of the new library?)
>
> ~~~~

This is true, Im not 100% sure why it cant be in the library it self. Ill have to talk to Chris about that.

>
> +void fill_vector_with_random_data(std::vector<uint8_t>& buffer)
>
> Could we not use a return value instead of an out parameter?
>
> ~~~~

Changed!

>
> +std::string mir_test_framework::udev_recordings_path()
> +{
> + std::string share_path = MIR_INSTALL_PREFIX"/share/udev_recordings";
> + std::string bin_path = MIR_BUILD_PREFIX"/bin/udev_recordings";
> +
> + if (boost::filesystem::exists(share_path))
> + return share_path;
> + else if (boost::filesystem::exists(bin_path))
> + return bin_path;
> +
> + BOOST_THROW_EXCEPTION(std::runtime_error("Failed to find udev_recordings
> in standard search locations"));
> +}
>
> Can this be right? A development test binary looks in the location where it
> would be installed? Even though a developer may be making changes to the
> version in the build path.
>
> The older logic (based on the executable path) seems less surprising.
>
> ~~~~

Yes... Hmm so my overall thought here is do we need to always install the file to run the tests? Or should we ever be able to run the tests on a build directory? If we just want the test to run off the install location im 100% fine with that. All else I can think about is setting an env variable so we can run it to the build directory (and the test can set it).

Either way im happy to change it.

>
> +class CookieFactory
> +{
> +public:
> + CookieFactory(std::vector<uint8_t> const& secret);
> + ~CookieFactory() noexcept;
> +
> + MirCookie timestamp_to_cookie(uint64_t const& timestamp);
> +
> + bool attest_timestamp(MirCookie const& cookie);
> +
> +private:
> + class CookieImpl;
> + std::unique_ptr<CookieImpl> impl;
> +};
>
> What is the reason for preferring the Cheshire Cat idiom over Interface Class?
> This makes it far harder to substitute alternative implementations (e.g. for
> testing that cookies actually are validated when necessary).
>
> I can also imagine a desire to provide a different verification model in a
> (hypothetical) downstream server.
>
> ~~~~~

Not sure the reasoning here, Ill have to talk to Chris about it. Wouldnt be to hard to switch over to just an interface.
>
> +void mir::Server::set_cookie_secret(std::vector<uint8_t> const& secret)
> +{
> + verify_setting_allowed(self->server_config);
> + self->cookie_factory = std::make_shared<CookieFactory>(secret);
> +}
>
> It is a little surprising that this sets the cookie factory, n...

FAILED: Continuous integration, rev:2914
http://jenkins.qa.ubuntu.com/job/mir-ci/4858/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3910/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2815/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3854/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1007/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3854/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4858/rebuild

PASSED: Continuous integration, rev:2915
http://jenkins.qa.ubuntu.com/job/mir-ci/4859/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3912
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2817
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3856
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1008
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1008/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3856
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3856/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6579
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23221

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4859/rebuild

> What is the reason for preferring the Cheshire Cat idiom over Interface Class?
> This makes it far harder to substitute alternative implementations (e.g. for
> testing that cookies actually are validated when necessary).
>
> I can also imagine a desire to provide a different verification model in a
> (hypothetical) downstream server.

libmircookie is going to be used by Content Hub; Mir will share the secret with CH, and then CH will be able to verify cookies sent to it (for copy/paste and drag/drop operations). This is why it's a split-out library.

As such, it's actively harmful for downstream servers to override the implementation, as multiple processes need to agree on the method to verify cookies.

As an added bonus feature, it also means that libmircookie can have an actual ABI that's stable even under mild code churn :).

> Can this be right? A development test binary looks in the location where it
> would be installed? Even though a developer may be making changes to the
> version in the build path.
>
> The older logic (based on the executable path) seems less surprising.

Yeah, I'd have the test look first in the bin dir and *then* in the system-install location.

> src/server/default_server_configuration.cpp
>
> There's a lot of code added here (to generate a seed) that probably doesn't
> belong in a translation unit that is about constructing the right objects to
> configure the system. I'd prefer to see it put in a separate file. (Is there
> any reason it can't be part of the new library?)

I'd have no objections to it being in the new library.

Other comments:

+ * This is not in any way cryptographically secure. This DOES NOT provide security.

We should drop this bit of the comment.

Once the above are dealt with: approve.

We should probably add a debian/libmircookie1.symbols file, but that can easily be done later.

Oh, whitespace before '}':
362 + MirCookie cookie { timestamp, 0};

PASSED: Continuous integration, rev:2916
http://jenkins.qa.ubuntu.com/job/mir-ci/4864/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3919
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2824
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3863
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1013
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1013/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3863
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3863/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6585
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23231

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4864/rebuild

PASSED: Continuous integration, rev:2919
http://jenkins.qa.ubuntu.com/job/mir-ci/4865/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3920
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2825
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3864
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1014
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1014/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3864
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3864/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6587
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23234

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4865/rebuild

FAILED: Continuous integration, rev:2920
http://jenkins.qa.ubuntu.com/job/mir-ci/4869/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3925
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2830/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3869/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1018/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3869
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3869/artifact/work/output/*zip*/output.zip
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6590/console
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23238

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4869/rebuild

> > I can also imagine a desire to provide a different verification model in a
> > (hypothetical) downstream server.
>
> libmircookie is going to be used by Content Hub; Mir will share the secret
> with CH, and then CH will be able to verify cookies sent to it (for copy/paste
> and drag/drop operations). This is why it's a split-out library.
>
> As such, it's actively harmful for downstream servers to override the
> implementation, as multiple processes need to agree on the method to verify
> cookies.

Oh, I agree that within a UI stack it ought to be fixed. Just imagining that someone /could/ want a different implementation in a different stack.

> As an added bonus feature, it also means that libmircookie can have an actual
> ABI that's stable even under mild code churn :).

OK, that's an argument for a separate library. In fact, is it really something that will need to be released with every Mir release? Or should it be a separate project?

BTW this last argument doesn't address the "Cheshire Cat vs Interface" point. The ABI could easily be:

std::unique_ptr<CookieFactory> CookieFactory::create_with_secret(std::vector<uint8_t> const& secret);
std::unique_ptr<CookieFactory> CookieFactory::create_without_secret();

> > === added file 'tests/acceptance-tests/test_mir_cookie.cpp'
> >
> > This reads more like a unit test
> >
> > ~~~~~
> test_cookie_factory sound any better? (Im bad at names)

You misunderstand, I mean the test body reads like a unit test, not a test of the system.

O yeah sorry, I was planning on moving all those tests to unit tests in the client code ... but i should do that now and save on diff +/- :)

PASSED: Continuous integration, rev:2921
http://jenkins.qa.ubuntu.com/job/mir-ci/4878/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3937
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2842
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3881
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1027
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1027/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3881
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3881/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6602
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23262

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4878/rebuild

PASSED: Continuous integration, rev:2922
http://jenkins.qa.ubuntu.com/job/mir-ci/4880/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3940
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2845
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3884
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1029
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1029/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3884
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3884/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6606
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23270

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4880/rebuild

+namespace mir
+{
...
+class CookieFactory
...
+std::vector<uint8_t> get_random_data(unsigned size);

We reserve the general mir namespace for system setup. These could be in a "cookie" namespace.

~~~~

+class CookieFactory
+{
+public:
+ CookieFactory(std::vector<uint8_t> const& secret);
+ ~CookieFactory() noexcept;
+
+ MirCookie timestamp_to_cookie(uint64_t const& timestamp);
+
+ bool attest_timestamp(MirCookie const& cookie);
+
+private:
+ class CookieImpl;
+ std::unique_ptr<CookieImpl> impl;
+};

I'm still not convinced we should prefer the Cheshire Cat idiom (over Interface Class) here, but if we are taking this approach then impl should be const.

~~~~

+std::string mir_test_framework::udev_recordings_path()
+{
+ std::string bin_path = MIR_BUILD_PREFIX"/bin/udev_recordings";
+ std::string share_path = MIR_INSTALL_PREFIX"/share/udev_recordings";
+
+ if (boost::filesystem::exists(bin_path))
+ return bin_path;
+ else if (boost::filesystem::exists(share_path))
+ return share_path;
+
+ BOOST_THROW_EXCEPTION(std::runtime_error("Failed to find udev_recordings in standard search locations"));
+}

Can this really be the right behaviour? An installed test binary looks in the location where it was built? Even though a developer may be making changes there?

The older logic (based on the executable path) seems less surprising.

~~~~

+ CookieFactory(std::vector<uint8_t> const& secret);

This will throw if the secret is too small, but the behaviour and minimum size is not documented anywhere.

I suggest providing a static class member (minimum_secret_size) and documenting the requirement.

Is libmircookie really something that will need to be released in sync with every Mir release? Or should it be a separate project?

~~~~

+std::vector<uint8_t> get_random_data(unsigned size);

Could be:

CookieFactory::CookieFactory(unsigned size);

~~~~

+void mir::Server::set_cookie_secret(std::vector<uint8_t> const& secret)
+{
+ verify_setting_allowed(self->server_config);
+ self->cookie_factory = std::make_shared<CookieFactory>(secret);
+}

It is a little surprising that this sets the cookie factory, not the secret.

> Is libmircookie really something that will need to be released in sync with
> every Mir release? Or should it be a separate project?

I dont have a clear answer for this one. I just imagine since the project is pretty small it makes it easier to keep it in lp:mir atm? Will have to poke raof about that one.
>
> ~~~~
>
> +std::vector<uint8_t> get_random_data(unsigned size);
>
> Could be:
>
> CookieFactory::CookieFactory(unsigned size);
>

I had this at first, but switched up because one of the primary use-cases for CookieFactory is when you've shared the secret with another process, which you can't do if you've called CookieFactory(unsigned size)

> ~~~~
>
> +void mir::Server::set_cookie_secret(std::vector<uint8_t> const& secret)
> +{
> + verify_setting_allowed(self->server_config);
> + self->cookie_factory = std::make_shared<CookieFactory>(secret);
> +}
>
> It is a little surprising that this sets the cookie factory, not the secret.

I think this function should just be renamed to initialize_cookie_factory(..)

> +namespace mir
> +{
> ...
> +class CookieFactory
> ...
> +std::vector<uint8_t> get_random_data(unsigned size);
>
> We reserve the general mir namespace for system setup. These could be in a
> "cookie" namespace.
>
> ~~~~

Done.

>
> +class CookieFactory
> +{
> +public:
> + CookieFactory(std::vector<uint8_t> const& secret);
> + ~CookieFactory() noexcept;
> +
> + MirCookie timestamp_to_cookie(uint64_t const& timestamp);
> +
> + bool attest_timestamp(MirCookie const& cookie);
> +
> +private:
> + class CookieImpl;
> + std::unique_ptr<CookieImpl> impl;
> +};
>
> I'm still not convinced we should prefer the Cheshire Cat idiom (over
> Interface Class) here, but if we are taking this approach then impl should be
> const.
>
> ~~~~

Move to an NVI idiom:
http://www.gotw.ca/publications/mill18.htm
>
> +std::string mir_test_framework::udev_recordings_path()
> +{
> + std::string bin_path = MIR_BUILD_PREFIX"/bin/udev_recordings";
> + std::string share_path = MIR_INSTALL_PREFIX"/share/udev_recordings";
> +
> + if (boost::filesystem::exists(bin_path))
> + return bin_path;
> + else if (boost::filesystem::exists(share_path))
> + return share_path;
> +
> + BOOST_THROW_EXCEPTION(std::runtime_error("Failed to find udev_recordings
> in standard search locations"));
> +}
>
> Can this really be the right behaviour? An installed test binary looks in the
> location where it was built? Even though a developer may be making changes
> there?
>
> The older logic (based on the executable path) seems less surprising.
>
> ~~~~
Not sure what the correct answer is here. What would be the best solution?

>
> + CookieFactory(std::vector<uint8_t> const& secret);
>
> This will throw if the secret is too small, but the behaviour and minimum size
> is not documented anywhere.
>
> I suggest providing a static class member (minimum_secret_size) and
> documenting the requirement.

Done.

FAILED: Continuous integration, rev:2925
http://jenkins.qa.ubuntu.com/job/mir-ci/4894/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3965
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2872
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3906/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1044
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1044/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3907
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3907/artifact/work/output/*zip*/output.zip
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6624/console
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23309

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4894/rebuild

PASSED: Continuous integration, rev:2925
http://jenkins.qa.ubuntu.com/job/mir-ci/4896/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3968
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2875
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3910
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1046
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1046/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3911
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3911/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6628
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23313

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4896/rebuild

> > +std::vector<uint8_t> get_random_data(unsigned size);
> >
> > Could be:
> >
> > CookieFactory::CookieFactory(unsigned size);
> >
>
> I had this at first, but switched up because one of the primary use-cases for
> CookieFactory is when you've shared the secret with another process, which you
> can't do if you've called CookieFactory(unsigned size)

I was thinking two constructors would be:

   explicit CookieFactory(std::vector<uint8_t> const& secret);
   explicit CookieFactory(unsigned size);

But I take your point - you need access to the "random data" to share the secret.

> > Is libmircookie really something that will need to be released in sync with
> > every Mir release? Or should it be a separate project?
>
> I dont have a clear answer for this one. I just imagine since the project is
> pretty small it makes it easier to keep it in lp:mir atm? Will have to poke
> raof about that one.

A further thought, the header is dependent on MirCookie (introduced here into include/common/mir_toolkit/common.h). That makes client code (compile time) dependent on libmircommon-dev.

As we're introducing this dependency on mircommon, could we just put the code into libmircommon and not a separate library?

Or should MirCookie be defined in libmircookie-dev and not libmircommon-dev?

+#include <nettle/hmac.h>
...
+ struct hmac_sha1_ctx ctx;

Surely we don't want to introduce this dependency to user code? (See [1].)

There is no point in this class heirarchy if you are putting the derived class definition in the same header.

An option to consider here would the Named Constructor Idiom.

~~~~

+// Using the NVI Idiom

Nobody takes NVPI seriously - it is a solution in search of a problem.

The principle options to consider are Interface and Cheshire Cat (a.k.a. Pimpl). For a comparison of the different options see[2].

~~~~~

+ CookieFactoryNettle(std::vector<uint8_t> const& secret);

This will throw if the secret is too small, but the behaviour and minimum size is not documented in a doc comment on the function. (Having a non-doc comment in the private section of the class doesn't help the user.)

(But as I don't think this class should be made public anyway the documentation should go on the corresponding factory function.)

~~~~

> > The older logic (based on the executable path) seems less surprising.
> >
> > ~~~~
>
> Not sure what the correct answer is here. What would be the best solution?

I think to first check relative to the executable path (as it did before this MP), then to check the install location.

E.g. if running from a build directory it should pick up the one from e.g. <build>/bin/udev_recordings/ if not it picks up the installed version.

~~~~

[1] http://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf

[2] http://www.twonine.co.uk/articles/SeparatingInterfaceAndImplementation.pdf

> +#include <nettle/hmac.h>
> ...
> + struct hmac_sha1_ctx ctx;
>
> Surely we don't want to introduce this dependency to user code? (See [1].)
>
> There is no point in this class heirarchy if you are putting the derived class
> definition in the same header.
>
> An option to consider here would the Named Constructor Idiom.

Done.

>
> ~~~~
>
> +// Using the NVI Idiom
>
> Nobody takes NVPI seriously - it is a solution in search of a problem.
>
> The principle options to consider are Interface and Cheshire Cat (a.k.a.
> Pimpl). For a comparison of the different options see[2].
>
> ~~~~~

Done.

>
> + CookieFactoryNettle(std::vector<uint8_t> const& secret);
>
> This will throw if the secret is too small, but the behaviour and minimum size
> is not documented in a doc comment on the function. (Having a non-doc comment
> in the private section of the class doesn't help the user.)
>
> (But as I don't think this class should be made public anyway the
> documentation should go on the corresponding factory function.)
>
> ~~~~

Done.

>
> > > The older logic (based on the executable path) seems less surprising.
> > >
> > > ~~~~
> >
> > Not sure what the correct answer is here. What would be the best solution?
>
> I think to first check relative to the executable path (as it did before this
> MP), then to check the install location.
>
> E.g. if running from a build directory it should pick up the one from e.g.
> <build>/bin/udev_recordings/ if not it picks up the installed version.
>
> ~~~~

Done.

>
> [1] http://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf
>
> [2] http://www.twonine.co.uk/articles/SeparatingInterfaceAndImplementation.pdf

Thanks! Those were good reads. If you've more articles, I would be more then happy to read :).

> > > Is libmircookie really something that will need to be released in sync
> with
> > > every Mir release? Or should it be a separate project?
> >
> > I dont have a clear answer for this one. I just imagine since the project is
> > pretty small it makes it easier to keep it in lp:mir atm? Will have to poke
> > raof about that one.
>
> A further thought, the header is dependent on MirCookie (introduced here into
> include/common/mir_toolkit/common.h). That makes client code (compile time)
> dependent on libmircommon-dev.
>
> As we're introducing this dependency on mircommon, could we just put the code
> into libmircommon and not a separate library?
>
> Or should MirCookie be defined in libmircookie-dev and not libmircommon-dev?

Well I dont see why it couldnt be defined in libmircookie-dev. I think *if* we keep libmircookie-dev we should move the MirCookie into it (unless Im missing something for why this isnt possible). If we move to libmircommon-dev then we'll keep it :).

Need to talk with RAOF about it as well

FAILED: Continuous integration, rev:2927
http://jenkins.qa.ubuntu.com/job/mir-ci/4913/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3990
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2897/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3932/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1063/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3933/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4913/rebuild

FAILED: Continuous integration, rev:2928
http://jenkins.qa.ubuntu.com/job/mir-ci/4915/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3992
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2899/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3934/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1065/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3935/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4915/rebuild

PASSED: Continuous integration, rev:2929
http://jenkins.qa.ubuntu.com/job/mir-ci/4916/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3993
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2900
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3935
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1066
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1066/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3936
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3936/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6647
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23340

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4916/rebuild

PASSED: Continuous integration, rev:2928
http://jenkins.qa.ubuntu.com/job/mir-ci/4917/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3994
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2901
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3936
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1067
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1067/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3937
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3937/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6648
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23342

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4917/rebuild

PASSED: Continuous integration, rev:2931
http://jenkins.qa.ubuntu.com/job/mir-ci/4918/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/3995
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2902
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3937
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1068
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1068/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3938
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3938/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6649
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23344

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4918/rebuild

+class CookieFactory
...

Should delete copy constructor and assignment.

~~~~

+ static unsigned const minimum_secret_size;

1. Ought to be public, so that it can be accessed by client code.

2. Not providing the value in the header allows it to be changed without breaking ABI, but it would probably be more convenient for users to have the value visible.

~~~~

+ * Contruction function used to create a CookieFactory. The secret size must be
+ * greater then minimum_secret_size otherwise an expection will be thrown
...
+ * Contruction function used to create a CookieFactory as well as a secret.
+ * The secret size must be greater then minimum_secret_size otherwise an expection will be thrown

s/greater then/no less than/

~~~~

+/**
+* Checks entropy exists on the system, then fills in a vector with random numbers
+* up to size.
+*
+* \param [in] size The number of random numbers to generate.
+* \return A filled in vector with random numbers up to size
+*/
+std::vector<uint8_t> get_random_data(unsigned size);

Not needed in the API

~~~~

+unsigned const min_secret_size{8};

This isn't needed, minimum_secret_size should be initialized directly.

~~~~~

+namespace
+{
+ unsigned const secret_size{64};
+}

There ought to be a guarantee (e.g. a static assert) that this is greater than CookieFactory::minimum_secret_size. (And that is why I think CookieFactory::minimum_secret_size should be public and evaluate at compile time.)

~~~~

+TEST(MirCookieFactory, throw_when_secret_size_to_small)
+{
+ std::vector<uint8_t> bob{ 0x01 };
+ EXPECT_THROW({
+ auto factory = mir::cookie::CookieFactory::create(bob);
+ }, std::logic_error);
+}

OK, but it is better to test the "off by one" case. I.e. CookieFactory::minimum_secret_size (as the documentation says) or CookieFactory::minimum_secret_size-1 (as the code says).

~~~~

There are missing tests:

1. create(unsigned secret_size, std::vector<uint8_t>& save_secret);

This should be tested to check that a secret of the right size is saved, and that it throws if too small a size is requested.

2. get_random_data(unsigned size);

*If* this is in the API there should be corresponding tests.

~~~~

+MIR_COOKIE_1 {
+ global:
+ extern "C++" {
+ mir::cookie::CookieFactory::CookieFactory*;
+ mir::cookie::CookieFactory::?CookieFactory*;
+ mir::cookie::CookieFactory::create*;
+ mir::cookie::CookieFactory::timestamp_to_cookie*;
+ mir::cookie::CookieFactory::attest_timestamp*;
+ mir::cookie::get_random_data*;
+ };
+ local: *;
+};

The only functions that need to be exported are mir::cookie::CookieFactory::create*; (and, if it is in the API mir::cookie::get_random_data*;)

Just a bit of musing, not anything that requires action:

The create functions could be:

std::unique_ptr<CookieFactory> create_from_secret(std::vector<uint8_t> const& save_secret);
std::unique_ptr<CookieFactory> create_saving_secret(std::vector<uint8_t>& save_secret, unsigned secret_size = 2*minimum_secret_size);

That might be more convenient for code that doesn't care about the secret size. There could also be other variants:

std::unique_ptr<CookieFactory> create_keeping_secret(unsigned secret_size = 2*minimum_secret_size);

Which would support user code that just does:

    auto const cf = CookieFactory::create_keeping_secret();

Maybe not an important use case?

~~~~

It could also be convenient to include a definition of Secret:

    using Secret = std::vector<uint8_t>;

and use that in both the interface and user code.

+TEST(MirCookieFactory, timestamp_trusted_with_saved_secret_does_attest)
+{
+ uint64_t timestamp = 23;
+ unsigned secret_size = 64;
+ std::vector<uint8_t> secret;
+
+ auto factory = mir::cookie::CookieFactory::create_saving_secret(secret, secret_size);
+ auto cookie = factory->timestamp_to_cookie(timestamp);
+
+ EXPECT_TRUE(factory->attest_timestamp(cookie));
+}

Not unreasonable, but I was actually thinking of...

    uint64_t timestamp = 23;
    unsigned secret_size = 64;
    std::vector<uint8_t> secret;

    auto const source_factory = mir::cookie::CookieFactory::create_saving_secret(secret, secret_size);
    auto const sink_factory = mir::cookie::CookieFactory::create_from_secret(secret);
    auto cookie = source_factory->timestamp_to_cookie(timestamp);

    EXPECT_TRUE(sink_factory->attest_timestamp(cookie));

Which as one of the use cases we intend to support is something we should be testing.

For me, this is the remaining blocker:

> > > > Is libmircookie really something that will need to be released in sync
> > with
> > > > every Mir release? Or should it be a separate project?
> > >
> > > I dont have a clear answer for this one. I just imagine since the project
> is
> > > pretty small it makes it easier to keep it in lp:mir atm? Will have to
> poke
> > > raof about that one.
> >
> > A further thought, the header is dependent on MirCookie (introduced here
> into
> > include/common/mir_toolkit/common.h). That makes client code (compile time)
> > dependent on libmircommon-dev.
> >
> > As we're introducing this dependency on mircommon, could we just put the
> code
> > into libmircommon and not a separate library?
> >
> > Or should MirCookie be defined in libmircookie-dev and not libmircommon-dev?
>
> Well I dont see why it couldnt be defined in libmircookie-dev. I think *if* we
> keep libmircookie-dev we should move the MirCookie into it (unless Im missing
> something for why this isnt possible). If we move to libmircommon-dev then
> we'll keep it :).
>
> Need to talk with RAOF about it as well

It would be good for cookie clients to have a narrow, stable API.

To which end we should keep libmircookie as a separate project and make it independent of libmircommon-dev.

> It would be good for cookie clients to have a narrow, stable API.
>
> To which end we should keep libmircookie as a separate project and make it
> independent of libmircommon-dev.

Done. Is it fine to keep the entire mir cookie project inside lp:mir or should a new project be created?

PASSED: Continuous integration, rev:2932
http://jenkins.qa.ubuntu.com/job/mir-ci/4933/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/4012
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2919
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3954
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1083
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1083/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3955
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3955/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6664
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23376

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4933/rebuild

On Wednesday, 16 September 2015 20:47:24 BST, Brandon Schaefer wrote:
>> It would be good for cookie clients to have a narrow, stable API.
>>
>> To which end we should keep libmircookie as a separate project
>> and make it
>> independent of libmircommon-dev.
>
> Done. Is it fine to keep the entire mir cookie project inside
> lp:mir or should a new project be created?

Fine in mir tree. (For now anyway)

--
Alan Griffiths. +44 (0)798 9938 758
Octopull Limited. http://www.octopull.co.uk/

Hmm the only issue im not 100% sure about now. Is how we are going to expose the MirCookie to the mir_toolkit C api. I suppose Ill need to create a C api for the CookieFactory just to hold the MirCookie?

PASSED: Continuous integration, rev:2934
http://jenkins.qa.ubuntu.com/job/mir-ci/4938/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/4018
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2925
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3960
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1088
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1088/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3961
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3961/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6670
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23383

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4938/rebuild

PASSED: Continuous integration, rev:2935
http://jenkins.qa.ubuntu.com/job/mir-ci/4940/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/4020
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2927
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3962
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1090
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1090/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3963
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3963/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6672
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23387

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4940/rebuild

PASSED: Continuous integration, rev:2936
http://jenkins.qa.ubuntu.com/job/mir-ci/4942/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/4022
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2929
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3964
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1092
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1092/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3965
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3965/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6674
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23393

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4942/rebuild

Pushed trivial fixes:

1. src/CMakeLists.txt to build cookie independently of any other Mir code
2. include/cookie/mir_toolkit/cookie.h to compile standalone and add to mir_toolkit docs
3. include/cookie/mir/cookie_factory.h include include/cookie/mir_toolkit/cookie.h first (to ensure it compiles standalone) and move doc comment to correct type.

NB I think the server API needs extending to retrieve the generated secret, but that can come in the next MP.

PASSED: Continuous integration, rev:2942
http://jenkins.qa.ubuntu.com/job/mir-ci/4946/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-vivid-i386-build/4026
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-vivid-amd64-build/2933
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-vivid-touch/3968
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1096
        deb: http://jenkins.qa.ubuntu.com/job/mir-wily-amd64-ci/1096/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3969
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-vivid-armhf/3969/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/6678
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/23401

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-ci/4946/rebuild

+ static std::unique_ptr<CookieFactory> create_saving_secret(Secret& save_secret,
+ unsigned secret_size = 2 * minimum_secret_size);
+ static std::unique_ptr<CookieFactory> create_keeping_secret(unsigned secret_size = 2 * minimum_secret_size);

http://unity.ubuntu.com/mir/cppguide/index.html?showone=Default_Arguments#Default_Arguments

not too flummoxed by that, the rest lgtm

Looks good.

Not blocking, but I find the following API simpler to understand:

create_with_new_secret(unsigned int secret_size);
create_with_existing_secret(Secret const& secret);
Secret secret();

Of course, with this API the secret is no longer really "secret" (i.e. internal to the class), but I don't think it matters. If one has access to the class, then it doesn't really matter if one also has the secret (for our use cases at least).

Overall looks good for me.

This has changed quite a bit since the last time. When do we need override_the_cookie_factory(secret)?

nit :+ 470 braces of lambda functor..

> Looks good.
>
> Not blocking, but I find the following API simpler to understand:
>
> create_with_new_secret(unsigned int secret_size);
> create_with_existing_secret(Secret const& secret);
> Secret secret();
>
> Of course, with this API the secret is no longer really "secret" (i.e.
> internal to the class), but I don't think it matters. If one has access to the
> class, then it doesn't really matter if one also has the secret (for our use
> cases at least).

A main use of the API is to share the secret around once its been created. So we need to be able to expose the secret on creation so we can share it with another factory.

LGTM

> Overall looks good for me.
>
> This has changed quite a bit since the last time. When do we need
> override_the_cookie_factory(secret)?
>

This will be used in the client side of things. Not a perfect split from server/client but it will be used :).

> nit :+ 470 braces of lambda functor..

Hello - A review from the security team was requested and I've started to look at the code. However, I feel like I'm missing a lot of context from the greater design. It seems like this is only the very low-level building blocks needed by the greater design.

1) Does any documentation exist on the design? Thomas spoke with us about potential high-level designs months ago and I roughly understand which direction you all chose but this HMAC design was not one that we discussed at that time.

2) How will content-hub register itself with Mir? What's the flow of cookies between Mir, the foreground app, and content-hub during copy and paste events?

3) What prevents malicious apps from attempting to brute force cookies? I don't see any type of penalty implementation for repeated, bad guesses. Is content-hub expected to implement that?

1) The copy/paste doc is at https://docs.google.com/document/d/16qCQ8vYJmS7da1yfzBuKWnlUCrw_IXXsTIhWruPN0nk

2) The design is for content-hub to share a secret with Mir, and each construct their own instance of CookieFactory from that secret. Content-hub does not need to register itself with Mir. The copy/paste doc has some cookie flow examples.

3) The Mir calls which accept a MirCookie¹ will disconnect any client that submits an invalid cookie. Content-hub should probably do the same. Would it be better to (a) document that any attestation failure should be fatal to the client, and (b) rename “bool attest_timestamp(MirCookie const& cookie)” to “assert_timestamp()” and have it throw an exception on failure?

¹: Here's an example: https://code.launchpad.net/~mir-team/mir/cookie-raise-surface/+merge/274728

1) Thanks! The copy/paste doc helps a lot but it lacks implementation details. For example, "secret" isn't mentioned anywhere in the document. It does get me closer to understanding the design.

2) I'm confused by the "Content-hub does not need to register itself with Mir" bit since content-hub must share a secret with Mir and then Mir's CookieFactory is constructed from that secret. How does Mir know that the CookieFactory that it constructed was done so with a secret from Content-hub and not some other process?

3) If Mir disconnects a client that submits an invalid cookie, what prevents the client from reconnecting and submitting another invalid cookie?
  - Documenting that any attestation failure should be fatal to the client would be a good thing as long as a reconnecting is expensive.
  - IIUC, assert_timestamp() is in the address space of the client, correct? If so, throwing an exception on failure would do no good because a malicious client could link against a modified library that doesn't throw an exception.

1, 2) Yeah, that bit of the design is unspecified. I was assuming that we'd either go for:
 a) A parent process of unity8 and content-hub generates a secret and fd-passes it to both, or
 b) Unity8 and content-hub share a file readable only by them, or
 c) content-hub is started by unity8 and gets the secret fd-passed to it.

I'm not sufficiently familiar with the global design to know which one is most appropriate.

3) Unity8 only allows one connection per client. Actually, that's a lie; Unity8 effectively allows any client to connect to it, but in *theory* Unity8 only allows one connection per client. In theory, unity8 only allows applications started by upstart-app-launch and only allows one connection per launch, but in practice it allows anything that has --desktop-file-hint=valid.desktop on its commandline, or any binary whose name starts with maliit-server or which contains qt5/libexec/QtWebProcess.

So reconnection *should* be expensive, but currently isn't.

assert_timestamp() is in the server's address space; the secret required to assert a timestamp isn't available in the client address space.

1, 2) Ok, I'll follow up with tvoss on that aspect of the design.

3) We could probably do something as simple as adding a penalty delay after each failed attest attempt, before disconnecting the client.

Note that I also included a couple inline questions.

3) It'd be reasonably complex to add a penalty delay after a failed attest attempt, but possible. It's much simpler for us to just disconnect the client.

Replies inline.

Left some inline replies/comments.

One more inline comment...

Replies also inline.