Mir

Merge lp:~nick-dedekind/mir/trusted_sessions into lp:mir

trusted_sessions
Merge into development-branch

Proposed by Nick Dedekind on 2014-05-09

Status:	Merged
Merged at revision:	1701
Proposed branch:	lp:~nick-dedekind/mir/trusted_sessions
Merge into:	lp:mir
Prerequisite:	lp:~alan-griffiths/mir/spike-passing-out-client-fds
Diff against target:	4606 lines (+3344/-40) 79 files modified examples/CMakeLists.txt (+6/-2) examples/demo-inprocess-surface-client/inprocess_egl_client.cpp (+1/-1) examples/trust_session.c (+249/-0) include/client/mir_toolkit/mir_trust_session.h (+119/-0) include/server/mir/default_server_configuration.h (+3/-0) include/server/mir/frontend/event_sink.h (+2/-0) include/server/mir/frontend/session.h (+1/-0) include/server/mir/frontend/session_mediator_report.h (+6/-0) include/server/mir/frontend/shell.h (+9/-0) include/server/mir/frontend/trust_session.h (+53/-0) include/server/mir/scene/null_trust_session_listener.h (+50/-0) include/server/mir/scene/session.h (+3/-1) include/server/mir/scene/trust_session.h (+43/-0) include/server/mir/scene/trust_session_creation_parameters.h (+46/-0) include/server/mir/scene/trust_session_listener.h (+52/-0) include/shared/mir_toolkit/client_types.h (+26/-0) include/shared/mir_toolkit/common.h (+17/-0) include/shared/mir_toolkit/event.h (+10/-1) include/test/mir_test/test_protobuf_client.h (+18/-0) include/test/mir_test_doubles/mock_scene_session.h (+3/-0) include/test/mir_test_doubles/mock_shell.h (+9/-0) include/test/mir_test_doubles/mock_trust_session_listener.h (+48/-0) include/test/mir_test_doubles/null_trust_session.h (+69/-0) include/test/mir_test_doubles/stub_scene_session.h (+8/-0) include/test/mir_test_doubles/stub_session.h (+4/-0) include/test/mir_test_doubles/stub_shell.h (+15/-0) src/client/CMakeLists.txt (+4/-1) src/client/connection_configuration.h (+2/-0) src/client/default_connection_configuration.cpp (+11/-1) src/client/default_connection_configuration.h (+2/-0) src/client/event_distributor.cpp (+57/-0) src/client/event_distributor.h (+52/-0) src/client/mir_connection.cpp (+9/-2) src/client/mir_connection.h (+5/-0) src/client/mir_trust_session.cpp (+182/-0) src/client/mir_trust_session.h (+88/-0) src/client/mir_trust_session_api.cpp (+133/-0) src/client/rpc/make_rpc_channel.h (+3/-1) src/client/rpc/make_socket_rpc_channel.cpp (+4/-3) src/client/rpc/mir_socket_rpc_channel.cpp (+26/-7) src/client/rpc/mir_socket_rpc_channel.h (+6/-2) src/server/default_server_configuration.cpp (+11/-0) src/server/frontend/protobuf_message_processor.cpp (+12/-0) src/server/frontend/session_mediator.cpp (+95/-2) src/server/frontend/session_mediator.h (+17/-0) src/server/report/logging/session_mediator_report.cpp (+15/-0) src/server/report/logging/session_mediator_report.h (+6/-0) src/server/report/lttng/session_mediator_report.cpp (+11/-0) src/server/report/lttng/session_mediator_report.h (+3/-0) src/server/report/lttng/session_mediator_report_tp.h (+21/-0) src/server/report/null/session_mediator_report.cpp (+12/-0) src/server/report/null/session_mediator_report.h (+6/-0) src/server/scene/CMakeLists.txt (+3/-0) src/server/scene/application_session.cpp (+21/-0) src/server/scene/application_session.h (+3/-0) src/server/scene/default_configuration.cpp (+3/-2) src/server/scene/session_manager.cpp (+125/-3) src/server/scene/session_manager.h (+20/-1) src/server/scene/trust_session_container.cpp (+95/-0) src/server/scene/trust_session_container.h (+103/-0) src/server/scene/trust_session_creation_parameters.cpp (+51/-0) src/server/scene/trust_session_impl.cpp (+175/-0) src/server/scene/trust_session_impl.h (+74/-0) src/shared/protobuf/mir_protobuf.proto (+23/-2) tests/acceptance-tests/CMakeLists.txt (+1/-0) tests/acceptance-tests/test_client_trust_session_api.cpp (+106/-0) tests/acceptance-tests/test_nested_mir.cpp (+3/-0) tests/integration-tests/frontend/test_application_mediator_report.cpp (+181/-0) tests/integration-tests/test_session_manager.cpp (+3/-1) tests/mir_test_doubles/test_protobuf_client.cpp (+27/-1) tests/unit-tests/client/CMakeLists.txt (+1/-0) tests/unit-tests/client/test_mir_trust_session.cpp (+244/-0) tests/unit-tests/frontend/stress_protobuf_communicator.cpp (+3/-1) tests/unit-tests/graphics/mesa/test_drm_helper.cpp.moved (+65/-0) tests/unit-tests/scene/CMakeLists.txt (+2/-0) tests/unit-tests/scene/test_application_session.cpp (+45/-0) tests/unit-tests/scene/test_session_manager.cpp (+55/-5) tests/unit-tests/scene/test_trust_session.cpp (+82/-0) tests/unit-tests/scene/test_trust_session_container.cpp (+167/-0)
To merge this branch:	bzr merge lp:~nick-dedekind/mir/trusted_sessions
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Alan Griffiths		2014-05-09	Needs Fixing on 2014-05-16
PS Jenkins bot (community)	continuous-integration	2014-05-09	Needs Fixing on 2014-05-15
Alexandros Frantzis		2014-05-09	Pending
Andreas Pokorny		2014-05-09	Pending
Mir development team		2014-05-09	Pending
Review via email: mp+218975@code.launchpad.net

This proposal supersedes a proposal from 2014-03-04.

Description of the change

This adds/implements the API required for client & server to manage "trust sessions".

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-03-04: Posted in a previous version of this proposal

There's a lot of this to digest - and I don't know what feature(s) it is supposed to support.

Accordingly, I get bogged down in details like:

@SessionId - why is this useful (compared to, say, std::[shared|weak]_ptr<Session>)

@TrustedSessionCreationParameters - this has one public mutable member (which initializes itself). Why does it need a constructor? (And does it really belong in the shell namespace?)

Wrong year.

@examples/trusted_session_trusted_session.c

This is written using the original (async) APIs it would probably be clearer using the (slightly) more recent sync ones. (I suspect cut & paste from an example that should have been updated last year.)

review: Needs Information

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-04: Posted in a previous version of this proposal

FAILED: Continuous integration, rev:1397
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~nick-dedekind/mir/trusted_sessions/+merge/209224/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/979/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/1114
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/1112
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/698/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/711/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/716/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/699/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/979/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-03-05: Posted in a previous version of this proposal

Wow, so much code. This will take a while...

(1) One quick note:
1196 +MirTrustedSession* mir_trusted_session_create(MirConnection* connection)
The pattern we use is "NAMESPACE_OBJECT_ACTION", so that should be:
MirTrustedSession* mir_connection_create_trusted_session(MirConnection* connection)
Although since "session" was never an object in the client API before, the word "trusted" is superfluous and could be removed. Even if only from the public client API.

review: Needs Fixing

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-03-05: Posted in a previous version of this proposal

(2) Quick requirements/analysis sanity check: Can you explain why this feature needs to be in Mir itself?

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-05: Posted in a previous version of this proposal

> Wow, so much code. This will take a while...
>
> (1) One quick note:
> 1196 +MirTrustedSession* mir_trusted_session_create(MirConnection*
> connection)
> The pattern we use is "NAMESPACE_OBJECT_ACTION", so that should be:
> MirTrustedSession* mir_connection_create_trusted_session(MirConnection*
> connection)
> Although since "session" was never an object in the client API before, the
> word "trusted" is superfluous and could be removed. Even if only from the
> public client API.

It doesn't mean the same thing without "trusted". The TrustedSession is "the object" we are creating. A "trusted session" describes the trust relationship between mir [server] sessions. https://wiki.ubuntu.com/Security/TrustStoreAndSessions

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-05: Posted in a previous version of this proposal

> (2) Quick requirements/analysis sanity check: Can you explain why this feature
> needs to be in Mir itself?

The trust session needs to be created by a mir client, and interpreted by the shell (in our case, the mirserver api shell layer - unity-mir).
Since it describes the relationship between sessions, it seems like the logical place. Without mir we would need to create a new framework for the client to communicate this with the shell.

tvoss may have a more speicific answer for you.

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-05: Posted in a previous version of this proposal

> > Wow, so much code. This will take a while...
> >
> > (1) One quick note:
> > 1196 +MirTrustedSession* mir_trusted_session_create(MirConnection*
> > connection)
> > The pattern we use is "NAMESPACE_OBJECT_ACTION", so that should be:
> > MirTrustedSession* mir_connection_create_trusted_session(MirConnection*
> > connection)
> > Although since "session" was never an object in the client API before, the
> > word "trusted" is superfluous and could be removed. Even if only from the
> > public client API.
>
> It doesn't mean the same thing without "trusted". The TrustedSession is "the
> object" we are creating. A "trusted session" describes the trust relationship
> between mir [server] sessions.
> https://wiki.ubuntu.com/Security/TrustStoreAndSessions

In retrospect, it's actually a "trust session". I'll change that.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-06: Posted in a previous version of this proposal

FAILED: Continuous integration, rev:1400
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~nick-dedekind/mir/trusted_sessions/+merge/209224/+edit-commit-message

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1002/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-07: Posted in a previous version of this proposal

> There's a lot of this to digest - and I don't know what feature(s) it is
> supposed to support.

Thanks for the review.
This adds/implements the API required for client & server to manage "trust sessions" (as the name suggests).
The easiest way to get an overview of what this code "does" is by looking at the diagram:
https://docs.google.com/a/canonical.com/drawings/d/1Sx3Q6IugYY0DjrQfN3em6PBhyeNotXtYAa4UioVdT8c/edit

>
> Accordingly, I get bogged down in details like:
>
> @SessionId - why is this useful (compared to, say,
> std::[shared|weak]_ptr<Session>)

:/ This was a bit of a mixed implementation. The client side supports multiple trust sessions per connection, while the server does not. So [at least for now] I've removed support for multiple trust sessions (start refused). So removed the SessionId in favour of std::shared_ptr<TrustSession>

>
> @TrustedSessionCreationParameters - this has one public mutable member (which
> initializes itself). Why does it need a constructor? (And does it really
> belong in the shell namespace?)
>
> 61 + * Copyright © 2012 Canonical Ltd.
>
> Wrong year.
>
> @examples/trusted_session_trusted_session.c
>
> This is written using the original (async) APIs it would probably be clearer
> using the (slightly) more recent sync ones. (I suspect cut & paste from an
> example that should have been updated last year.)

Refactored example & added sync methods to trust session API.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-07: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1012/rebuild

review: Approve (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-07: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1016/rebuild

review: Approve (continuous-integration)

Revision history for this message

Andreas Pokorny (andreas-pokorny) wrote on 2014-03-08: Posted in a previous version of this proposal

First run on the public client side API

+ 399 wrong comment
+ 408 Really Lifecycle, not just "state"?
+ 443 wrong comment

In general - do we need to the start and stop states? Isnt create/destroy enough?

+ 399ff this means all sessions of the same process pid are trusted? Couldnt that be: mir_trust_session_trust_process(session, pid);

review: Needs Fixing

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-03-10: Posted in a previous version of this proposal

This isn't a full review, but some minor fixes to do in the mean time...

(1) Please follow the existing convention, which would mean:
396 +MirTrustSession* mir_trust_session_create(MirConnection* connection);
becomes:
MirTrustSession* mir_connection_create_trust_session(MirConnection* connection);

(2) Please put the details/justification you mentioned in the commit message or proposal description. A four word description for a 3713 line proposal is a bit brief...

review: Needs Fixing

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-10: Posted in a previous version of this proposal

> First run on the public client side API
>
> + 399 wrong comment
> + 408 Really Lifecycle, not just "state"?
> + 443 wrong comment

Fixed.

>
> In general - do we need to the start and stop states? Isnt create/destroy
> enough?
>
> + 399ff this means all sessions of the same process pid are trusted? Couldnt
> that be: mir_trust_session_trust_process(session, pid);

The trust sessions doesn't exist on the server until we call start. The trust session is set up (add pids), after which we call mir_trust_session_start (which creates the server side impl). And the server can manually stop the trust session as well, so that's why we need the state callback.

renamed to mir_trust_session_add_trusted_pid

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-10: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1023/rebuild

review: Approve (continuous-integration)

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-03-11: Posted in a previous version of this proposal

Overall, very nice. The size of the proposal however means the little issues are adding up to quite a list...

(1) 397 +MirTrustSession* mir_connection_trust_session_create(MirConnection* connection);
should be renamed to follow the existing convention:
MirTrustSession* mir_connection_create_trust_session(MirConnection* connection);

(2) Please expand on the commit message/description further. It's still too brief for a large enhancement.

(3) Please remove "handle_trust_session_event()". EventSink is only meant to have one method "handle_event" which handles any and all event types. The other methods of EventSink are mistakes we need to revert already. Sorry it's misleading.

(4) ABI bumps: The server ABI seems to have changed, but the client ABI is not broken by this proposal. Please revent the MIR_CLIENT_ABI bump.

(5) trust_session.c: The program prints messages referring to itself as "demo_client_trusted_helper" and "demo_client_app2". However the binary name is "mir_demo_client_trust_session". Maybe it should be printing that or just argv[0] to avoid confusion.

(6) trust_session.c: Forks into two processes, which is unusual for a client. Is that the expected/normal use case?

(7) read(STDIN_FILENO, &buff, 1) - Why not getchar()? It's simpler more portable too.

(8) Long lines - I prefer code wrapped before column 80 and so do plenty of people. Not just because that's what a terminal defaults to, but it's easier for the brain to follow line continuation when you avoid them getting too long.

(9) frontend/trust_session.h: Is std::vector necessary to maintain an ordered list? If not then the more appropriate container is std::unordered_set

(10) frontend/trust_session.h: a stop() method but no start() method? Is that a good idea? Is the start implicit in construction?

(11) MirTrustSessionAddTrustResult: The enum values are arguably too long. IMHO.

(12) Identical descriptions for different function types?
784 + * Callback member of MirTrustSession for handling of trust sessions.
791 + * Callback member of MirTrustSession for handling of trust sessions.

(13) We should avoid landing new code with known race conditions:
1618 + /* todo: race condition. protobuf does not guarantee that callbacks will be synchronized. potential
1619 + race in session, last_buffer_id */

(14) Superficially it's confusing as to why these with equivalent names should be separate classes:
1592 +struct MirTrustSession : public mir::client::TrustSession
But now I notice how simple mir::client::TrustSession is, they're clearly quite different things. So the class names should clarify the differences between them.

(15) What's a "Control"?
1885 +class TrustSessionControl
I'm not familiar with that abstraction. Even though there seems to be another "Control" class there already :S

(16) test_protobuf_client.cpp: A busy wait loop seems like a lazy approach to this (albeit a lazy approach we've already used in other tests). It would be cleaner to use a std::condition_variable with a std::mutex and bool. That would also avoid the expected Helgrind complaints about std::atomic being racy.

(17) test_trust_session.cpp: Wrong copyright year range.

Overall, very nice. The size of the proposal however means the little issues are adding up to quite a list...

(1) 397	+MirTrustSession* mir_connection_trust_session_create(MirConnection* connection);
should be renamed to follow the existing convention:
MirTrustSession* mir_connection_create_trust_session(MirConnection* connection);

(2) Please expand on the commit message/description further. It's still too brief for a large enhancement.

(4) ABI bumps: The server ABI seems to have changed, but the client ABI is not broken by this proposal. Please revent the MIR_CLIENT_ABI bump.

(6) trust_session.c: Forks into two processes, which is unusual for a client. Is that the expected/normal use case?

(7) read(STDIN_FILENO, &buff, 1) - Why not getchar()? It's simpler more portable too.

(9) frontend/trust_session.h: Is std::vector necessary to maintain an ordered list? If not then the more appropriate container is std::unordered_set

(10) frontend/trust_session.h: a stop() method but no start() method? Is that a good idea? Is the start implicit in construction?

(11) MirTrustSessionAddTrustResult: The enum values are arguably too long. IMHO.

(12) Identical descriptions for different function types?
784	+ * Callback member of MirTrustSession for handling of trust sessions.
791	+ * Callback member of MirTrustSession for handling of trust sessions.

(13) We should avoid landing new code with known race conditions:
1618	+    /* todo: race condition. protobuf does not guarantee that callbacks will be synchronized. potential
1619	+             race in session, last_buffer_id */

(14) Superficially it's confusing as to why these with equivalent names should be separate classes:
1592	+struct MirTrustSession : public mir::client::TrustSession
But now I notice how simple mir::client::TrustSession is, they're clearly quite different things. So the class names should clarify the differences between them.

(15) What's a "Control"?
1885	+class TrustSessionControl
I'm not familiar with that abstraction. Even though there seems to be another "Control" class there already :S

(17) test_trust_session.cpp: Wrong copyright year range.

review: Needs Fixing

Revision history for this message

Alexandros Frantzis (afrantzis) wrote on 2014-03-11: Posted in a previous version of this proposal

A first pass...

Since mir_client_library.cpp has started to become unwieldly I propose we follow the convention mir_screencast is using, i.e.:

1. Public header file goes in mir_toolkit/mir_trust_session.h
2. C API implementation goes in src/client/mir_trust_session_api.cpp
3. Internal classes as usual, src/client/mir_trust_session.{cpp,h}

148 +///\page trust_session.c trust_session.c: A mir client which starts a trust session and trusted client app.
149 +/// mir_demo_client_trust_session shows the use of mir trust session API.
150 +/// This program opens a mir connection and creates a trust session.
...

519 + virtual std::shared_ptr<TrustSession> start_trust_session_for(std::string& error,
520 + std::shared_ptr<Session> const& session,

Since this is a C file, the C(/Javadoc) format is preferred, like in the public files.

519 + virtual std::shared_ptr<TrustSession> start_trust_session_for(std::string& error,
520 + std::shared_ptr<Session> const& session,
...

Either use a 4-space indentation or align with char after '('.

567 + virtual ~TrustSession() {}
1129 + TrustSession() {}
1130 + virtual ~TrustSession() {}

Use '= default' instead;

744 +#include <string>

Not needed.

1239 +/**************************
1240 + * Trust session specific functions *
1241 + **************************/

This can be made prettier :)

1249 + pid_t pid)

1255 + mir_trust_session_callback callback,
1256 + void* context)

1272 + reinterpret_cast<mir_trust_session_callback>
1273 + (assign_result),
1274 + NULL));

1279 + mir_trust_session_callback callback,
1280 + void* context)

1296 + reinterpret_cast<mir_trust_session_callback>
1297 + (assign_result),
1298 + NULL));

1308 + mir_trust_session_event_callback callback,
1309 + void* context)

Either use a 4-space indentation or align with char after '(' on previous line.

1427 + [this]
1428 + (MirTrustSessionState new_state)

1501 + [this, callback, context]
1502 + (MirTrustSessionState state)

2771 + [this]
2772 + (std::shared_ptr<msh::Session> const& child_session)

We tend to prefer to keep the parameter list on the same line as the capture list:
[this] (MirTrustSessionState new_state), but that's not a hard and fast rule AFAIK.

1430 + std::lock_guard<std::recursive_mutex> lock(mutex);

Why do we need a recursive mutex?

1595 + MirTrustSession(mir::protobuf::DisplayServer::Stub & server,
1600 + MirTrustSession(MirTrustSession const &) = delete;
1601 + MirTrustSession& operator=(MirTrustSession const &) = delete;
... and others in the class

* and & go with the type (or 'const' if there is one).

1820 + std::unique_lock<std::mutex> lk(guard);

Since the lock is not used with condition variables or moved, we could use the simpler std::lock_guard<>.

1814 +mcl::TrustSessionControl::~TrustSessionControl()
1815 +{
1816 +}

Is this needed?

2737 + TrustSession* impl = new TrustSession(trusted_helper, parameters, sink);
2738 + std::shared_ptr<msh::TrustSession> ptr(impl);

auto const trust_session = std::make_shared<TrustSession>(trusted_helper, parameters, sink);

A first pass...

Since mir_client_library.cpp has started to become unwieldly I propose we follow the convention mir_screencast is using, i.e.:

1. Public header file goes in mir_toolkit/mir_trust_session.h
2. C API implementation goes in src/client/mir_trust_session_api.cpp
3. Internal classes as usual, src/client/mir_trust_session.{cpp,h}

148	+///\page trust_session.c trust_session.c: A mir client which starts a trust session and trusted client app.
149	+/// mir_demo_client_trust_session shows the use of mir trust session API.
150	+/// This program opens a mir connection and creates a trust session.
...

519	+ virtual std::shared_ptr<TrustSession> start_trust_session_for(std::string& error,
520	+ std::shared_ptr<Session> const& session,

Since this is a C file, the C(/Javadoc) format is preferred, like in the public files.

519 + virtual std::shared_ptr<TrustSession> start_trust_session_for(std::string& error,
520 + std::shared_ptr<Session> const& session,
...

Either use a 4-space indentation or align with char after '('.

567 + virtual ~TrustSession() {}
1129    + TrustSession() {}
1130    + virtual ~TrustSession() {}

Use '= default' instead;

744 +#include <string>

Not needed.

1239    +/**************************
1240    + * Trust session specific functions *
1241    + **************************/

This can be made prettier :)

1249    + pid_t pid)

1255    + mir_trust_session_callback callback,
1256    + void* context)

1272    + reinterpret_cast<mir_trust_session_callback>
1273    + (assign_result),
1274    + NULL));

1279    + mir_trust_session_callback callback,
1280    + void* context)

1296    + reinterpret_cast<mir_trust_session_callback>
1297    + (assign_result),
1298    + NULL));

1308    + mir_trust_session_event_callback callback,
1309    + void* context)

Either use a 4-space indentation or align with char after '(' on previous line.

1427    + [this]
1428    + (MirTrustSessionState new_state)

1501    + [this, callback, context]
1502    + (MirTrustSessionState state)

2771    + [this]
2772    + (std::shared_ptr<msh::Session> const& child_session)

We tend to prefer to keep the parameter list on the same line as the capture list:
[this] (MirTrustSessionState new_state), but that's not a hard and fast rule AFAIK.

1430    + std::lock_guard<std::recursive_mutex> lock(mutex);

Why do we need a recursive mutex?

1595    + MirTrustSession(mir::protobuf::DisplayServer::Stub & server,
1600    + MirTrustSession(MirTrustSession const &) = delete;
1601    + MirTrustSession& operator=(MirTrustSession const &) = delete;
... and others in the class

* and & go with the type (or 'const' if there is one).

1820    + std::unique_lock<std::mutex> lk(guard);

Since the lock is not used with condition variables or moved, we could use the simpler std::lock_guard<>.

1814    +mcl::TrustSessionControl::~TrustSessionControl()
1815    +{  
1816    +}

Is this needed?

2737	+ TrustSession* impl = new TrustSession(trusted_helper, parameters, sink);
2738	+ std::shared_ptr<msh::TrustSession> ptr(impl);

auto const trust_session = std::make_shared<TrustSession>(trusted_helper, parameters, sink);

review: Needs Fixing

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-12: Posted in a previous version of this proposal

Download full text (4.8 KiB)

> Overall, very nice. The size of the proposal however means the little issues
> are adding up to quite a list...
>
> (1) 397 +MirTrustSession* mir_connection_trust_session_create(MirConnection*
> connection);
> should be renamed to follow the existing convention:
> MirTrustSession* mir_connection_create_trust_session(MirConnection*
> connection);

My bad again. Done

>
> (2) Please expand on the commit message/description further. It's still too
> brief for a large enhancement.

Done

>
> (3) Please remove "handle_trust_session_event()". EventSink is only meant to
> have one method "handle_event" which handles any and all event types. The
> other methods of EventSink are mistakes we need to revert already. Sorry it's
> misleading.

Hmm. bit of an interesting one about this one. The only consumer for MirEvents are the surfaces.
Which means we'll need another consumer to push the events to clients without a surface.
I've removed the TrustSessionControl class, and added a mcl::EventDistributor class to the client library which does this.

>
> (4) ABI bumps: The server ABI seems to have changed, but the client ABI is not
> broken by this proposal. Please revent the MIR_CLIENT_ABI bump.

Done

>
> (5) trust_session.c: The program prints messages referring to itself as
> "demo_client_trusted_helper" and "demo_client_app2". However the binary name
> is "mir_demo_client_trust_session". Maybe it should be printing that or just
> argv[0] to avoid confusion.

Made references/stdout of each process more explicit.

>
> (6) trust_session.c: Forks into two processes, which is unusual for a client.
> Is that the expected/normal use case?

We need 2 processes for a trust session, the "trusted helper", and the "trusted app".
It would probably be more normal for the trusted helper to start an external process, but I it
better to enclose all behaviour in the single example.

>
> (7) read(STDIN_FILENO, &buff, 1) - Why not getchar()? It's simpler more
> portable too.

Done

>
> (8) Long lines - I prefer code wrapped before column 80 and so do plenty of
> people. Not just because that's what a terminal defaults to, but it's easier
> for the brain to follow line continuation when you avoid them getting too
> long.
>
> (9) frontend/trust_session.h: Is std::vector necessary to maintain an ordered
> list? If not then the more appropriate container is std::unordered_set

Needs to be ordered for the shell. (last session is on top)

>
> (10) frontend/trust_session.h: a stop() method but no start() method? Is that
> a good idea? Is the start implicit in construction?

It's not ideal, but there is a static start_for function on the src/server/scene/trust_session.cpp
Which essentially is implicit start on creation. Can't do what we need from a member start.

>
> (11) MirTrustSessionAddTrustResult: The enum values are arguably too long.
> IMHO.

Now shorter (kind of). Though there are some pretty long ones about still.

>
> (12) Identical descriptions for different function types?
> 784 + * Callback member of MirTrustSession for handling of trust sessions.
> 791 + * Callback member of MirTrustSession for handling of trust sessions.
>

Fixed.

> (13) We ...

> Overall, very nice. The size of the proposal however means the little issues
> are adding up to quite a list...
> 
> (1) 397 +MirTrustSession* mir_connection_trust_session_create(MirConnection*
> connection);
> should be renamed to follow the existing convention:
> MirTrustSession* mir_connection_create_trust_session(MirConnection*
> connection);

My bad again. Done

> 
> (2) Please expand on the commit message/description further. It's still too
> brief for a large enhancement.

Done

> 
> (3) Please remove "handle_trust_session_event()". EventSink is only meant to
> have one method "handle_event" which handles any and all event types. The
> other methods of EventSink are mistakes we need to revert already. Sorry it's
> misleading.

> 
> (4) ABI bumps: The server ABI seems to have changed, but the client ABI is not
> broken by this proposal. Please revent the MIR_CLIENT_ABI bump.

Done

> 
> (5) trust_session.c: The program prints messages referring to itself as
> "demo_client_trusted_helper" and "demo_client_app2". However the binary name
> is "mir_demo_client_trust_session". Maybe it should be printing that or just
> argv[0] to avoid confusion.

Made references/stdout of each process more explicit.

> 
> (6) trust_session.c: Forks into two processes, which is unusual for a client.
> Is that the expected/normal use case?

We need 2 processes for a trust session, the "trusted helper", and the "trusted app".
It would probably be more normal for the trusted helper to start an external process, but I it 
better to enclose all behaviour in the single example.

> 
> (7) read(STDIN_FILENO, &buff, 1) - Why not getchar()? It's simpler more
> portable too.

Done

> 
> (8) Long lines - I prefer code wrapped before column 80 and so do plenty of
> people. Not just because that's what a terminal defaults to, but it's easier
> for the brain to follow line continuation when you avoid them getting too
> long.
> 
> (9) frontend/trust_session.h: Is std::vector necessary to maintain an ordered
> list? If not then the more appropriate container is std::unordered_set

Needs to be ordered for the shell. (last session is on top)

> 
> (10) frontend/trust_session.h: a stop() method but no start() method? Is that
> a good idea? Is the start implicit in construction?

It's not ideal, but there is a static start_for function on the src/server/scene/trust_session.cpp
Which essentially is implicit start on creation. Can't do what we need from a member start.

> 
> (11) MirTrustSessionAddTrustResult: The enum values are arguably too long.
> IMHO.

Now shorter (kind of). Though there are some pretty long ones about still.

> 
> (12) Identical descriptions for different function types?
> 784     + * Callback member of MirTrustSession for handling of trust sessions.
> 791     + * Callback member of MirTrustSession for handling of trust sessions.
>

Fixed.

> (13) We should avoid landing new code with known race conditions:
> 1618    +    /* todo: race condition. protobuf does not guarantee that
> callbacks will be synchronized. potential
> 1619    +             race in session, last_buffer_id */

Removed comment. Copied over from src/client/mir_surface.h, which has similar usage.
Original comment was [now] incorrect as per alan_g/kdub in any case.

> 
> (14) Superficially it's confusing as to why these with equivalent names should
> be separate classes:
> 1592    +struct MirTrustSession : public mir::client::TrustSession
> But now I notice how simple mir::client::TrustSession is, they're clearly
> quite different things. So the class names should clarify the differences
> between them.

Removed abstract class. No idea why I abstracted it in the first place.

> 
> (15) What's a "Control"?
> 1885    +class TrustSessionControl
> I'm not familiar with that abstraction. Even though there seems to be another
> "Control" class there already :S

This is essentially just a marshalling object. It receives the state events from rpc and
calls handlers the registered client TrustSessions.
It's been renamed and repurposed as the generic EventDistributor object (to which the TrustSession registers for events)

> 
> (16) test_protobuf_client.cpp: A busy wait loop seems like a lazy approach to
> this (albeit a lazy approach we've already used in other tests). It would be
> cleaner to use a std::condition_variable with a std::mutex and bool. That
> would also avoid the expected Helgrind complaints about std::atomic being
> racy.

Done with existing WaitCondition class. I haven't changed the rest of the uses in the file though.

> 
> (17) test_trust_session.cpp: Wrong copyright year range.

Done.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-12: Posted in a previous version of this proposal

FAILED: Continuous integration, rev:1416
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1051/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/1213
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/1211
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/795
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/783/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/788
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/788/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/796
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/796/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/743
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/4718

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1051/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-12: Posted in a previous version of this proposal

Download full text (3.6 KiB)

> A first pass...
>
> Since mir_client_library.cpp has started to become unwieldly I propose we
> follow the convention mir_screencast is using, i.e.:
>
> 1. Public header file goes in mir_toolkit/mir_trust_session.h
> 2. C API implementation goes in src/client/mir_trust_session_api.cpp
> 3. Internal classes as usual, src/client/mir_trust_session.{cpp,h}

Done

>
> 148 +///\page trust_session.c trust_session.c: A mir client which starts a
> trust session and trusted client app.
> 149 +/// mir_demo_client_trust_session shows the use of mir trust session
> API.
> 150 +/// This program opens a mir connection and creates a trust session.
> ...
>
> 519 + virtual std::shared_ptr<TrustSession>
> start_trust_session_for(std::string& error,
> 520 + std::shared_ptr<Session> const& session,
>
> Since this is a C file, the C(/Javadoc) format is preferred, like in the
> public files.
>

This is using the same format as the other examples.

>
> 519 + virtual std::shared_ptr<TrustSession>
> start_trust_session_for(std::string& error,
> 520 + std::shared_ptr<Session> const& session,
> ...
>
> Either use a 4-space indentation or align with char after '('.

Done

>
> 567 + virtual ~TrustSession() {}
> 1129 + TrustSession() {}
> 1130 + virtual ~TrustSession() {}
>
> Use '= default' instead;

Done

>
> 744 +#include <string>
>
> Not needed.

Done

>
> 1239 +/**************************
> 1240 + * Trust session specific functions *
> 1241 + **************************/
>
> This can be made prettier :)

Removed with separation of client api source files

>
> 1249 + pid_t pid)
>
> 1255 + mir_trust_session_callback callback,
> 1256 + void* context)
>
> 1272 + reinterpret_cast<mir_trust_session_callback>
> 1273 + (assign_result),
> 1274 + NULL));
>
> 1279 + mir_trust_session_callback callback,
> 1280 + void* context)
>
> 1296 + reinterpret_cast<mir_trust_session_callback>
> 1297 + (assign_result),
> 1298 + NULL));
>
> 1308 + mir_trust_session_event_callback callback,
> 1309 + void* context)
>
> Either use a 4-space indentation or align with char after '(' on previous
> line.
>
> 1427 + [this]
> 1428 + (MirTrustSessionState new_state)
>
> 1501 + [this, callback, context]
> 1502 + (MirTrustSessionState state)
>
> 2771 + [this]
> 2772 + (std::shared_ptr<msh::Session> const& child_session)
>
> We tend to prefer to keep the parameter list on the same line as the capture
> list:
> [this] (MirTrustSessionState new_state), but that's not a hard and fast rule
> AFAIK.

Must have picked it up on some other project. Switched to single line

>
> 1430 + std::lock_guard<std::recursive_mutex> lock(mutex);
>
> Why do we need a recursive mutex?

Changed already

>
> 1595 + MirTrustSession(mir::protobuf::DisplayServer::Stub & server,
> 1600 + MirTrustSession(MirTrustSession const &) = delete;
> 1601 + MirTrustSession& operator=(MirTrustSession const &) = delete;
> ... and others in the class
>
> * and & go with the type (or 'const' if there is one).

Done

>
> 1820 + std::unique_lock<std::mutex> lk(guard);
>
> Since the lock is not used with condition...

> A first pass...
> 
> Since mir_client_library.cpp has started to become unwieldly I propose we
> follow the convention mir_screencast is using, i.e.:
> 
> 1. Public header file goes in mir_toolkit/mir_trust_session.h
> 2. C API implementation goes in src/client/mir_trust_session_api.cpp
> 3. Internal classes as usual, src/client/mir_trust_session.{cpp,h}

Done

> 
> 148     +///\page trust_session.c trust_session.c: A mir client which starts a
> trust session and trusted client app.
> 149     +/// mir_demo_client_trust_session shows the use of mir trust session
> API.
> 150     +/// This program opens a mir connection and creates a trust session.
> ...
> 
> 519     + virtual std::shared_ptr<TrustSession>
> start_trust_session_for(std::string& error,
> 520     + std::shared_ptr<Session> const& session,
> 
> Since this is a C file, the C(/Javadoc) format is preferred, like in the
> public files.
>

This is using the same format as the other examples.

> 
> 519 + virtual std::shared_ptr<TrustSession>
> start_trust_session_for(std::string& error,
> 520 + std::shared_ptr<Session> const& session,
> ...
> 
> Either use a 4-space indentation or align with char after '('.

Done

> 
> 567 + virtual ~TrustSession() {}
> 1129    + TrustSession() {}
> 1130    + virtual ~TrustSession() {}
> 
> Use '= default' instead;

Done

> 
> 744 +#include <string>
> 
> Not needed.

Done

> 
> 1239    +/**************************
> 1240    + * Trust session specific functions *
> 1241    + **************************/
> 
> This can be made prettier :)

Removed with separation of client api source files

> 
> 1249    + pid_t pid)
> 
> 1255    + mir_trust_session_callback callback,
> 1256    + void* context)
> 
> 1272    + reinterpret_cast<mir_trust_session_callback>
> 1273    + (assign_result),
> 1274    + NULL));
> 
> 1279    + mir_trust_session_callback callback,
> 1280    + void* context)
> 
> 1296    + reinterpret_cast<mir_trust_session_callback>
> 1297    + (assign_result),
> 1298    + NULL));
> 
> 1308    + mir_trust_session_event_callback callback,
> 1309    + void* context)
> 
> Either use a 4-space indentation or align with char after '(' on previous
> line.
> 
> 1427    + [this]
> 1428    + (MirTrustSessionState new_state)
> 
> 1501    + [this, callback, context]
> 1502    + (MirTrustSessionState state)
> 
> 2771    + [this]
> 2772    + (std::shared_ptr<msh::Session> const& child_session)
> 
> We tend to prefer to keep the parameter list on the same line as the capture
> list:
> [this] (MirTrustSessionState new_state), but that's not a hard and fast rule
> AFAIK.

Must have picked it up on some other project. Switched to single line

> 
> 1430    + std::lock_guard<std::recursive_mutex> lock(mutex);
> 
> Why do we need a recursive mutex?

Changed already

> 
> 1595    + MirTrustSession(mir::protobuf::DisplayServer::Stub & server,
> 1600    + MirTrustSession(MirTrustSession const &) = delete;
> 1601    + MirTrustSession& operator=(MirTrustSession const &) = delete;
> ... and others in the class
> 
> * and & go with the type (or 'const' if there is one).

Done

> 
> 1820    + std::unique_lock<std::mutex> lk(guard);
> 
> Since the lock is not used with condition variables or moved, we could use the
> simpler std::lock_guard<>.

Done

> 
> 1814    +mcl::TrustSessionControl::~TrustSessionControl()
> 1815    +{
> 1816    +}
> 
> Is this needed?

No. Removed (=default)

> 
> 2737    + TrustSession* impl = new TrustSession(trusted_helper, parameters,
> sink);
> 2738    + std::shared_ptr<msh::TrustSession> ptr(impl);
> 
> auto const trust_session = std::make_shared<TrustSession>(trusted_helper,
> parameters, sink);

Done

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-12: Posted in a previous version of this proposal

FAILED: Continuous integration, rev:1417
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1052/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/1214
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/1212
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/796
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/784/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/789
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/789/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/797
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/797/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/744
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/4721

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1052/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-12: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1053/rebuild

review: Approve (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-13: Posted in a previous version of this proposal

FAILED: Continuous integration, rev:1419
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1063/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/1227/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/1225/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/809/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/795/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/800/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/810/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1063/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-13: Posted in a previous version of this proposal

FAILED: Continuous integration, rev:1420
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1065/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/1229
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/1227
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/811/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/797/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/802/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/812/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1065/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-13: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1066/rebuild

review: Approve (continuous-integration)

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-03-14: Posted in a previous version of this proposal

Surely 2014 deserves a mention?

~~~~

534 === renamed file 'src/server/scene/session_container.h' => 'include/server/mir/scene/session_container.h'

Why is this interface being made public? It is internal to the Mir scene implementation and should be access via SessionManager (which has public interfaces frontend::Shell and shell::FocusController)

Oh, I see: it has an entirely new use with shell::Session::get_children(). That opens a whole new debate about procedural vs OO design:

In this instance, for example, in TrustSession::stop() we should be telling the trusted_helper that the session has stopped, not asking for this collection and manipulating it.

This isn't the only part of the design that makes use of manipulating state directly instead of tell what is going on. A quick search for [sg]et_ turns up more.

~~~~

There's a misuse of smart pointers - shared_ptr is about "ownership" and this needs to be a directed *acyclic* graph to correctly manage memory. Having the parent and child both "own" each other is wrong. At least one of these smart pointers should be a raw pointer.

review: Needs Fixing

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-03-17: Posted in a previous version of this proposal

> There's a misuse of smart pointers - shared_ptr is about "ownership" and this
> needs to be a directed *acyclic* graph to correctly manage memory. Having the
> parent and child both "own" each other is wrong. At least one of these smart
> pointers should be a raw pointer.

I've not checked the required semantics, but another solution that might be evaluated is to use weak_ptr.

Revision history for this message

Alberto Mardegan (mardy) wrote on 2014-03-17: Posted in a previous version of this proposal

I had a quick look at the proposed API; please consider adding an API to add an application by app-id, so that we can add applications which have not been started yet.
More about that here:

https://lists.launchpad.net/ubuntu-phone/msg06680.html

(I myself would have preferred a different approach, where an app could add itself to an existing session)

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-17: Posted in a previous version of this proposal

> > There's a misuse of smart pointers - shared_ptr is about "ownership" and
> this
> > needs to be a directed *acyclic* graph to correctly manage memory. Having
> the
> > parent and child both "own" each other is wrong. At least one of these smart
> > pointers should be a raw pointer.
>
> I've not checked the required semantics, but another solution that might be
> evaluated is to use weak_ptr.

Would have liked to use weak_ptr, but it wouldn't work for setting child parents from within Session::begin_trust_session.

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-17: Posted in a previous version of this proposal

> I had a quick look at the proposed API; please consider adding an API to add
> an application by app-id, so that we can add applications which have not been
> started yet.
> More about that here:
>
> https://lists.launchpad.net/ubuntu-phone/msg06680.html
>
> (I myself would have preferred a different approach, where an app could add
> itself to an existing session)

From when I've seen, a mir session has no concept of an app id, so we wouldn't be able to determine if we needed to add a newly started session to the existing trust session. There is a "Session::name", but that doesn't seem to equate to anything.
I'm not sure how we're supposed to deal with this.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-17: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1084/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-18: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1091/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-19: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1108/rebuild

review: Approve (continuous-integration)

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-03-20: Posted in a previous version of this proposal

I'm wondering why we have single "trust session" object managed by the client that can contain zero or more pids - wouldn't a more useful design be to have a collection of zero or more trusted pids that can be managed by the client?

Vis:

start_trust_session(pid1, pid2)
...
stop_trust_session(pid1)
...
start_trust_session(pid3)
...
stop_trust_session(pid2, pid3)

review: Needs Information

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-03-20: Posted in a previous version of this proposal

532 === renamed file 'src/server/scene/session_container.h' => 'include/server/mir/scene/session_container.h'

[Already discussed] above this interface should not be published. It is internal to the Mir scene implementation.

~~~~

424 +
425 + // TODO - remove these in favour of using handle_event

What has this to do with trust sessions?

~~~~

437 + virtual void session_start_trust_session_called(std::string const& app_name) = 0;

Is the name of the current session enough information to be useful? Would some information about what is trusted be appropriate?

~~~~

1902 + // only surface events have e.surface.id . Other events will throw exception.
1903 + try
1904 + {
1905 + surface_map->with_surface_do(e.surface.id,
1906 + [&e](MirSurface* surface)
1907 + {
1908 + surface->handle_event(e);
1909 + });
1910 + }
1911 + catch (std::exception const& x)
1912 + {
1913 + rpc_report->event_parsing_failed(event);
1914 + // Eat this exception as it doesn't affect other events
1915 + }

This looks suspiciously like using exceptions in the normal control path. We're not even logging information from x.

~~~~

2016 + BOOST_THROW_EXCEPTION(std::logic_error("Cannot start another trust session"));

If I read the surrounding code correctly, the client has requested a trust session while the server already has one associated with the client? That doesn't sound like a logic_error (in the Mir code), more like a runtime_error as the client code hasn't acted in the expected manner.

review: Needs Fixing

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-21: Posted in a previous version of this proposal

Moved the relationship information to the trust session, rather than being a property of the session itself.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-24: Posted in a previous version of this proposal

FAILED: Continuous integration, rev:1426
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1152/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/1352/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/1350/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/932/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/884/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/889/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/933/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1152/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-03-26: Posted in a previous version of this proposal

The conflicts are not as numerous as Launchpad reports, but still numerous:
Text conflict in CMakeLists.txt
Text conflict in debian/changelog
Text conflict in include/server/mir/shell/session.h
Text conflict in src/client/CMakeLists.txt
Text conflict in src/client/default_connection_configuration.cpp
Text conflict in src/client/rpc/mir_socket_rpc_channel.cpp
Text conflict in src/server/frontend/default_configuration.cpp
Text conflict in src/server/frontend/session_mediator.cpp
Text conflict in tests/unit-tests/scene/test_application_session.cpp
Text conflict in tests/unit-tests/scene/test_session_manager.cpp
Text conflict in tests/unit-tests/scene/test_surface_impl.cpp
11 conflicts encountered.

review: Needs Fixing

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-03-26: Posted in a previous version of this proposal

Fixed conflicts.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-03-26: Posted in a previous version of this proposal

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1174/rebuild

review: Approve (continuous-integration)

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-03-27: Posted in a previous version of this proposal

(18) Spurious (old) changes to debian/changelog have now crept in.

review: Needs Fixing

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-04-01: Posted in a previous version of this proposal

(19) Conflict:
Text conflict in tests/unit-tests/scene/test_session_manager.cpp
1 conflicts encountered.

review: Needs Fixing

Revision history for this message

Alberto Mardegan (mardy) wrote on 2014-04-01: Posted in a previous version of this proposal

Hi! I was asked to comment on the current approach, so here I am. :-)

I'll first recap what Online Accounts needs on a higher level (see also the description of bug 1230091):

The Online Accounts ("OA" for brevity) D-Bus service responds to client requests, and in response to these requests it's possible that we need to open the Online Accounts UI on top of the client application in a modal way: without blocking its process execution, but preventing it from getting mouse/keyboard input.

While the user is working with the OA window, it may be that we need to start other processes; these are not ordinary applications, but account plugins: there is a single binary which loads different QML UIs depending on the account provider (where provider is "google", "facebook", etc.). Also, the apparmor confinement under which the account plugin process is run depends on the account provider (we want to confine account plugins which come as part of click packages).

Note that different applications can talk to the OA API at the same time, and it's possible that at a certain given moment there are two different client applications involved in two different trust sessions, with two OA windows (each one being modal to one client application) and each one having an account plugin UI opened, which might be the same plugin for both sessions, or a different one.

We currently produce all the OA UIs from a single process (the OA D-Bus service); this bit of implementation can be changed if needed, and we can make so that each OA UI window leaves in a different process. This however would require more IPC and added complexity, and I believe that when Mir/Unity8 will hit the desktop it will anyway have to support the case of a single process creating multiple windows, so I hope that "1 pid = 1 window" won't be a requirement for the trust sessions.

Considering all the above, the API proposed in this branch doesn't seem to provide the functionality we need, since it only accepts PIDs as members of a session.

With no intention of sounding more expert than what I am, I'll quickly describe how my ideal API would look like, while indeed acknowledging that other implementations might exist and be better suited:
- refer to individual windows, not processes or applications
- API to request a window to be placed as modal of another window (possibly created by another process)
- such request might fail if the calling process is confined and has not been authorized
- API to authorize a process (by APP_ID) to set any of its window as modal to a given window
That is, mainly a couple of methods:
void Window::setTransientFor(WindowHandle obscuredWindow);
void Window::allowModalWindowsFromApplication(AppId app);
The first one for actually doing the reparenting work, and the latter to decide who can do that (besides unconfined apps).

Hi! I was asked to comment on the current approach, so here I am. :-)

I'll first recap what Online Accounts needs on a higher level (see also the description of bug 1230091):

Considering all the above, the API proposed in this branch doesn't seem to provide the functionality we need, since it only accepts PIDs as members of a session.

With no intention of sounding more expert than what I am, I'll quickly describe how my ideal API would look like, while indeed acknowledging that other implementations might exist and be better suited:
- refer to individual windows, not processes or applications
- API to request a window to be placed as modal of another window (possibly created by another process)
- such request might fail if the calling process is confined and has not been authorized
- API to authorize a process (by APP_ID) to set any of its window as modal to a given window
That is, mainly a couple of methods:
  void Window::setTransientFor(WindowHandle obscuredWindow);
  void Window::allowModalWindowsFromApplication(AppId app);
The first one for actually doing the reparenting work, and the latter to decide who can do that (besides unconfined apps).

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-04-03: Posted in a previous version of this proposal

Pushing to WIP as Nick's been off and the MP has yet to incorporate the results of various discussions.

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-04-03: Posted in a previous version of this proposal

Download full text (3.5 KiB)

> Hi! I was asked to comment on the current approach, so here I am. :-)
>
> I'll first recap what Online Accounts needs on a higher level (see also the
> description of bug 1230091):
>
> The Online Accounts ("OA" for brevity) D-Bus service responds to client
> requests, and in response to these requests it's possible that we need to open
> the Online Accounts UI on top of the client application in a modal way:
> without blocking its process execution, but preventing it from getting
> mouse/keyboard input.
>
> While the user is working with the OA window, it may be that we need to start
> other processes; these are not ordinary applications, but account plugins:
> there is a single binary which loads different QML UIs depending on the
> account provider (where provider is "google", "facebook", etc.). Also, the
> apparmor confinement under which the account plugin process is run depends on
> the account provider (we want to confine account plugins which come as part of
> click packages).
>
> Note that different applications can talk to the OA API at the same time, and
> it's possible that at a certain given moment there are two different client
> applications involved in two different trust sessions, with two OA windows
> (each one being modal to one client application) and each one having an
> account plugin UI opened, which might be the same plugin for both sessions, or
> a different one.
>
> We currently produce all the OA UIs from a single process (the OA D-Bus
> service); this bit of implementation can be changed if needed, and we can make
> so that each OA UI window leaves in a different process. This however would
> require more IPC and added complexity, and I believe that when Mir/Unity8 will
> hit the desktop it will anyway have to support the case of a single process
> creating multiple windows, so I hope that "1 pid = 1 window" won't be a
> requirement for the trust sessions.
>
> Considering all the above, the API proposed in this branch doesn't seem to
> provide the functionality we need, since it only accepts PIDs as members of a
> session.
>
>
> With no intention of sounding more expert than what I am, I'll quickly
> describe how my ideal API would look like, while indeed acknowledging that
> other implementations might exist and be better suited:
> - refer to individual windows, not processes or applications
> - API to request a window to be placed as modal of another window (possibly
> created by another process)
> - such request might fail if the calling process is confined and has not been
> authorized
> - API to authorize a process (by APP_ID) to set any of its window as modal to
> a given window
> That is, mainly a couple of methods:
> void Window::setTransientFor(WindowHandle obscuredWindow);
> void Window::allowModalWindowsFromApplication(AppId app);
> The first one for actually doing the reparenting work, and the latter to
> decide who can do that (besides unconfined apps).

> Hi! I was asked to comment on the current approach, so here I am. :-)
> 
> I'll first recap what Online Accounts needs on a higher level (see also the
> description of bug 1230091):
> 
> The Online Accounts ("OA" for brevity) D-Bus service responds to client
> requests, and in response to these requests it's possible that we need to open
> the Online Accounts UI on top of the client application in a modal way:
> without blocking its process execution, but preventing it from getting
> mouse/keyboard input.
> 
> While the user is working with the OA window, it may be that we need to start
> other processes; these are not ordinary applications, but account plugins:
> there is a single binary which loads different QML UIs depending on the
> account provider (where provider is "google", "facebook", etc.). Also, the
> apparmor confinement under which the account plugin process is run depends on
> the account provider (we want to confine account plugins which come as part of
> click packages).
> 
> Note that different applications can talk to the OA API at the same time, and
> it's possible that at a certain given moment there are two different client
> applications involved in two different trust sessions, with two OA windows
> (each one being modal to one client application) and each one having an
> account plugin UI opened, which might be the same plugin for both sessions, or
> a different one.
> 
> We currently produce all the OA UIs from a single process (the OA D-Bus
> service); this bit of implementation can be changed if needed, and we can make
> so that each OA UI window leaves in a different process. This however would
> require more IPC and added complexity, and I believe that when Mir/Unity8 will
> hit the desktop it will anyway have to support the case of a single process
> creating multiple windows, so I hope that "1 pid = 1 window" won't be a
> requirement for the trust sessions.
> 
> Considering all the above, the API proposed in this branch doesn't seem to
> provide the functionality we need, since it only accepts PIDs as members of a
> session.
> 
> 
> With no intention of sounding more expert than what I am, I'll quickly
> describe how my ideal API would look like, while indeed acknowledging that
> other implementations might exist and be better suited:
> - refer to individual windows, not processes or applications
> - API to request a window to be placed as modal of another window (possibly
> created by another process)
> - such request might fail if the calling process is confined and has not been
> authorized
> - API to authorize a process (by APP_ID) to set any of its window as modal to
> a given window
> That is, mainly a couple of methods:
>   void Window::setTransientFor(WindowHandle obscuredWindow);
>   void Window::allowModalWindowsFromApplication(AppId app);
> The first one for actually doing the reparenting work, and the latter to
> decide who can do that (besides unconfined apps).

As far as I'm aware, we're not doing any Qt API for trust sessions. This will be dealt with by dedicated trusted helpers which use the mir API directly.
[At the moment,] a trusted helper starts a trust session between 2 or more sessions. This list of applications is essentially an "sessions modality" list.
ie.
If trust session children = [app1, app2, app3]
then: sessions will be stacked in order of "last is top"

I'm working on putting session name in the works, but at the moment the qpa does not use this property in any useful manner. (all Qt sourced mir sessions are named "QtUbuntu")

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-04-17: Posted in a previous version of this proposal

Maybe quite a few changes.

1) The mir_trust_session_add_trusted_session should now be called after a mir_trust_session_start. Allows trusted helpers to dynamically add sessions to the trust session. This is more for phase 2.

use case:
Gallery -> ContentHub -> Facebook/Flickr/Twitter
   a) user starts gallery
   a.1) user view: gallery app pops up
   b) user selects picture and clicks "share"
   c) content hub creates destination picker
   c.1) user view: destination picker surface pops up
   d) user selects Facebook
   d.1) user view: Facebook pops up.

While it's possible for the trust session to know about the content hub + gallery, it doesn't know the user will select facebook when it starts.

2) I've separated out the trust session notifications from the SessionListener into it's own TrustSessionListener.

3) Added a trust session container, which has bidirectional mapping between process ids and TrustSessions. This allows quick lookup when we need to add/remove sessions from a trust session.
3.1) mir::Session now has no links to trust session/trusted helper.

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-04-23: Posted in a previous version of this proposal

Looking at the client API:

MirTrustSession* mir_connection_create_trust_session(MirConnection* connection);

I would expect "create_trust_session" to take parameters (such as the event callback) and create the server-side trust session (which would implicitly make it an async call).

AIUI this just creates a client-side object that still needs to be initialized before the server-side trust session is created using "mir_trust_session_start".

Is there any reason to separate out these create/set_event_callback/start calls?

~~~~

mir_trust_session_add_trusted_session

This is an async call - so presumably it is expected to be invoked after the trust session is started?

Does that imply a round trip for each pid added to the trust session? If so would it be better to accept a list of pids?

Can it be called on a created (but not started) trust session?

~~~~

Is there a missing mir_trust_session_remove_trusted_session() for revoking trust?

~~~~

mir_trust_session_set_event_callback

The only state changes appear to be "start" and "stop" - which are under the control of the client. So does this do any more than duplicate the functionality of the WaitHandles returned by the start/stop functions?

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-04-23: Posted in a previous version of this proposal

std::shared_ptr<TrustSession> Shell::start_trust_session_for(std::string& error,
std::shared_ptr<Session> const& session,
shell::TrustSessionCreationParameters const& params) = 0;

This "error" parameter is not an idiomatic way to handle failure. Simply throwing an exception derived from std::exception that returns the error in what() will result in invoke<>() setting the error.

review: Needs Fixing

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-04-23: Posted in a previous version of this proposal

bool shell::TrustSession::add_trusted_child(std::shared_ptr<shell::Session> const& session) = 0;

I'm not convinced that TrustSession *owns* Session is the correct model. It means that if a client disconnects while in a trust session the Mir Session remains alive. Which is confusing at best.

I note that in practice scene::TrustSession only keeps weak_ptr<Session> which is a better reflection of the relationship. However, I still think that the relationship between TrustSession and Session better modeled as an association than as attributes.

review: Needs Fixing

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-04-23: Posted in a previous version of this proposal

In TrustSession::add_trusted_child() there's a call "session->begin_trust_session();" which will send a mir_event_type_trust_session_state_change to the "child" process.

But AIUI the child isn't the "helper" process that created the trust session and can't have registered a mir_trust_session_event_callback (which needs a trust session).

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-04-23: Posted in a previous version of this proposal

+class TrustSession
+{
+public:
+ virtual ~TrustSession() = default;
+
+ virtual void for_each_trusted_client_process(std::function<void(pid_t pid)> f, bool reverse) const = 0;

I don't see what this function is for. It isn't used. Which is just as well because the implementation is useless:

+void ms::TrustSession::for_each_trusted_client_process(std::function<void(pid_t pid)>, bool) const
+{
+}

review: Needs Fixing

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-04-23: Posted in a previous version of this proposal

+class TrustSessionListener
+{
+public:
+ virtual void starting(std::shared_ptr<TrustSession> const& trust_session) = 0;
+ virtual void stopping(std::shared_ptr<TrustSession> const& trust_session) = 0;
+
+ virtual void trusted_session_beginning(TrustSession& trust_session, std::shared_ptr<Session> const& session) = 0;
+ virtual void trusted_session_ending(TrustSession& trust_session, std::shared_ptr<Session> const& session) = 0;

The listener shouldn't be given any ownership of the referenced objects. So the prototypes should be:

virtual void starting(TrustSession const& trust_session) = 0;
virtual void stopping(TrustSession const& trust_session) = 0;

virtual void trusted_session_beginning(TrustSession& trust_session, Session const& session) = 0;
virtual void trusted_session_ending(TrustSession& trust_session, Session const& session) = 0;

review: Needs Fixing

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-04-25: Posted in a previous version of this proposal

> Looking at the client API:
>
> MirTrustSession* mir_connection_create_trust_session(MirConnection*
> connection);
>
> I would expect "create_trust_session" to take parameters (such as the event
> callback) and create the server-side trust session (which would implicitly
> make it an async call).
>
> AIUI this just creates a client-side object that still needs to be initialized
> before the server-side trust session is created using
> "mir_trust_session_start".
>
> Is there any reason to separate out these create/set_event_callback/start
> calls?

I guess not anymore. Previously it would be possible to start and stop trust sessions multiple times; but I think with the "post-start" adding of participants, it's no longer a possibility.
I've merged all of these into a mir_connection_start_trust_session which async returns a MirTrustSession.
Not sure if the stop/release should be separate now. Left as is for now.

>
> ~~~~
>
> mir_trust_session_add_trusted_session
>
> This is an async call - so presumably it is expected to be invoked after the
> trust session is started?
>
> Does that imply a round trip for each pid added to the trust session? If so
> would it be better to accept a list of pids?
>
> Can it be called on a created (but not started) trust session?
>

It does have a round trip, but as I don't think it's an issue. We call the start_trust_session with the pid of the "source" participant (whatever is "using" the trust helper. eg. gallery application). From there, thinking about the flow, we would be layering the trust as the user makes decisions (eg. content hub "share with google+", then online accounts "log in to google+"). So practically speaking we only do one layer of trust at a time.

> ~~~~
>
> Is there a missing mir_trust_session_remove_trusted_session() for revoking
> trust?

Closing a session will remove it from the server trust session, but I'm not sure about the helper explicitly removing it. For the moment at least, I think we can do without it.

>
> ~~~~
>
> mir_trust_session_set_event_callback
>
> The only state changes appear to be "start" and "stop" - which are under the
> control of the client. So does this do any more than duplicate the
> functionality of the WaitHandles returned by the start/stop functions?

The server can also stop an active trust session (if the application closes, we don't want it hanging around). Also, for first iteration, we want to stop the trust session when switching away from the app.
So we need the helper to get a notification of this.

> Looking at the client API:
> 
>     MirTrustSession* mir_connection_create_trust_session(MirConnection*
> connection);
> 
> I would expect "create_trust_session" to take parameters (such as the event
> callback) and create the server-side trust session (which would implicitly
> make it an async call).
> 
> AIUI this just creates a client-side object that still needs to be initialized
> before the server-side trust session is created using
> "mir_trust_session_start".
> 
> Is there any reason to separate out these create/set_event_callback/start
> calls?

> 
> ~~~~
> 
> mir_trust_session_add_trusted_session
> 
> This is an async call - so presumably it is expected to be invoked after the
> trust session is started?
> 
> Does that imply a round trip for each pid added to the trust session? If so
> would it be better to accept a list of pids?
> 
> Can it be called on a created (but not started) trust session?
>

> ~~~~
> 
> Is there a missing mir_trust_session_remove_trusted_session() for revoking
> trust?

Closing a session will remove it from the server trust session, but I'm not sure about the helper explicitly removing it. For the moment at least, I think we can do without it.

> 
> ~~~~
> 
> mir_trust_session_set_event_callback
> 
> The only state changes appear to be "start" and "stop" - which are under the
> control of the client. So does this do any more than duplicate the
> functionality of the WaitHandles returned by the start/stop functions?

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-04-25: Posted in a previous version of this proposal

> std::shared_ptr<TrustSession> Shell::start_trust_session_for(std::string&
> error,
> std::shared_ptr<Session> const& session,
> shell::TrustSessionCreationParameters const& params) = 0;
>
> This "error" parameter is not an idiomatic way to handle failure. Simply
> throwing an exception derived from std::exception that returns the error in
> what() will result in invoke<>() setting the error.

Thanks, didn't know that.
Removed error parameter from interface.

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-04-25: Posted in a previous version of this proposal

> In TrustSession::add_trusted_child() there's a call
> "session->begin_trust_session();" which will send a
> mir_event_type_trust_session_state_change to the "child" process.
>
> But AIUI the child isn't the "helper" process that created the trust session
> and can't have registered a mir_trust_session_event_callback (which needs a
> trust session).

Right. this was so that the participants could be informed that a trust session has been started with them; if they need to do anything fancy. But at the moment, I don't think there's a client API for applying for general distributor events (only trust session & surface events I think), so I've removed the event send from the participants, but left it on the helper.

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-04-25: Posted in a previous version of this proposal

> +class TrustSession
> +{
> +public:
> + virtual ~TrustSession() = default;
> +
> + virtual void for_each_trusted_client_process(std::function<void(pid_t
> pid)> f, bool reverse) const = 0;
>
> I don't see what this function is for. It isn't used. Which is just as well
> because the implementation is useless:
>
> +void
> ms::TrustSession::for_each_trusted_client_process(std::function<void(pid_t
> pid)>, bool) const
> +{
> +}

old code from before the process<->trust_session bi-directional map.
removed.

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-04-25: Posted in a previous version of this proposal

> +class TrustSessionListener
> +{
> +public:
> + virtual void starting(std::shared_ptr<TrustSession> const& trust_session)
> = 0;
> + virtual void stopping(std::shared_ptr<TrustSession> const& trust_session)
> = 0;
> +
> + virtual void trusted_session_beginning(TrustSession& trust_session,
> std::shared_ptr<Session> const& session) = 0;
> + virtual void trusted_session_ending(TrustSession& trust_session,
> std::shared_ptr<Session> const& session) = 0;
>
> The listener shouldn't be given any ownership of the referenced objects. So
> the prototypes should be:
>
> virtual void starting(TrustSession const& trust_session) = 0;
> virtual void stopping(TrustSession const& trust_session) = 0;
>
> virtual void trusted_session_beginning(TrustSession& trust_session,
> Session const& session) = 0;
> virtual void trusted_session_ending(TrustSession& trust_session, Session
> const& session) = 0;

changed.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-05-09:

FAILED: Continuous integration, rev:1447
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~nick-dedekind/mir/trusted_sessions/+merge/218975/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1580/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/129/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/130/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/130/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/99/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/97/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/281/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1580/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-05-09:

http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1581/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/131/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/132/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/132/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/100/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/98/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/284/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1581/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2014-05-12:

Just a quick note - We're dealing with a bunch of regressions in Mir 0.2.0 and already have a large set of changes arriving in that release. I think we should solidify and resolve Mir 0.2.0 before considering landing any more very large changes like this.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-05-13:

FAILED: Continuous integration, rev:1451
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~nick-dedekind/mir/trusted_sessions/+merge/218975/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1608/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/168/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/169/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/169/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/127/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/125/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/396/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1608/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-05-13:

After fixing the (trivial) conflict in src/client/CMakeLists.txt there are test failures:

[ RUN ] SessionMediatorTest.client_socket_fd_calls_connector_client_socket_fd
unknown file: Failure
C++ exception with description "Invalid trust session" thrown in the test body.
/home/alan/display_server/development-branch/tests/unit-tests/frontend/test_session_mediator.cpp:733: Failure
Actual function call count doesn't match EXPECT_CALL(connector, client_socket_fd(_))...
         Expected: to be called once
           Actual: never called - unsatisfied and active
[ FAILED ] SessionMediatorTest.client_socket_fd_calls_connector_client_socket_fd (0 ms)
[ RUN ] SessionMediatorTest.client_socket_fd_allocates_requested_number_of_fds
unknown file: Failure
C++ exception with description "Invalid trust session" thrown in the test body.
/home/alan/display_server/development-branch/tests/unit-tests/frontend/test_session_mediator.cpp:758: Failure
Actual function call count doesn't match EXPECT_CALL(connector, client_socket_fd(_))...
         Expected: to be called 11 times
           Actual: never called - unsatisfied and active
[ FAILED ] SessionMediatorTest.client_socket_fd_allocates_requested_number_of_fds (0 ms)

~~~~

[ RUN ] TrustSessionHelper.gets_fds_for_trusted_clients
/home/alan/display_server/development-branch/tests/acceptance-tests/test_trust_session_helper.cpp:90: Failure
Value of: actual_fd_count
Expected: is equal to 3
Actual: 0 (of type unsigned long)
[ FAILED ] TrustSessionHelper.gets_fds_for_trusted_clients (12 ms)

review: Needs Fixing

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-05-14:

Fixed tests.
Due to IRC discussion about shell being able to track trust sessions through listeners,
I've reverted changes to the listener object ownership passing (using shared_ptrs).

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-05-14:

FAILED: Continuous integration, rev:1454
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~nick-dedekind/mir/trusted_sessions/+merge/218975/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1620/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/185
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/186/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/186/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/139/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/138/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/457/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1620/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-05-14:

FAILED: Continuous integration, rev:1455
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~nick-dedekind/mir/trusted_sessions/+merge/218975/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1621/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/186/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/187/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/187/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/140/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/139/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/461/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1621/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-05-15:

Out of step with latest landings. :(

Text conflict in src/server/frontend/session_mediator.cpp
1 conflicts encountered.

I pretty trivial - I fixed it like this:

std::function<void(std::shared_ptr<mf::Session> const&)> mf::SessionMediator::trusted_connect_handler() const
{
    return [this](std::shared_ptr<frontend::Session> const& session)
        {
            auto trust_session = weak_trust_session.lock();
            if (trust_session.get() == nullptr)
                BOOST_THROW_EXCEPTION(std::logic_error("Invalid trust session"));

shell->add_trusted_session_for(trust_session, session->process_id());
};
}

review: Needs Fixing

Revision history for this message

Nick Dedekind (nick-dedekind) wrote on 2014-05-15:

> Out of step with latest landings. :(
>
> Text conflict in src/server/frontend/session_mediator.cpp
> 1 conflicts encountered.
>
> I pretty trivial - I fixed it like this:
>
> std::function<void(std::shared_ptr<mf::Session> const&)>
> mf::SessionMediator::trusted_connect_handler() const
> {
> return [this](std::shared_ptr<frontend::Session> const& session)
> {
> auto trust_session = weak_trust_session.lock();
> if (trust_session.get() == nullptr)
> BOOST_THROW_EXCEPTION(std::logic_error("Invalid trust
> session"));
>
> shell->add_trusted_session_for(trust_session,
> session->process_id());
> };
> }

Thanks. Fixed.

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-05-15:

Download full text (5.4 KiB)

Just some quick notes:

I know this was first proposed months ago - but was it really written last year? And not changed this year?

~~~~

+TEST_F(MirClientTrustSessionAPITest, client_trust_session_api)
+{
+ struct ClientConfig : ClientConfigCommon
+ {
+ void exec()
+ {
+ mir_wait_for(mir_connect(mir_test_socket, __PRETTY_FUNCTION__, connection_callback, this));
+
+ ASSERT_TRUE(connection != NULL);
+ EXPECT_TRUE(mir_connection_is_valid(connection));
+ EXPECT_STREQ("", mir_connection_get_error_message(connection));
+
+ mir_wait_for(mir_connection_start_trust_session(connection, __LINE__, trust_session_start_callback, NULL, this));
+ ASSERT_TRUE(trust_session != NULL);
+ EXPECT_EQ(started, 1);
+
+ mir_wait_for(mir_trust_session_stop(trust_session, trust_session_stop_callback, this));
+ EXPECT_EQ(stopped, 1);
+
+ mir_connection_release(connection);
+ }
+ } client_config;
+
+ launch_client_process(client_config);
+}

This test has an unclear name and asserts things that are unrelated to the purpose of the test. It would also be simpler using InProcessServer as its basis, not DefaultDisplayServerTestFixture (side note: that name has become misleading.) It is also overcomplicated in its use of management of connection. It should look like:

TEST_F(TrustSessionClientAPI, can_start_and_stop_a_trust_session)
{
    mir_wait_for(mir_connection_start_trust_session(connection, arbitrarty_base_session_pid, trust_session_start_callback, null_event_callback, this));
    ASSERT_THAT(trust_session, Ne(NULL));
    EXPECT_THAT(started, Eq(1));

mir_wait_for(mir_trust_session_stop(trust_session, trust_session_stop_callback, this));
EXPECT_THAT(stopped, Eq(1));
}

~~~~

+struct TrustSession : public testing::Test
+{
+ TrustSession()
+ {
+ }
+
+ testing::NiceMock<mtd::MockTrustSessionListener> trust_session_listener;
+ testing::NiceMock<mtd::MockSceneSession> trusted_helper;
+ testing::NiceMock<mtd::MockSceneSession> trusted_app1;
+ testing::NiceMock<mtd::MockSceneSession> trusted_app2;

NiceMock is inappropriate as these are the interactions under test.

+};
+}
+
+TEST_F(TrustSession, start_and_stop)

the name doesn't reflect what the test is about. There is no mention of adding and removing apps.

+{
+ using namespace testing;
+
+ auto shared_helper = mt::fake_shared(trusted_helper);
+ std::shared_ptr<ms::Session> shared_app1 = mt::fake_shared(trusted_app1);
+ std::shared_ptr<ms::Session> shared_app2 = mt::fake_shared(trusted_app2);
+
+ ms::TrustSessionImpl trust_session(shared_helper,
+ ms::a_trust_session(),
+ mt::fake_shared(trust_session_listener));

All the above initialization could be in the fixture

Just some quick notes:

I know this was first proposed months ago - but was it really written last year? And not changed this year?

~~~~

+TEST_F(MirClientTrustSessionAPITest, client_trust_session_api)
+{
+    struct ClientConfig : ClientConfigCommon
+    {
+        void exec()
+        {
+            mir_wait_for(mir_connect(mir_test_socket, __PRETTY_FUNCTION__, connection_callback, this));
+
+            ASSERT_TRUE(connection != NULL);
+            EXPECT_TRUE(mir_connection_is_valid(connection));
+            EXPECT_STREQ("", mir_connection_get_error_message(connection));
+
+            mir_wait_for(mir_connection_start_trust_session(connection, __LINE__, trust_session_start_callback, NULL, this));
+            ASSERT_TRUE(trust_session != NULL);
+            EXPECT_EQ(started, 1);
+
+            mir_wait_for(mir_trust_session_stop(trust_session, trust_session_stop_callback, this));
+            EXPECT_EQ(stopped, 1);
+
+            mir_connection_release(connection);
+        }
+    } client_config;
+
+    launch_client_process(client_config);
+}

mir_wait_for(mir_trust_session_stop(trust_session, trust_session_stop_callback, this));
    EXPECT_THAT(stopped, Eq(1));
}

~~~~

+struct TrustSession : public testing::Test
+{
+    TrustSession()
+    {
+    }
+
+    testing::NiceMock<mtd::MockTrustSessionListener> trust_session_listener;
+    testing::NiceMock<mtd::MockSceneSession> trusted_helper;
+    testing::NiceMock<mtd::MockSceneSession> trusted_app1;
+    testing::NiceMock<mtd::MockSceneSession> trusted_app2;

NiceMock is inappropriate as these are the interactions under test.

+};
+}
+
+TEST_F(TrustSession, start_and_stop)

the name doesn't reflect what the test is about. There is no mention of adding and removing apps.

+{
+    using namespace testing;
+
+    auto shared_helper = mt::fake_shared(trusted_helper);
+    std::shared_ptr<ms::Session> shared_app1 = mt::fake_shared(trusted_app1);
+    std::shared_ptr<ms::Session> shared_app2 = mt::fake_shared(trusted_app2);
+
+    ms::TrustSessionImpl trust_session(shared_helper,
+                                   ms::a_trust_session(),
+                                   mt::fake_shared(trust_session_listener));

All the above initialization could be in the fixture

+    EXPECT_CALL(trusted_helper, begin_trust_session()).Times(1);
+    EXPECT_CALL(trusted_helper, end_trust_session()).Times(1);
+
+    EXPECT_CALL(trusted_app1, begin_trust_session()).Times(0);
+    EXPECT_CALL(trusted_app1, end_trust_session()).Times(0);
+
+    EXPECT_CALL(trusted_app2, begin_trust_session()).Times(0);
+    EXPECT_CALL(trusted_app2, end_trust_session()).Times(0);

These Times(0) are only relevant because of NiceMock

+    EXPECT_CALL(trust_session_listener, trusted_session_beginning(_, shared_app1)).Times(1);
+    EXPECT_CALL(trust_session_listener, trusted_session_beginning(_, shared_app2)).Times(1);
+
+    EXPECT_CALL(trust_session_listener, trusted_session_ending(_, shared_app1)).Times(1);
+    EXPECT_CALL(trust_session_listener, trusted_session_ending(_, shared_app2)).Times(1);
+
+    trust_session.start();
+    trust_session.add_trusted_child(shared_app1);
+    trust_session.add_trusted_child(shared_app2);
+    trust_session.stop();
+}

Really the test is:

TEST_F(TrustSession, trusted_child_apps_get_start_and_stop_notifications)
{
    EXPECT_CALL(trust_session_listener, trusted_session_beginning(_, shared_app1)).Times(1);
    EXPECT_CALL(trust_session_listener, trusted_session_beginning(_, shared_app2)).Times(1);

EXPECT_CALL(trust_session_listener, trusted_session_ending(_, shared_app1)).Times(1);
    EXPECT_CALL(trust_session_listener, trusted_session_ending(_, shared_app2)).Times(1);

trust_session.add_trusted_child(shared_app1);
    trust_session.add_trusted_child(shared_app2);
}

And the fixture:

struct TrustSession : public testing::Test
{
    testing::NiceMock<mtd::MockTrustSessionListener> trust_session_listener;
    mtd::MockSceneSession trusted_helper;
    mtd::MockSceneSession trusted_app1;
    mtd::MockSceneSession trusted_app2;

std::shared_ptr<ms::Session> shared_helper = mt::fake_shared(trusted_helper);
    std::shared_ptr<ms::Session> shared_app1 = mt::fake_shared(trusted_app1);
    std::shared_ptr<ms::Session> shared_app2 = mt::fake_shared(trusted_app2);

ms::TrustSessionImpl trust_session{shared_helper,
                                   ms::a_trust_session(),
                                   mt::fake_shared(trust_session_listener)};

void SetUp()
    {
        InSequence seq;
        EXPECT_CALL(trusted_helper, begin_trust_session()).Times(1);
        EXPECT_CALL(trusted_helper, end_trust_session()).Times(1);

trust_session.start();
    }

void TearDown()
    {
        trust_session.stop();
    }
};

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-05-15:

FAILED: Continuous integration, rev:1456
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~nick-dedekind/mir/trusted_sessions/+merge/218975/+edit-commit-message

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1634/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-05-16:

4082 === added file 'tests/unit-tests/graphics/mesa/test_drm_helper.cpp.moved'

review: Needs Fixing

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2014-05-16:

Setting to WIP as shifting focus to lp:~mir-team/mir/trusted_sessions

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Emanuele Antonio Faraone

Gerry Boland

Mir development team

Nick Dedekind

 === modified file 'examples/CMakeLists.txt'
 --- examples/CMakeLists.txt	2014-05-05 03:36:45 +0000
 +++ examples/CMakeLists.txt	2014-05-15 13:19:23 +0000
@@ -92,6 +92,9 @@
+ )
++add_executable(mir_demo_client_trust_session trust_session.c)
++target_link_libraries(mir_demo_client_trust_session mirclient)
++
  add_library(mirdraw STATIC graphics_utils.cpp)
  target_link_libraries(mirdraw ${GLESv2_LIBRARIES})
@@ -143,7 +146,7 @@
    server_configuration.cpp
+ )
--target_link_libraries(mir_demo_standalone_input_filter
++target_link_libraries(mir_demo_standalone_input_filter
    mirserver
+ )
@@ -158,8 +161,9 @@
    mir_demo_client_multiwin
    mir_demo_client_display_config
    mir_demo_client_progressbar
++  mir_demo_client_trust_session
    mir_demo_standalone_input_filter
--  mir_demo_standalone_render_to_fb
++  mir_demo_standalone_render_to_fb
    mir_demo_standalone_render_surfaces
+ )
 === modified file 'examples/demo-inprocess-surface-client/inprocess_egl_client.cpp'
 --- examples/demo-inprocess-surface-client/inprocess_egl_client.cpp	2014-04-15 05:31:19 +0000
 +++ examples/demo-inprocess-surface-client/inprocess_egl_client.cpp	2014-05-15 13:19:23 +0000
@@ -102,7 +102,7 @@
      auto input_platform = mircv::InputPlatform::create();
      input_thread = input_platform->create_input_thread(
--        surface->client_input_fd(),
++        surface->client_input_fd(),
              std::bind(std::mem_fn(&me::InprocessEGLClient::handle_event), this, std::placeholders::_1));
      input_thread->start();
 === added file 'examples/trust_session.c'
 --- examples/trust_session.c	1970-01-01 00:00:00 +0000
 +++ examples/trust_session.c	2014-05-15 13:19:23 +0000
@@ -0,0 +1,249 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Nick Dedekind <nick.dedekind <nick.dedekind@canonical.com>
++ */
++
++#define _POSIX_SOURCE
++
++#include "mir_toolkit/mir_client_library.h"
++#include "mir_toolkit/mir_trust_session.h"
++
++#include <assert.h>
++#include <string.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <unistd.h>
++#include <errno.h>
++#include <sys/wait.h>
++#include <sys/types.h>
++#include <signal.h>
++
++///\page trust_session.c trust_session.c: A mir client which starts a trust session and trusted client app.
++/// mir_demo_client_trust_session shows the use of mir trust session API.
++/// This program opens a mir connection and creates a trust session.
++///\section trusted_helper trusted_helper()
++/// Opens a mir connection and creates a trust session
++/// before closing the trust session and connection.
++///\section trust_session_app trust_session_app()
++/// Opens a mir connection and creates a surface
++/// before releasing the surface and closing the connection.
++///\example trust_session.c A mir client demonstrating trust sessions.
++///\section MirDemoState MirDemoState
++/// The handles needs to be accessible both to callbacks and to the control function.
++///\snippet trust_session.c MirDemoState_tag
++///\section Callbacks Callbacks
++///\snippet trust_session.c Callback_tag
++/// This program creates two processes, both opening a mir connection, one starting
++/// a trust session with the other process.
++
++///\internal [MirDemoState_tag]
++// Utility structure for the state of a single session.
++typedef struct MirDemoState
++{
++    MirConnection *connection;
++    MirSurface *surface;
++    MirTrustSession *trust_session;
++    pid_t  child_pid;
++} MirDemoState;
++///\internal [MirDemoState_tag]
++
++
++///\internal [Callback_tag]
++// Callback to update MirDemoState on trust_session_event
++static void trust_session_event_callback(MirTrustSession* trust_session,
++                                         MirTrustSessionState state,
++                                         void* context)
++{
++    (void)trust_session;
++    MirDemoState* demo_state = (MirDemoState*)context;
++
++    printf("Trust Session state updated to %d\n", state);
++    if (state == mir_trust_session_state_stopped)
++    {
++        kill(demo_state->child_pid, SIGINT);
++    }
++}
++///\internal [Callback_tag]
++
++void start_session(const char* server, const char* name, MirDemoState* mcd)
++{
++    // Call mir_connect synchronously
++    mcd->connection = mir_connect_sync(server, name);
++
++    // We expect a connection handle;
++    // we expect it to be valid; and,
++    // we don't expect an error description
++    assert(mcd->connection != NULL);
++    assert(mir_connection_is_valid(mcd->connection));
++    assert(strcmp(mir_connection_get_error_message(mcd->connection), "") == 0);
++    printf("%s: Connected\n", name);
++
++    // We can query information about the platform we're running on
++    {
++        MirPlatformPackage platform_package;
++        platform_package.data_items = -1;
++        platform_package.fd_items = -1;
++
++        mir_connection_get_platform(mcd->connection, &platform_package);
++        assert(0 <= platform_package.data_items);
++        assert(0 <= platform_package.fd_items);
++    }
++}
++
++void stop_session(MirDemoState* mcd, const char* name)
++{
++    if (mcd->trust_session)
++    {
++        mir_trust_session_release(mcd->trust_session);
++        mcd->trust_session = 0;
++        printf("%s: Trust session released \n", name);
++    }
++
++    if (mcd->surface)
++    {
++        // We should release our surface
++        mir_surface_release_sync(mcd->surface);
++        mcd->surface = 0;
++        printf("%s: Surface released\n", name);
++    }
++
++    // We should release our connection
++    mir_connection_release(mcd->connection);
++    printf("%s: Connection released\n", name);
++}
++
++void trusted_helper(const char* server, pid_t child_pid)
++{
++    MirDemoState mcd;
++    mcd.connection = 0;
++    mcd.surface = 0;
++    mcd.trust_session = 0;
++    mcd.child_pid = child_pid;
++    start_session(server, "trusted_helper", &mcd);
++
++    // We create a trust session
++    mcd.trust_session = mir_connection_start_trust_session_sync(mcd.connection, getpid(), trust_session_event_callback, &mcd);
++    assert(mcd.trust_session != NULL);
++
++    assert(mir_trust_session_get_state(mcd.trust_session) == mir_trust_session_state_started);
++    puts("trusted_helper: Started trust session");
++
++    MirTrustSessionAddTrustResult add_result = mir_trust_session_add_trusted_session_sync(mcd.trust_session, child_pid);
++    assert(add_result == mir_trust_session_add_tust_succeeded);
++    printf("trusted_helper: added trusted session pid: %d\n", child_pid);
++
++    int status;
++    printf("trusted_helper: waiting on child app: %d\n", child_pid);
++    waitpid(child_pid, &status, 0);
++
++    if (mir_trust_session_get_state(mcd.trust_session) == mir_trust_session_state_started)
++    {
++        mir_trust_session_stop_sync(mcd.trust_session);
++        assert(mir_trust_session_get_state(mcd.trust_session) == mir_trust_session_state_stopped);
++        puts("trusted_helper: Stopped trust session");
++    }
++    else
++    {
++        puts("trusted_helper: Trusted session stoped by server");
++    }
++    puts("trusted_helper: Done");
++
++    stop_session(&mcd, "trusted_helper");
++}
++
++void trust_session_app(const char* server)
++{
++    MirDemoState mcd;
++    mcd.connection = 0;
++    mcd.surface = 0;
++    mcd.trust_session = 0;
++    start_session(server, "trust_session_app", &mcd);
++
++    // Identify a supported pixel format
++    MirPixelFormat pixel_format;
++    unsigned int valid_formats;
++    mir_connection_get_available_surface_formats(mcd.connection, &pixel_format, 1, &valid_formats);
++    MirSurfaceParameters const request_params =
++        {__PRETTY_FUNCTION__, 640, 480, pixel_format,
++         mir_buffer_usage_hardware, mir_display_output_id_invalid};
++
++    // ...we create a surface using that format and wait for callback to complete.
++    mcd.surface = mir_connection_create_surface_sync(mcd.connection, &request_params);
++
++    // We expect a surface handle;
++    // we expect it to be valid; and,
++    // we don't expect an error description
++    assert(mcd.surface != NULL);
++    assert(mir_surface_is_valid(mcd.surface));
++    assert(strcmp(mir_surface_get_error_message(mcd.surface), "") == 0);
++    puts("trust_session_app: Surface created");
++
++    puts("trust_session_app: Press any key to exit");
++    // Wait for stdin
++    getchar();
++    puts("trust_session_app: Done");
++
++    stop_session(&mcd, "trust_session_app");
++}
++
++// The main() function deals with parsing arguments and defaults
++int main(int argc, char* argv[])
++{
++    // Some variables for holding command line options
++    char const *server = NULL;
++
++    // Parse the command line
++    {
++        int arg;
++        opterr = 0;
++        while ((arg = getopt (argc, argv, "c:hm:")) != -1)
++        {
++            switch (arg)
++            {
++            case 'm':
++                server = optarg;
++                break;
++
++            case '?':
++            case 'h':
++            default:
++                puts(argv[0]);
++                puts("Usage:");
++                puts("    -m <Mir server socket>");
++                puts("    -h: this help text");
++                return -1;
++            }
++        }
++    }
++
++    // Start a new process.
++    // This simulates the helper starting a new application which it adds to the trusted session.
++    pid_t pid = fork();
++
++    if (pid == 0)
++    {
++        sleep(1);
++        trust_session_app(server);
++    }
++    else if (pid > 0)
++    {
++        printf("trusted_helper: pid:%d , child:%d\n", getpid(), pid);
++        trusted_helper(server, pid);
++    }
++
++    return 0;
++}
 === added file 'include/client/mir_toolkit/mir_trust_session.h'
 --- include/client/mir_toolkit/mir_trust_session.h	1970-01-01 00:00:00 +0000
 +++ include/client/mir_toolkit/mir_trust_session.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,119 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef MIR_TOOLKIT_MIR_TRUST_SESSION_H_
++#define MIR_TOOLKIT_MIR_TRUST_SESSION_H_
++
++#include "mir_toolkit/mir_client_library.h"
++
++#include <sys/types.h>
++
++#ifdef __cplusplus
++/**
++ * \addtogroup mir_toolkit
++ * @{
++ */
++extern "C" {
++#endif
++
++/**
++ * Create an new trust session
++ *   \param [in] connection        The connection
++ *   \param [in] base_session_pid  The process id of the initiating application
++ *   \param [in] start_callback    Callback function to be invoked when request
++ *                                 completes
++ *   \param [in] start_callback    The function to be called when the trust session event occurs
++ *   \param [in,out] context       User data passed to the callback functions
++ *   \return                       A handle that can be passed to mir_wait_for
++ */
++MirWaitHandle *mir_connection_start_trust_session(MirConnection* connection,
++    pid_t base_session_pid,
++    mir_trust_session_callback start_callback,
++    mir_trust_session_event_callback event_callback,
++    void* context);
++
++/**
++ * Create an new trust session
++ *   \param [in] connection  The connection
++ *   \param [in] base_session_pid The process id of the initiating application
++ *   \param [in] callback         Callback function to be invoked when request
++ *                                completes
++ *   \param [in,out] context      User data passed to the callback function
++ *   \param [in] callback         The function to be called when the trust session event occurs
++ *   \return                      A handle that can be passed to mir_wait_for
++ */
++MirTrustSession *mir_connection_start_trust_session_sync(MirConnection* connection,
++    pid_t base_session_pid,
++    mir_trust_session_event_callback event_callback,
++    void* context);
++
++/**
++ * Add a process id to the trust session relationship
++ *   \param [in] trust_session  The trust session
++ *   \param [in] session_pid    The process id of the application to add
++ *   \param [in] callback       Callback function to be invoked when request
++ *                              completes
++ *   \return                    A MirTrustSessionAddTrustResult result of the call
++ */
++MirWaitHandle *mir_trust_session_add_trusted_session(MirTrustSession *trust_session,
++    pid_t session_pid,
++    mir_trust_session_add_trusted_session_callback callback,
++    void* context);
++
++/**
++ * Perform a mir_trust_session_add_trusted_pid() but also wait for and return the result.
++ *   \param [in] trust_session  The trust session
++ *   \param [in] pid            The process id of the application to add
++ *   \return                    A MirTrustSessionAddTrustResult result of the call
++ */
++MirTrustSessionAddTrustResult mir_trust_session_add_trusted_session_sync(MirTrustSession *trust_session,
++    pid_t pid);
++
++/**
++ * Request the cancellation of a trust session
++ *   \param [in] trust_session  The trust session
++ *   \return                    True if the request was made successfully,
++ *                              false otherwise
++ */
++MirWaitHandle *mir_trust_session_stop(MirTrustSession *trust_session, mir_trust_session_callback callback, void* context);
++
++/**
++ * Perform a mir_trust_session_stop() but also wait for and return the result.
++ *   \param [in] trust_session  The trust session
++ *   \return                    True if the request was made successfully,
++ *                              false otherwise
++ */
++MirBool mir_trust_session_stop_sync(MirTrustSession *trust_session);
++
++/**
++ * Return the state of trust session
++ * \param [in] trust_session  The trust session
++ * \return                    The state of the trust session
++ */
++MirTrustSessionState mir_trust_session_get_state(MirTrustSession *trust_session);
++
++/**
++ * Release a trust session
++ *   \param [in] trust_session  The trust session to release
++ */
++void mir_trust_session_release(MirTrustSession* trust_session);
++
++#ifdef __cplusplus
++}
++/**@}*/
++#endif
++
++#endif /* MIR_TOOLKIT_MIR_TRUST_SESSION_H_ */
 === modified file 'include/server/mir/default_server_configuration.h'
 --- include/server/mir/default_server_configuration.h	2014-05-12 15:46:07 +0000
 +++ include/server/mir/default_server_configuration.h	2014-05-15 13:19:23 +0000
@@ -85,6 +85,7 @@
  class SurfaceStack;
  class InputRegistrar;
  class SceneReport;
++class TrustSessionListener;
+ }
  namespace graphics
+ {
@@ -215,6 +216,7 @@
      virtual std::shared_ptr<scene::PlacementStrategy>   the_placement_strategy();
      virtual std::shared_ptr<scene::SessionListener>     the_session_listener();
      virtual std::shared_ptr<shell::DisplayLayout>       the_shell_display_layout();
++    virtual std::shared_ptr<scene::TrustSessionListener>     the_trust_session_listener();
      /** @} */
      /** @name internal scene configuration
@@ -326,6 +328,7 @@
      CachedPtr<scene::MediatingDisplayChanger> mediating_display_changer;
      CachedPtr<graphics::GLProgramFactory> gl_program_factory;
      CachedPtr<graphics::GLConfig> gl_config;
++    CachedPtr<scene::TrustSessionListener> trust_session_listener;
  private:
      std::shared_ptr<options::Configuration> const configuration_options;
 === modified file 'include/server/mir/frontend/event_sink.h'
 --- include/server/mir/frontend/event_sink.h	2013-08-28 03:41:48 +0000
 +++ include/server/mir/frontend/event_sink.h	2014-05-15 13:19:23 +0000
@@ -35,6 +35,8 @@
      virtual ~EventSink() = default;
      virtual void handle_event(MirEvent const& e) = 0;
++
++    // TODO - remove these in favour of using handle_event
      virtual void handle_lifecycle_event(MirLifecycleState state) = 0;
      virtual void handle_display_config_change(graphics::DisplayConfiguration const& config) = 0;
 === modified file 'include/server/mir/frontend/session.h'
 --- include/server/mir/frontend/session.h	2014-05-06 16:54:43 +0000
 +++ include/server/mir/frontend/session.h	2014-05-15 13:19:23 +0000
@@ -50,6 +50,7 @@
      virtual void destroy_surface(SurfaceId surface) = 0;
      virtual std::shared_ptr<Surface> get_surface(SurfaceId surface) const = 0;
++    virtual pid_t process_id() const = 0;
      virtual std::string name() const = 0;
      virtual void hide() = 0;
 === modified file 'include/server/mir/frontend/session_mediator_report.h'
 --- include/server/mir/frontend/session_mediator_report.h	2014-03-06 06:05:17 +0000
 +++ include/server/mir/frontend/session_mediator_report.h	2014-05-15 13:19:23 +0000
@@ -48,6 +48,12 @@
      virtual void session_configure_display_called(std::string const& app_name) = 0;
++    virtual void session_start_trust_session_called(std::string const& app_name, std::string const& trust_info) = 0;
++
++    virtual void session_add_trusted_session_called(std::string const& app_name, std::string const& trust_info) = 0;
++
++    virtual void session_stop_trust_session_called(std::string const& app_name) = 0;
++
      virtual void session_error(
          std::string const& app_name,
          char const* method,
 === modified file 'include/server/mir/frontend/shell.h'
 --- include/server/mir/frontend/shell.h	2014-04-15 05:31:19 +0000
 +++ include/server/mir/frontend/shell.h	2014-05-15 13:19:23 +0000
@@ -20,6 +20,7 @@
  #define MIR_FRONTEND_SHELL_H_
  #include "mir/frontend/surface_id.h"
++#include "mir_toolkit/common.h"
  #include <sys/types.h>
@@ -30,11 +31,13 @@
  namespace scene
+ {
  struct SurfaceCreationParameters;
++struct TrustSessionCreationParameters;
+ }
  namespace frontend
+ {
  class EventSink;
  class Session;
++class TrustSession;
  class Shell
+ {
@@ -54,6 +57,12 @@
      virtual void handle_surface_created(std::shared_ptr<Session> const& session) = 0;
++    virtual std::shared_ptr<TrustSession> start_trust_session_for(std::shared_ptr<Session> const& session,
++                                                                  scene::TrustSessionCreationParameters const& params) = 0;
++    virtual MirTrustSessionAddTrustResult add_trusted_session_for(std::shared_ptr<TrustSession> const& trust_session,
++                                                                  pid_t session_pid) = 0;
++    virtual void stop_trust_session(std::shared_ptr<TrustSession> const& trust_session) = 0;
++
  protected:
      Shell() = default;
      Shell(const Shell&) = delete;
 === added file 'include/server/mir/frontend/trust_session.h'
 --- include/server/mir/frontend/trust_session.h	1970-01-01 00:00:00 +0000
 +++ include/server/mir/frontend/trust_session.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,53 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_FRONTEND_TRUST_SESSION_H_
++#define MIR_FRONTEND_TRUST_SESSION_H_
++
++#include "mir_toolkit/common.h"
++
++#include <sys/types.h>
++#include <vector>
++#include <string>
++#include <memory>
++
++namespace mir
++{
++
++namespace frontend
++{
++class TrustSession
++{
++public:
++    virtual ~TrustSession() = default;
++
++    virtual MirTrustSessionState get_state() const = 0;
++
++    virtual void start() = 0;
++    virtual void stop() = 0;
++
++protected:
++    TrustSession() = default;
++    TrustSession(const TrustSession&) = delete;
++    TrustSession& operator=(const TrustSession&) = delete;
++};
++
++}
++}
++
++#endif // MIR_FRONTEND_TRUST_SESSION_H_
 === added file 'include/server/mir/scene/null_trust_session_listener.h'
 --- include/server/mir/scene/null_trust_session_listener.h	1970-01-01 00:00:00 +0000
 +++ include/server/mir/scene/null_trust_session_listener.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,50 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_SCENE_NULL_TRUST_SESSION_LISTENER_H_
++#define MIR_SCENE_NULL_TRUST_SESSION_LISTENER_H_
++
++#include "mir/scene/trust_session_listener.h"
++
++namespace mir
++{
++namespace scene
++{
++
++class NullTrustSessionListener : public TrustSessionListener
++{
++public:
++    NullTrustSessionListener() = default;
++    virtual ~NullTrustSessionListener() noexcept(true) = default;
++
++    void starting(std::shared_ptr<TrustSession> const&) override {};
++    void stopping(std::shared_ptr<TrustSession> const&) override {};
++
++    void trusted_session_beginning(TrustSession const&, std::shared_ptr<Session> const&) override {};
++    void trusted_session_ending(TrustSession const&, std::shared_ptr<Session> const&) override {};
++
++protected:
++    NullTrustSessionListener(const NullTrustSessionListener&) = delete;
++    NullTrustSessionListener& operator=(const NullTrustSessionListener&) = delete;
++};
++
++}
++}
++
++
++#endif // MIR_SHELL_NULL_TRUST_SESSION_LISTENER_H_
 === modified file 'include/server/mir/scene/session.h'
 --- include/server/mir/scene/session.h	2014-04-15 05:31:19 +0000
 +++ include/server/mir/scene/session.h	2014-05-15 13:19:23 +0000
@@ -34,12 +34,14 @@
+ {
  public:
      virtual void force_requests_to_complete() = 0;
--    virtual pid_t process_id() const = 0;
      virtual void take_snapshot(SnapshotCallback const& snapshot_taken) = 0;
      virtual std::shared_ptr<Surface> default_surface() const = 0;
      virtual void set_lifecycle_state(MirLifecycleState state) = 0;
      virtual void send_display_config(graphics::DisplayConfiguration const&) = 0;
++
++    virtual void begin_trust_session() = 0;
++    virtual void end_trust_session() = 0;
  };
+ }
+ }
 === added file 'include/server/mir/scene/trust_session.h'
 --- include/server/mir/scene/trust_session.h	1970-01-01 00:00:00 +0000
 +++ include/server/mir/scene/trust_session.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,43 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_SCENE_TRUST_SESSION_H_
++#define MIR_SCENE_TRUST_SESSION_H_
++
++#include "mir/frontend/trust_session.h"
++
++namespace mir
++{
++namespace scene
++{
++class Session;
++
++class TrustSession : public frontend::TrustSession
++{
++public:
++    virtual std::weak_ptr<Session> get_trusted_helper() const = 0;
++
++    virtual bool add_trusted_child(std::shared_ptr<Session> const& session) = 0;
++    virtual void remove_trusted_child(std::shared_ptr<Session> const& session) = 0;
++    virtual void for_each_trusted_child(std::function<void(std::shared_ptr<Session> const&)> f) const = 0;
++};
++
++}
++}
++
++#endif // MIR_SHELL_TRUST_SESSION_H_
 === added file 'include/server/mir/scene/trust_session_creation_parameters.h'
 --- include/server/mir/scene/trust_session_creation_parameters.h	1970-01-01 00:00:00 +0000
 +++ include/server/mir/scene/trust_session_creation_parameters.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,46 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_SCENE_TRUSTED_SESSION_CREATION_PARAMETERS_H_
++#define MIR_SCENE_TRUSTED_SESSION_CREATION_PARAMETERS_H_
++
++#include <sys/types.h>
++#include <vector>
++
++namespace mir
++{
++namespace scene
++{
++
++struct TrustSessionCreationParameters
++{
++    TrustSessionCreationParameters();
++
++    TrustSessionCreationParameters& set_base_process_id(pid_t process_id);
++
++    pid_t base_process_id;
++};
++
++bool operator==(const TrustSessionCreationParameters& lhs, const TrustSessionCreationParameters& rhs);
++bool operator!=(const TrustSessionCreationParameters& lhs, const TrustSessionCreationParameters& rhs);
++
++TrustSessionCreationParameters a_trust_session();
++}
++}
++
++#endif /* MIR_SCENE_TRUSTED_SESSION_CREATION_PARAMETERS_H_ */
 === added file 'include/server/mir/scene/trust_session_listener.h'
 --- include/server/mir/scene/trust_session_listener.h	1970-01-01 00:00:00 +0000
 +++ include/server/mir/scene/trust_session_listener.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,52 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_SCENE_TRUST_SESSION_LISTENER_H_
++#define MIR_SCENE_TRUST_SESSION_LISTENER_H_
++
++#include <memory>
++
++namespace mir
++{
++namespace scene
++{
++class Session;
++class TrustSession;
++
++class TrustSessionListener
++{
++public:
++    virtual void starting(std::shared_ptr<TrustSession> const& trust_session) = 0;
++    virtual void stopping(std::shared_ptr<TrustSession> const& trust_session) = 0;
++
++    virtual void trusted_session_beginning(TrustSession const& trust_session, std::shared_ptr<Session> const& session) = 0;
++    virtual void trusted_session_ending(TrustSession const& trust_session, std::shared_ptr<Session> const& session) = 0;
++
++protected:
++    TrustSessionListener() = default;
++    virtual ~TrustSessionListener() = default;
++
++    TrustSessionListener(const TrustSessionListener&) = delete;
++    TrustSessionListener& operator=(const TrustSessionListener&) = delete;
++};
++
++}
++}
++
++
++#endif // MIR_SCENE_TRUST_SESSION_LISTENER_H_
 === modified file 'include/shared/mir_toolkit/client_types.h'
 --- include/shared/mir_toolkit/client_types.h	2014-05-08 11:48:23 +0000
 +++ include/shared/mir_toolkit/client_types.h	2014-05-15 13:19:23 +0000
@@ -46,6 +46,7 @@
  typedef struct MirConnection MirConnection;
  typedef struct MirSurface MirSurface;
  typedef struct MirScreencast MirScreencast;
++typedef struct MirTrustSession MirTrustSession;
  /**
   * Returned by asynchronous functions. Must not be free'd by
@@ -319,6 +320,31 @@
   */
  typedef void (*mir_screencast_callback)(MirScreencast *screencast, void *client_context);
++/**
++ * Callback member of MirTrustSession for handling of trust sessions.
++ *   \param [in] tps            The trust session associated with the callback
++ *   \param [in,out] context    The context provided by the client
++ */
++typedef void (*mir_trust_session_callback)(MirTrustSession* tps, void* context);
++
++/**
++ * Callback member of MirTrustSession for adding trusted sessions
++ *   \param [in] trusted_session  The trust session associated with the callback
++ *   \param [in] result           The result of adding a trusted session
++ *   \param [in,out] context      The context provided by the client
++ */
++typedef void (*mir_trust_session_add_trusted_session_callback)(
++    MirTrustSession* trusted_session, MirTrustSessionAddTrustResult result, void* context);
++
++/**
++ * Callback member of MirTrustSession for handling of trust sessions events.
++ *   \param [in] trusted_session  The trust session associated with the callback
++ *   \param [in] state            The state of the trust session
++ *   \param [in,out] context      The context provided by the client
++ */
++typedef void (*mir_trust_session_event_callback)(
++    MirTrustSession* trusted_session, MirTrustSessionState state, void* context);
++
  #ifdef __cplusplus
+ }
  /**@}*/
 === modified file 'include/shared/mir_toolkit/common.h'
 --- include/shared/mir_toolkit/common.h	2014-03-06 06:05:17 +0000
 +++ include/shared/mir_toolkit/common.h	2014-05-15 13:19:23 +0000
@@ -87,6 +87,23 @@
      mir_power_mode_off /* Powered down. */
  } MirPowerMode;
++typedef enum MirTrustSessionState
++{
++    mir_trust_session_state_stopped = 0,
++    mir_trust_session_state_started
++} MirTrustSessionState;
++
++/**
++ * MirTrustSessionAddTrustResult specifies the result of a
++ * call to add an app id to a trust session
++ */
++typedef enum
++{
++    mir_trust_session_add_tust_failed,
++    mir_trust_session_add_tust_duplicate,
++    mir_trust_session_add_tust_succeeded
++} MirTrustSessionAddTrustResult;
++
  /**
   * The order of components in a format enum matches the
   * order of the components as they would be written in an
 === modified file 'include/shared/mir_toolkit/event.h'
 --- include/shared/mir_toolkit/event.h	2014-03-06 06:05:17 +0000
 +++ include/shared/mir_toolkit/event.h	2014-05-15 13:19:23 +0000
@@ -40,7 +40,8 @@
      mir_event_type_key,
      mir_event_type_motion,
      mir_event_type_surface,
--    mir_event_type_resize
++    mir_event_type_resize,
++    mir_event_type_trust_session_state_change
  } MirEventType;
  typedef enum {
@@ -204,6 +205,13 @@
      int height;
  } MirResizeEvent;
++typedef struct
++{
++    MirEventType type;
++
++    MirTrustSessionState new_state;
++} MirTrustSessionEvent;
++
  typedef union
+ {
      MirEventType    type;
@@ -211,6 +219,7 @@
      MirMotionEvent  motion;
      MirSurfaceEvent surface;
      MirResizeEvent  resize;
++    MirTrustSessionEvent  trust_session;
  } MirEvent;
  #ifdef __cplusplus
 === modified file 'include/test/mir_test/test_protobuf_client.h'
 --- include/test/mir_test/test_protobuf_client.h	2013-08-28 03:41:48 +0000
 +++ include/test/mir_test/test_protobuf_client.h	2014-05-15 13:19:23 +0000
@@ -21,6 +21,7 @@
  #define MIR_TEST_TEST_CLIENT_H_
  #include "mir_protobuf.pb.h"
++#include "wait_condition.h"
  #include <gmock/gmock.h>
@@ -49,6 +50,10 @@
      mir::protobuf::Connection connection;
      mir::protobuf::DisplayConfiguration disp_config;
      mir::protobuf::DisplayConfiguration disp_config_response;
++    mir::protobuf::TrustSessionParameters trust_session_parameters;
++    mir::protobuf::TrustedSession trusted_session;
++    mir::protobuf::TrustSession trust_session;
++    mir::protobuf::TrustSessionAddResult add_trust_result;
      MOCK_METHOD0(connect_done, void());
      MOCK_METHOD0(create_surface_done, void());
@@ -57,6 +62,9 @@
      MOCK_METHOD0(disconnect_done, void());
      MOCK_METHOD0(drm_auth_magic_done, void());
      MOCK_METHOD0(display_configure_done, void());
++    MOCK_METHOD0(trust_session_start_done, void());
++    MOCK_METHOD0(trust_session_add_trusted_session_done, void());
++    MOCK_METHOD0(trust_session_stop_done, void());
      void on_connect_done();
@@ -94,6 +102,12 @@
      void wait_for_configure_display_done();
++    void wait_for_trust_session_start_done();
++
++    void wait_for_trust_session_add_trusted_session_done();
++
++    void wait_for_trust_session_stop_done();
++
      const int maxwait;
      std::atomic<bool> connect_done_called;
      std::atomic<bool> create_surface_called;
@@ -104,6 +118,10 @@
      std::atomic<bool> configure_display_done_called;
      std::atomic<bool> tfd_done_called;
++    WaitCondition wc_trust_session_start;
++    WaitCondition wc_trust_session_add;
++    WaitCondition wc_trust_session_stop;
++
      std::atomic<int> connect_done_count;
      std::atomic<int> create_surface_done_count;
      std::atomic<int> disconnect_done_count;
 === modified file 'include/test/mir_test_doubles/mock_scene_session.h'
 --- include/test/mir_test_doubles/mock_scene_session.h	2014-05-07 14:25:45 +0000
 +++ include/test/mir_test_doubles/mock_scene_session.h	2014-05-15 13:19:23 +0000
@@ -52,6 +52,9 @@
      MOCK_METHOD3(configure_surface, int(frontend::SurfaceId, MirSurfaceAttrib, int));
      MOCK_METHOD1(set_lifecycle_state, void(MirLifecycleState state));
++
++    MOCK_METHOD0(begin_trust_session, void());
++    MOCK_METHOD0(end_trust_session, void());
  };
+ }
 === modified file 'include/test/mir_test_doubles/mock_shell.h'
 --- include/test/mir_test_doubles/mock_shell.h	2014-04-15 05:31:19 +0000
 +++ include/test/mir_test_doubles/mock_shell.h	2014-05-15 13:19:23 +0000
@@ -22,6 +22,7 @@
  #include "mir/scene/surface_creation_parameters.h"
  #include "mir/frontend/shell.h"
  #include "mir/frontend/surface_id.h"
++#include "mir/scene/trust_session_creation_parameters.h"
  #include <gmock/gmock.h>
@@ -43,6 +44,14 @@
      MOCK_METHOD2(create_surface_for, frontend::SurfaceId(std::shared_ptr<frontend::Session> const&, scene::SurfaceCreationParameters const&));
      MOCK_METHOD1(handle_surface_created, void(std::shared_ptr<frontend::Session> const&));
++
++    MOCK_METHOD2(start_trust_session_for, std::shared_ptr<frontend::TrustSession>(
++        std::shared_ptr<frontend::Session> const&,
++        scene::TrustSessionCreationParameters const&));
++    MOCK_METHOD2(add_trusted_session_for, MirTrustSessionAddTrustResult(
++        std::shared_ptr<frontend::TrustSession> const&,
++        pid_t));
++    MOCK_METHOD1(stop_trust_session, void(std::shared_ptr<frontend::TrustSession> const&));
  };
+ }
 === added file 'include/test/mir_test_doubles/mock_trust_session_listener.h'
 --- include/test/mir_test_doubles/mock_trust_session_listener.h	1970-01-01 00:00:00 +0000
 +++ include/test/mir_test_doubles/mock_trust_session_listener.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,48 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_TEST_DOUBLES_MOCK_TRUST_SESSION_LISTENER_H_
++#define MIR_TEST_DOUBLES_MOCK_TRUST_SESSION_LISTENER_H_
++
++#include "mir/scene/trust_session_listener.h"
++
++#include <gmock/gmock.h>
++
++namespace mir
++{
++namespace test
++{
++namespace doubles
++{
++
++struct MockTrustSessionListener : public scene::TrustSessionListener
++{
++    virtual ~MockTrustSessionListener() noexcept(true) {}
++
++    MOCK_METHOD1(starting, void(std::shared_ptr<scene::TrustSession> const&));
++    MOCK_METHOD1(stopping, void(std::shared_ptr<scene::TrustSession> const&));
++
++    MOCK_METHOD2(trusted_session_beginning, void(scene::TrustSession const&, std::shared_ptr<scene::Session> const&));
++    MOCK_METHOD2(trusted_session_ending, void(scene::TrustSession const&, std::shared_ptr<scene::Session> const&));
++};
++
++}
++}
++} // namespace mir
++
++#endif // MIR_TEST_DOUBLES_MOCK_TRUST_SESSION_LISTENER_H_
 === added file 'include/test/mir_test_doubles/null_trust_session.h'
 --- include/test/mir_test_doubles/null_trust_session.h	1970-01-01 00:00:00 +0000
 +++ include/test/mir_test_doubles/null_trust_session.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,69 @@
++/*
++ * Copyright © 2013 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Alexandros Frantzis <alexandros.frantzis@canonical.com>
++ */
++
++#ifndef MIR_TEST_DOUBLES_NULL_TRUST_SESSION_H_
++#define MIR_TEST_DOUBLES_NULL_TRUST_SESSION_H_
++
++#include "mir/scene/trust_session.h"
++
++namespace mir
++{
++namespace test
++{
++namespace doubles
++{
++
++class NullTrustSession : public scene::TrustSession
++{
++    MirTrustSessionState get_state() const override
++    {
++      return mir_trust_session_state_stopped;
++    }
++
++    void start() override
++    {
++    }
++
++    void stop() override
++    {
++    }
++
++    std::weak_ptr<scene::Session> get_trusted_helper() const override
++    {
++      return std::weak_ptr<scene::Session>();
++    }
++
++    bool add_trusted_child(std::shared_ptr<scene::Session> const&) override
++    {
++        return false;
++    }
++
++    void remove_trusted_child(std::shared_ptr<scene::Session> const&) override
++    {
++    }
++
++    void for_each_trusted_child(std::function<void(std::shared_ptr<scene::Session> const&)>) const override
++    {
++    }
++};
++
++}
++}
++}
++
++#endif /* MIR_TEST_DOUBLES_NULL_TRUST_SESSION_H_ */
 === modified file 'include/test/mir_test_doubles/stub_scene_session.h'
 --- include/test/mir_test_doubles/stub_scene_session.h	2014-05-06 16:54:43 +0000
 +++ include/test/mir_test_doubles/stub_scene_session.h	2014-05-15 13:19:23 +0000
@@ -76,6 +76,14 @@
      void set_lifecycle_state(MirLifecycleState /*state*/)
+     {
+     }
++
++    void begin_trust_session() override
++    {
++    }
++
++    void end_trust_session() override
++    {
++    }
  };
+ }
 === modified file 'include/test/mir_test_doubles/stub_session.h'
 --- include/test/mir_test_doubles/stub_session.h	2014-05-06 16:54:43 +0000
 +++ include/test/mir_test_doubles/stub_session.h	2014-05-15 13:19:23 +0000
@@ -41,6 +41,10 @@
+     {
          return std::shared_ptr<frontend::Surface>();
+     }
++    pid_t process_id() const override
++    {
++        return 0;
++    }
      std::string name() const override
+     {
          return std::string();
 === modified file 'include/test/mir_test_doubles/stub_shell.h'
 --- include/test/mir_test_doubles/stub_shell.h	2014-04-15 05:31:19 +0000
 +++ include/test/mir_test_doubles/stub_shell.h	2014-05-15 13:19:23 +0000
@@ -49,6 +49,21 @@
      void handle_surface_created(std::shared_ptr<frontend::Session> const& /* session */) override
+     {
+     }
++    std::shared_ptr<frontend::TrustSession> start_trust_session_for(std::shared_ptr<frontend::Session> const& /* session */,
++        scene::TrustSessionCreationParameters const& /* params */)
++    {
++        return std::shared_ptr<frontend::TrustSession>();
++    }
++    MirTrustSessionAddTrustResult add_trusted_session_for(
++        std::shared_ptr<frontend::TrustSession> const&  /* trust_session */,
++        pid_t /* session_pid */)
++    {
++        return mir_trust_session_add_tust_failed;
++    }
++    void stop_trust_session(std::shared_ptr<frontend::TrustSession>  const& /* trust_session */)
++    {
++    }
++
      std::shared_ptr<StubSession> const stub_session;
  };
 === modified file 'src/client/CMakeLists.txt'
 --- src/client/CMakeLists.txt	2014-04-29 18:40:27 +0000
 +++ src/client/CMakeLists.txt	2014-05-15 13:19:23 +0000
@@ -48,6 +48,9 @@
    mir_screencast.cpp
    mir_screencast_api.cpp
    mir_cursor_api.cpp
++  mir_trust_session.cpp
++  mir_trust_session_api.cpp
++  event_distributor.cpp
+ )
  add_library(
@@ -82,7 +85,7 @@
    mirclientlttngstatic
    ${MIR_COMMON_PLATFORM_LIBRARIES}
--
++
 rd_party
+ )
 === modified file 'src/client/connection_configuration.h'
 --- src/client/connection_configuration.h	2014-03-06 06:05:17 +0000
 +++ src/client/connection_configuration.h	2014-05-15 13:19:23 +0000
@@ -47,6 +47,7 @@
  class ClientPlatformFactory;
  class DisplayConfiguration;
  class LifecycleControl;
++class EventDistributor;
  class ConnectionConfiguration
+ {
@@ -60,6 +61,7 @@
      virtual std::shared_ptr<input::receiver::InputPlatform> the_input_platform() = 0;
      virtual std::shared_ptr<DisplayConfiguration> the_display_configuration() = 0;
      virtual std::shared_ptr<LifecycleControl> the_lifecycle_control() = 0;
++    virtual std::shared_ptr<EventDistributor> the_event_distributor() = 0;
  protected:
      ConnectionConfiguration() = default;
 === modified file 'src/client/default_connection_configuration.cpp'
 --- src/client/default_connection_configuration.cpp	2014-03-26 05:48:59 +0000
 +++ src/client/default_connection_configuration.cpp	2014-05-15 13:19:23 +0000
@@ -32,6 +32,7 @@
  #include "lifecycle_control.h"
  #include "mir/shared_library.h"
  #include "client_platform_factory.h"
++#include "event_distributor.h"
  namespace mcl = mir::client;
@@ -81,7 +82,7 @@
          [this]
+         {
              return mcl::rpc::make_rpc_channel(
--                the_socket_file(), the_surface_map(), the_display_configuration(), the_rpc_report(), the_lifecycle_control());
++                the_socket_file(), the_surface_map(), the_display_configuration(), the_rpc_report(), the_lifecycle_control(), the_event_distributor());
          });
+ }
@@ -182,3 +183,12 @@
              return std::make_shared<mcl::LifecycleControl>();
          });
+ }
++
++std::shared_ptr<mcl::EventDistributor> mcl::DefaultConnectionConfiguration::the_event_distributor()
++{
++    return event_distributor(
++        []
++        {
++            return std::make_shared<mcl::EventDistributor>();
++        });
++}
 === modified file 'src/client/default_connection_configuration.h'
 --- src/client/default_connection_configuration.h	2014-03-06 06:05:17 +0000
 +++ src/client/default_connection_configuration.h	2014-05-15 13:19:23 +0000
@@ -54,6 +54,7 @@
      std::shared_ptr<input::receiver::InputPlatform> the_input_platform();
      std::shared_ptr<DisplayConfiguration> the_display_configuration();
      std::shared_ptr<LifecycleControl> the_lifecycle_control();
++    std::shared_ptr<EventDistributor> the_event_distributor();
      virtual std::string the_socket_file();
      virtual std::shared_ptr<rpc::RpcReport> the_rpc_report();
@@ -67,6 +68,7 @@
      CachedPtr<ConnectionSurfaceMap> surface_map;
      CachedPtr<DisplayConfiguration> display_configuration;
      CachedPtr<LifecycleControl> lifecycle_control;
++    CachedPtr<EventDistributor> event_distributor;
      CachedPtr<rpc::RpcReport> rpc_report;
      CachedPtr<input::receiver::InputReceiverReport> input_receiver_report;
 === added file 'src/client/event_distributor.cpp'
 --- src/client/event_distributor.cpp	1970-01-01 00:00:00 +0000
 +++ src/client/event_distributor.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,57 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Nick Dedekind <nick.dedekind@gmail.com>
++ */
++
++#include "event_distributor.h"
++
++namespace mcl = mir::client;
++
++mcl::EventDistributor::EventDistributor() :
++    next_fn_id(0)
++{
++}
++
++int mcl::EventDistributor::register_event_handler(std::function<void(MirEvent const&)> const& fn)
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    int id = next_id();
++    event_handlers[id] = fn;
++    return id;
++}
++
++void mcl::EventDistributor::unregister_event_handler(int id)
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    event_handlers.erase(id);
++}
++
++void mcl::EventDistributor::handle_event(MirEvent const& event)
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    for (auto const& fn : event_handlers)
++    {
++        fn.second(event);
++    }
++}
++
++int mcl::EventDistributor::next_id()
++{
++    return ++next_fn_id;
++}
 \ No newline at end of file
 === added file 'src/client/event_distributor.h'
 --- src/client/event_distributor.h	1970-01-01 00:00:00 +0000
 +++ src/client/event_distributor.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,52 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Nick Dedekind <nick.dedekind@gmail.com>
++ */
++
++#ifndef MIR_CLIENT_EVENT_DISTRIBUTOR_H
++
++#include "mir_toolkit/event.h"
++
++#include <functional>
++#include <mutex>
++#include <map>
++
++namespace mir
++{
++namespace client
++{
++class EventDistributor
++{
++public:
++    EventDistributor();
++    ~EventDistributor() = default;
++
++    int register_event_handler(std::function<void(MirEvent const&)> const&);
++    void unregister_event_handler(int id);
++
++    void handle_event(MirEvent const& event);
++
++private:
++    int next_id();
++
++    mutable std::mutex mutex;
++    std::map<int, std::function<void(MirEvent const&)>> event_handlers;
++    int next_fn_id;
++};
++}
++}
++
++#endif /* MIR_CLIENT_EVENT_DISTRIBUTOR_H */
 === modified file 'src/client/mir_connection.cpp'
 --- src/client/mir_connection.cpp	2014-05-07 13:51:38 +0000
 +++ src/client/mir_connection.cpp	2014-05-15 13:19:23 +0000
@@ -18,6 +18,7 @@
  #include "mir_connection.h"
  #include "mir_surface.h"
++#include "mir_trust_session.h"
  #include "client_platform.h"
  #include "client_platform_factory.h"
  #include "rpc/mir_basic_rpc_channel.h"
@@ -82,7 +83,8 @@
          input_platform(conf.the_input_platform()),
          display_configuration(conf.the_display_configuration()),
          lifecycle_control(conf.the_lifecycle_control()),
--        surface_map(conf.the_surface_map())
++        surface_map(conf.the_surface_map()),
++        event_distributor(conf.the_event_distributor())
+ {
      connect_result.set_error("connect not called");
+     {
@@ -193,6 +195,11 @@
      return new_wait_handle;
+ }
++MirTrustSession* MirConnection::create_trust_session()
++{
++    return new MirTrustSession(display_server(), event_distributor);
++}
++
  namespace
+ {
  void default_lifecycle_event_handler(MirLifecycleState transition)
@@ -522,6 +529,6 @@
+ }
  mir::protobuf::DisplayServer& MirConnection::display_server()
--{
++{
      return server;
+ }
 === modified file 'src/client/mir_connection.h'
 --- src/client/mir_connection.h	2014-05-07 13:51:38 +0000
 +++ src/client/mir_connection.h	2014-05-15 13:19:23 +0000
@@ -45,6 +45,7 @@
  class ConnectionSurfaceMap;
  class DisplayConfiguration;
  class LifecycleControl;
++class EventDistributor;
  namespace rpc
+ {
@@ -86,6 +87,8 @@
              mir_surface_callback callback,
              void *context);
++    MirTrustSession* create_trust_session();
++
      char const * get_error_message();
      MirWaitHandle* connect(
@@ -172,6 +175,8 @@
      std::shared_ptr<mir::client::ConnectionSurfaceMap> const surface_map;
++    std::shared_ptr<mir::client::EventDistributor> const event_distributor;
++
      std::vector<int> extra_platform_data;
      struct SurfaceRelease;
 === added file 'src/client/mir_trust_session.cpp'
 --- src/client/mir_trust_session.cpp	1970-01-01 00:00:00 +0000
 +++ src/client/mir_trust_session.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,182 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Nick Dedekind <nick.dedekind@gmail.com>
++ */
++
++#include "mir_trust_session.h"
++#include "event_distributor.h"
++
++namespace mp = mir::protobuf;
++namespace mcl = mir::client;
++
++MirTrustSession::MirTrustSession(
++    mp::DisplayServer& server,
++    std::shared_ptr<mcl::EventDistributor> const& event_distributor)
++    : server(server),
++      event_distributor(event_distributor),
++      state(mir_trust_session_state_stopped)
++{
++    event_distributor_fn_id = event_distributor->register_event_handler(
++        [this](MirEvent const& event)
++        {
++            if (event.type != mir_event_type_trust_session_state_change)
++                return;
++
++            std::lock_guard<decltype(mutex_event_handler)> lock(mutex_event_handler);
++
++            set_state(event.trust_session.new_state);
++            if (handle_trust_session_event) {
++                handle_trust_session_event(event.trust_session.new_state);
++            }
++        }
++    );
++}
++
++MirTrustSession::~MirTrustSession()
++{
++    event_distributor->unregister_event_handler(event_distributor_fn_id);
++}
++
++MirTrustSessionState MirTrustSession::get_state() const
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    return state;
++}
++
++void MirTrustSession::set_state(MirTrustSessionState new_state)
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    state = new_state;
++}
++
++MirWaitHandle* MirTrustSession::start(pid_t pid, mir_trust_session_callback callback, void* context)
++{
++    mir::protobuf::TrustSessionParameters parameters;
++    parameters.mutable_base_trusted_session()->set_pid(pid);
++
++    server.start_trust_session(
++        0,
++        &parameters,
++        &session,
++        google::protobuf::NewCallback(this, &MirTrustSession::done_start,
++                                      callback, context));
++
++    return &start_wait_handle;
++}
++
++MirWaitHandle* MirTrustSession::stop(mir_trust_session_callback callback, void* context)
++{
++    server.stop_trust_session(
++        0,
++        &protobuf_void,
++        &protobuf_void,
++        google::protobuf::NewCallback(this, &MirTrustSession::done_stop,
++                                      callback, context));
++
++    return &stop_wait_handle;
++}
++
++MirWaitHandle* MirTrustSession::add_trusted_session(pid_t pid,
++    mir_trust_session_add_trusted_session_callback callback,
++    void* context)
++{
++    mir::protobuf::TrustedSession trusted_session;
++    trusted_session.set_pid(pid);
++
++    server.add_trusted_session(
++        0,
++        &trusted_session,
++        &add_result,
++        google::protobuf::NewCallback(this, &MirTrustSession::done_add_trusted_session,
++                                      callback, context));
++
++    return &add_result_wait_handle;
++}
++
++void MirTrustSession::register_trust_session_event_callback(
++    mir_trust_session_event_callback callback,
++    void* context)
++{
++    std::lock_guard<decltype(mutex_event_handler)> lock(mutex_event_handler);
++
++    handle_trust_session_event =
++        [this, callback, context](MirTrustSessionState new_state)
++        {
++            callback(this, new_state, context);
++        };
++}
++
++void MirTrustSession::done_start(mir_trust_session_callback callback, void* context)
++{
++    std::string error;
++    MirTrustSessionState new_state = mir_trust_session_state_stopped;
++    {
++        std::lock_guard<decltype(mutex)> lock(mutex);
++
++        if (session.has_state())
++            new_state = (MirTrustSessionState)session.state();
++
++        error = session.error();
++    }
++    set_error_message(error);
++    set_state(new_state);
++
++    callback(this, context);
++    start_wait_handle.result_received();
++}
++
++void MirTrustSession::done_stop(mir_trust_session_callback callback, void* context)
++{
++    set_state(mir_trust_session_state_stopped);
++
++    callback(this, context);
++    stop_wait_handle.result_received();
++}
++
++void MirTrustSession::done_add_trusted_session(mir_trust_session_add_trusted_session_callback callback, void* context)
++{
++    MirTrustSessionAddTrustResult result = static_cast<MirTrustSessionAddTrustResult>(add_result.result());
++    if (add_result.has_error())
++    {
++        set_error_message(add_result.error());
++        result = mir_trust_session_add_tust_failed;
++    }
++    callback(this, result, context);
++    add_result_wait_handle.result_received();
++}
++
++char const* MirTrustSession::get_error_message()
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    if (session.has_error())
++    {
++        return session.error().c_str();
++    }
++    else
++    {
++        return error_message.c_str();
++    }
++}
++
++void MirTrustSession::set_error_message(std::string const& error)
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    error_message = error;
++}
 === added file 'src/client/mir_trust_session.h'
 --- src/client/mir_trust_session.h	1970-01-01 00:00:00 +0000
 +++ src/client/mir_trust_session.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,88 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Nick Dedekind <nick.dedekind@gmail.com>
++ */
++
++#ifndef MIR_CLIENT_MIR_TRUST_SESSION_H_
++#define MIR_CLIENT_MIR_TRUST_SESSION_H_
++
++#include "mir_toolkit/mir_client_library.h"
++
++#include "mir_protobuf.pb.h"
++#include "mir_wait_handle.h"
++
++#include <mutex>
++#include <memory>
++#include <atomic>
++
++namespace mir
++{
++/// The client-side library implementation namespace
++namespace client
++{
++class EventDistributor;
++}
++}
++
++struct MirTrustSession
++{
++public:
++    MirTrustSession(mir::protobuf::DisplayServer& server,
++                    std::shared_ptr<mir::client::EventDistributor> const& event_distributor);
++
++    ~MirTrustSession();
++
++    MirTrustSession(MirTrustSession const&) = delete;
++    MirTrustSession& operator=(MirTrustSession const&) = delete;
++
++    MirWaitHandle* start(pid_t pid, mir_trust_session_callback callback, void* context);
++    MirWaitHandle* stop(mir_trust_session_callback callback, void* context);
++    MirWaitHandle* add_trusted_session(pid_t pid, mir_trust_session_add_trusted_session_callback callback, void* context);
++
++    void register_trust_session_event_callback(mir_trust_session_event_callback callback, void* context);
++
++    char const* get_error_message();
++    void set_error_message(std::string const& error);
++
++    MirTrustSessionState get_state() const;
++    void set_state(MirTrustSessionState new_state);
++
++private:
++    mutable std::mutex mutex; // Protects members of *this
++    mutable std::mutex mutex_event_handler; // Need another mutex for callback access to members
++
++    mir::protobuf::DisplayServer& server;
++    mir::protobuf::TrustSession session;
++    mir::protobuf::TrustSessionAddResult add_result;
++    mir::protobuf::Void protobuf_void;
++    std::string error_message;
++
++    std::shared_ptr<mir::client::EventDistributor> const event_distributor;
++    std::function<void(MirTrustSessionState)> handle_trust_session_event;
++    int event_distributor_fn_id;
++
++    MirWaitHandle start_wait_handle;
++    MirWaitHandle stop_wait_handle;
++    MirWaitHandle add_result_wait_handle;
++    MirTrustSessionState state;
++
++    void done_start(mir_trust_session_callback callback, void* context);
++    void done_stop(mir_trust_session_callback callback, void* context);
++    void done_add_trusted_session(mir_trust_session_add_trusted_session_callback callback, void* context);
++};
++
++#endif /* MIR_CLIENT_MIR_TRUST_SESSION_H_ */
++
 === added file 'src/client/mir_trust_session_api.cpp'
 --- src/client/mir_trust_session_api.cpp	1970-01-01 00:00:00 +0000
 +++ src/client/mir_trust_session_api.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,133 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include "mir_toolkit/mir_trust_session.h"
++#include "mir_trust_session.h"
++#include "mir_connection.h"
++
++#include <stdexcept>
++#include <boost/throw_exception.hpp>
++
++namespace
++{
++
++// assign_result is compatible with all 2-parameter callbacks
++void assign_result(void *result, void **context)
++{
++    if (context)
++        *context = result;
++}
++
++void add_trusted_session_callback(MirTrustSession*,
++                                  MirTrustSessionAddTrustResult result,
++                                  void* context)
++{
++    if (context)
++        *(MirTrustSessionAddTrustResult*)context = result;
++}
++
++}
++
++MirWaitHandle *mir_connection_start_trust_session(MirConnection* connection,
++                                                  pid_t base_session_pid,
++                                                  mir_trust_session_callback start_callback,
++                                                  mir_trust_session_event_callback event_callback,
++                                                  void* context)
++{
++    auto trust_session = connection->create_trust_session();
++    if (event_callback)
++        trust_session->register_trust_session_event_callback(event_callback, context);
++    return trust_session->start(base_session_pid, start_callback, context);
++}
++
++MirTrustSession *mir_connection_start_trust_session_sync(MirConnection* connection,
++                                                         pid_t base_session_pid,
++                                                         mir_trust_session_event_callback event_callback,
++                                                         void* context)
++{
++    auto trust_session = connection->create_trust_session();
++    if (event_callback)
++        trust_session->register_trust_session_event_callback(event_callback, context);
++
++    mir_wait_for(trust_session->start(base_session_pid,
++                                      reinterpret_cast<mir_trust_session_callback>(assign_result),
++                                      nullptr));
++    return trust_session;
++}
++
++MirTrustSession* mir_connection_create_trust_session(MirConnection* connection)
++{
++    return connection->create_trust_session();
++}
++
++MirWaitHandle *mir_trust_session_add_trusted_session(MirTrustSession *trust_session,
++                                                     pid_t session_pid,
++                                                     mir_trust_session_add_trusted_session_callback callback,
++                                                     void* context)
++{
++    try
++    {
++        return trust_session->add_trusted_session(session_pid, callback, context);
++    }
++    catch (std::exception const&)
++    {
++        // TODO callback with an error
++        return nullptr;
++    }
++}
++
++MirTrustSessionAddTrustResult mir_trust_session_add_trusted_session_sync(MirTrustSession *trust_session, pid_t base_session_pid)
++{
++    MirTrustSessionAddTrustResult result;
++    mir_wait_for(mir_trust_session_add_trusted_session(trust_session,
++        base_session_pid,
++        add_trusted_session_callback,
++        &result));
++    return result;
++}
++
++MirWaitHandle *mir_trust_session_stop(MirTrustSession *trust_session,
++                                      mir_trust_session_callback callback,
++                                      void* context)
++{
++    try
++    {
++        return trust_session->stop(callback, context);
++    }
++    catch (std::exception const&)
++    {
++        // TODO callback with an error
++        return nullptr;
++    }
++}
++
++MirBool mir_trust_session_stop_sync(MirTrustSession *trust_session)
++{
++    mir_wait_for(mir_trust_session_stop(trust_session,
++        reinterpret_cast<mir_trust_session_callback>(assign_result),
++        NULL));
++    return trust_session->get_state() == mir_trust_session_state_stopped ? mir_true : mir_false;
++}
++
++MirTrustSessionState mir_trust_session_get_state(MirTrustSession *trust_session)
++{
++    return trust_session->get_state();
++}
++
++void mir_trust_session_release(MirTrustSession* trust_session)
++{
++    delete trust_session;
++}
 === modified file 'src/client/rpc/make_rpc_channel.h'
 --- src/client/rpc/make_rpc_channel.h	2014-03-06 06:05:17 +0000
 +++ src/client/rpc/make_rpc_channel.h	2014-05-15 13:19:23 +0000
@@ -29,6 +29,7 @@
  class SurfaceMap;
  class DisplayConfiguration;
  class LifecycleControl;
++class EventDistributor;
  namespace rpc
+ {
@@ -39,7 +40,8 @@
                   std::shared_ptr<SurfaceMap> const& map,
                   std::shared_ptr<DisplayConfiguration> const& disp_conf,
                   std::shared_ptr<RpcReport> const& rpc_report,
--                 std::shared_ptr<LifecycleControl> const& lifecycle_control);
++                 std::shared_ptr<LifecycleControl> const& lifecycle_control,
++                 std::shared_ptr<EventDistributor> const& event_distributor);
+ }
+ }
+ }
 === modified file 'src/client/rpc/make_socket_rpc_channel.cpp'
 --- src/client/rpc/make_socket_rpc_channel.cpp	2014-03-06 06:05:17 +0000
 +++ src/client/rpc/make_socket_rpc_channel.cpp	2014-05-15 13:19:23 +0000
@@ -44,13 +44,14 @@
                         std::shared_ptr<mcl::SurfaceMap> const& map,
                         std::shared_ptr<mcl::DisplayConfiguration> const& disp_conf,
                         std::shared_ptr<RpcReport> const& rpc_report,
--                       std::shared_ptr<mcl::LifecycleControl> const& lifecycle_control)
++                       std::shared_ptr<mcl::LifecycleControl> const& lifecycle_control,
++                       std::shared_ptr<mcl::EventDistributor> const& event_distributor)
+ {
      if (fd_prefix.is_start_of(name))
+     {
          auto const fd = atoi(name.c_str()+fd_prefix.size);
--        return std::make_shared<MirSocketRpcChannel>(fd, map, disp_conf, rpc_report, lifecycle_control);
++        return std::make_shared<MirSocketRpcChannel>(fd, map, disp_conf, rpc_report, lifecycle_control, event_distributor);
+     }
--    return std::make_shared<MirSocketRpcChannel>(name, map, disp_conf, rpc_report, lifecycle_control);
++    return std::make_shared<MirSocketRpcChannel>(name, map, disp_conf, rpc_report, lifecycle_control, event_distributor);
+ }
 === modified file 'src/client/rpc/mir_socket_rpc_channel.cpp'
 --- src/client/rpc/mir_socket_rpc_channel.cpp	2014-05-06 14:53:36 +0000
 +++ src/client/rpc/mir_socket_rpc_channel.cpp	2014-05-15 13:19:23 +0000
@@ -24,6 +24,7 @@
  #include "../mir_surface.h"
  #include "../display_configuration.h"
  #include "../lifecycle_control.h"
++#include "../event_distributor.h"
  #include "mir_protobuf.pb.h"  // For Buffer frig
  #include "mir_protobuf_wire.pb.h"
@@ -49,7 +50,8 @@
      std::shared_ptr<mcl::SurfaceMap> const& surface_map,
      std::shared_ptr<DisplayConfiguration> const& disp_config,
      std::shared_ptr<RpcReport> const& rpc_report,
--    std::shared_ptr<LifecycleControl> const& lifecycle_control) :
++    std::shared_ptr<LifecycleControl> const& lifecycle_control,
++    std::shared_ptr<EventDistributor> const& event_distributor) :
      rpc_report(rpc_report),
      pending_calls(rpc_report),
      work(io_service),
@@ -57,6 +59,7 @@
      surface_map(surface_map),
      display_configuration(disp_config),
      lifecycle_control(lifecycle_control),
++    event_distributor(event_distributor),
      disconnected(false)
+ {
      socket.connect(endpoint);
@@ -68,7 +71,8 @@
      std::shared_ptr<mcl::SurfaceMap> const& surface_map,
      std::shared_ptr<DisplayConfiguration> const& disp_config,
      std::shared_ptr<RpcReport> const& rpc_report,
--    std::shared_ptr<LifecycleControl> const& lifecycle_control) :
++    std::shared_ptr<LifecycleControl> const& lifecycle_control,
++    std::shared_ptr<EventDistributor> const& event_distributor) :
      rpc_report(rpc_report),
      pending_calls(rpc_report),
      work(io_service),
@@ -76,6 +80,7 @@
      surface_map(surface_map),
      display_configuration(disp_config),
      lifecycle_control(lifecycle_control),
++    event_distributor(event_distributor),
      disconnected(false)
+ {
      socket.assign(boost::asio::local::stream_protocol(), native_socket);
@@ -405,11 +410,25 @@
                  rpc_report->event_parsing_succeeded(e);
--                surface_map->with_surface_do(e.surface.id,
--                    [&e](MirSurface* surface)
--                    {
--                        surface->handle_event(e);
--                    });
++                event_distributor->handle_event(e);
++
++                // todo - surfaces should register with the event distributor.
++                if (e.type == mir_event_type_surface)
++                {
++                    surface_map->with_surface_do(e.surface.id,
++                        [&e](MirSurface* surface)
++                        {
++                            surface->handle_event(e);
++                        });
++                }
++                else if (e.type == mir_event_type_resize)
++                {
++                    surface_map->with_surface_do(e.resize.surface_id,
++                        [&e](MirSurface* surface)
++                        {
++                            surface->handle_event(e);
++                        });
++                }
+             }
              else
+             {
 === modified file 'src/client/rpc/mir_socket_rpc_channel.h'
 --- src/client/rpc/mir_socket_rpc_channel.h	2014-05-05 03:36:45 +0000
 +++ src/client/rpc/mir_socket_rpc_channel.h	2014-05-15 13:19:23 +0000
@@ -44,6 +44,7 @@
  class DisplayConfiguration;
  class SurfaceMap;
  class LifecycleControl;
++class EventDistributor;
  namespace rpc
+ {
@@ -56,13 +57,15 @@
                          std::shared_ptr<SurfaceMap> const& surface_map,
                          std::shared_ptr<DisplayConfiguration> const& disp_config,
                          std::shared_ptr<RpcReport> const& rpc_report,
--                        std::shared_ptr<LifecycleControl> const& lifecycle_control);
++                        std::shared_ptr<LifecycleControl> const& lifecycle_control,
++                        std::shared_ptr<EventDistributor> const& event_distributor);
      MirSocketRpcChannel(int native_socket,
                          std::shared_ptr<SurfaceMap> const& surface_map,
                          std::shared_ptr<DisplayConfiguration> const& disp_config,
                          std::shared_ptr<RpcReport> const& rpc_report,
--                        std::shared_ptr<LifecycleControl> const& lifecycle_control);
++                        std::shared_ptr<LifecycleControl> const& lifecycle_control,
++                        std::shared_ptr<EventDistributor> const& event_distributor);
      ~MirSocketRpcChannel();
  private:
@@ -102,6 +105,7 @@
      std::shared_ptr<SurfaceMap> surface_map;
      std::shared_ptr<DisplayConfiguration> display_configuration;
      std::shared_ptr<LifecycleControl> lifecycle_control;
++    std::shared_ptr<EventDistributor> event_distributor;
      std::atomic<bool> disconnected;
  };
 === modified file 'src/server/default_server_configuration.cpp'
 --- src/server/default_server_configuration.cpp	2014-05-12 15:46:07 +0000
 +++ src/server/default_server_configuration.cpp	2014-05-15 13:19:23 +0000
@@ -36,6 +36,7 @@
  #include "mir/time/high_resolution_clock.h"
  #include "mir/geometry/rectangles.h"
  #include "mir/default_configuration.h"
++#include "mir/scene/null_trust_session_listener.h"
  #include <map>
@@ -87,6 +88,16 @@
          });
+ }
++std::shared_ptr<ms::TrustSessionListener>
++mir::DefaultServerConfiguration::the_trust_session_listener()
++{
++    return trust_session_listener(
++        [this]
++        {
++            return std::make_shared<ms::NullTrustSessionListener>();
++        });
++}
++
  std::shared_ptr<mi::CursorListener>
  mir::DefaultServerConfiguration::the_cursor_listener()
+ {
 === modified file 'src/server/frontend/protobuf_message_processor.cpp'
 --- src/server/frontend/protobuf_message_processor.cpp	2014-05-13 11:59:40 +0000
 +++ src/server/frontend/protobuf_message_processor.cpp	2014-05-15 13:19:23 +0000
@@ -187,6 +187,18 @@
+         {
              invoke(this, display_server.get(), &protobuf::DisplayServer::new_fds_for_trusted_clients, invocation);
+         }
++        else if ("start_trust_session" == invocation.method_name())
++        {
++            invoke(this, display_server.get(), &protobuf::DisplayServer::start_trust_session, invocation);
++        }
++        else if ("add_trusted_session" == invocation.method_name())
++        {
++            invoke(this, display_server.get(), &protobuf::DisplayServer::add_trusted_session, invocation);
++        }
++        else if ("stop_trust_session" == invocation.method_name())
++        {
++            invoke(this, display_server.get(), &protobuf::DisplayServer::stop_trust_session, invocation);
++        }
          else if ("disconnect" == invocation.method_name())
+         {
              invoke(this, display_server.get(), &DisplayServer::disconnect, invocation);
 === modified file 'src/server/frontend/session_mediator.cpp'
 --- src/server/frontend/session_mediator.cpp	2014-05-13 11:59:40 +0000
 +++ src/server/frontend/session_mediator.cpp	2014-05-15 13:19:23 +0000
@@ -40,6 +40,8 @@
  #include "mir/frontend/client_constants.h"
  #include "mir/frontend/event_sink.h"
  #include "mir/frontend/screencast.h"
++#include "mir/frontend/trust_session.h"
++#include "mir/scene/trust_session_creation_parameters.h"
  #include "mir/geometry/rectangles.h"
  #include "client_buffer_tracker.h"
@@ -422,7 +424,14 @@
  std::function<void(std::shared_ptr<mf::Session> const&)> mf::SessionMediator::trusted_connect_handler() const
+ {
--    return [](std::shared_ptr<frontend::Session> const&) {};
++    return [this](std::shared_ptr<frontend::Session> const& session)
++    {
++        auto trust_session = weak_trust_session.lock();
++        if (trust_session.get() == nullptr)
++            BOOST_THROW_EXCEPTION(std::logic_error("Invalid trust session"));
++
++        shell->add_trusted_session_for(trust_session, session->process_id());
++    };
+ }
  void mf::SessionMediator::configure_cursor(
@@ -448,7 +457,6 @@
          if (session.get() == nullptr)
              BOOST_THROW_EXCEPTION(std::logic_error("Invalid application session"));
--        // TODO write a handler that connects the new session to our trust session
          auto const connect_handler = trusted_connect_handler();
          auto const fds_requested = parameters->number();
@@ -506,6 +514,91 @@
      done->Run();
+ }
++void mf::SessionMediator::start_trust_session(::google::protobuf::RpcController*,
++    const ::mir::protobuf::TrustSessionParameters* request,
++    ::mir::protobuf::TrustSession* response,
++    ::google::protobuf::Closure* done)
++{
++    {
++        std::unique_lock<std::mutex> lock(session_mutex);
++        auto session = weak_session.lock();
++
++        if (session.get() == nullptr)
++            BOOST_THROW_EXCEPTION(std::logic_error("Invalid application session"));
++
++        ms::TrustSessionCreationParameters parameters;
++        parameters.set_base_process_id(request->base_trusted_session().pid());
++
++        std::ostringstream stream;
++        stream << "process id: " << parameters.base_process_id;
++        report->session_start_trust_session_called(session->name(), stream.str());
++
++        auto current_trust_session = weak_trust_session.lock();
++        if (current_trust_session.get() != nullptr)
++            BOOST_THROW_EXCEPTION(std::runtime_error("Cannot start another trust session"));
++
++        auto trust_session = shell->start_trust_session_for(session, parameters);
++        weak_trust_session = trust_session;
++
++        if (trust_session)
++        {
++            response->set_state(trust_session->get_state());
++        }
++    }
++    done->Run();
++}
++
++void mf::SessionMediator::add_trusted_session(::google::protobuf::RpcController*,
++    const ::mir::protobuf::TrustedSession* request,
++    ::mir::protobuf::TrustSessionAddResult* response,
++    ::google::protobuf::Closure* done)
++{
++    {
++        std::unique_lock<std::mutex> lock(session_mutex);
++        auto session = weak_session.lock();
++
++        if (session.get() == nullptr)
++            BOOST_THROW_EXCEPTION(std::logic_error("Invalid application session"));
++
++        auto trust_session = weak_trust_session.lock();
++
++        if (trust_session.get() == nullptr)
++            BOOST_THROW_EXCEPTION(std::logic_error("Invalid trust session"));
++
++        std::ostringstream stream;
++        stream << "process id: " << request->pid();
++        report->session_add_trusted_session_called(session->name(), stream.str());
++
++        response->set_result(shell->add_trusted_session_for(trust_session, request->pid()));
++    }
++    done->Run();
++}
++
++void mf::SessionMediator::stop_trust_session(::google::protobuf::RpcController*,
++    const ::mir::protobuf::Void*,
++    ::mir::protobuf::Void*,
++    ::google::protobuf::Closure* done)
++{
++    {
++        std::unique_lock<std::mutex> lock(session_mutex);
++        auto session = weak_session.lock();
++
++        if (session.get() == nullptr)
++            BOOST_THROW_EXCEPTION(std::logic_error("Invalid application session"));
++
++        auto trust_session = weak_trust_session.lock();
++        weak_trust_session.reset();
++
++        if (trust_session.get() == nullptr)
++            BOOST_THROW_EXCEPTION(std::logic_error("Invalid trusted session"));
++
++        report->session_stop_trust_session_called(session->name());
++
++        shell->stop_trust_session(trust_session);
++    }
++    done->Run();
++}
++
  void mf::SessionMediator::pack_protobuf_buffer(
      protobuf::Buffer& protobuf_buffer,
      graphics::Buffer* graphics_buffer,
 === modified file 'src/server/frontend/session_mediator.h'
 --- src/server/frontend/session_mediator.h	2014-05-13 11:59:40 +0000
 +++ src/server/frontend/session_mediator.h	2014-05-15 13:19:23 +0000
@@ -53,6 +53,7 @@
  class EventSink;
  class DisplayChanger;
  class Screencast;
++class TrustSession;
  // SessionMediator relays requests from the client process into the server.
  class SessionMediator : public detail::DisplayServer
@@ -131,6 +132,21 @@
                            mir::protobuf::Void*,
                            google::protobuf::Closure* done);
++    void start_trust_session(::google::protobuf::RpcController* controller,
++                            const ::mir::protobuf::TrustSessionParameters* request,
++                            ::mir::protobuf::TrustSession* response,
++                            ::google::protobuf::Closure* done);
++
++    void add_trusted_session(::google::protobuf::RpcController* controller,
++                             const ::mir::protobuf::TrustedSession* request,
++                             ::mir::protobuf::TrustSessionAddResult* response,
++                             ::google::protobuf::Closure* done);
++
++    void stop_trust_session(::google::protobuf::RpcController* controller,
++                            const ::mir::protobuf::Void* request,
++                            ::mir::protobuf::Void* response,
++                            ::google::protobuf::Closure* done);
++
      /* Platform specific requests */
      void drm_auth_magic(google::protobuf::RpcController* controller,
                          const mir::protobuf::DRMMagic* request,
@@ -169,6 +185,7 @@
      std::mutex session_mutex;
      std::weak_ptr<Session> weak_session;
++    std::weak_ptr<TrustSession> weak_trust_session;
      ConnectionContext const connection_context;
  };
 === modified file 'src/server/report/logging/session_mediator_report.cpp'
 --- src/server/report/logging/session_mediator_report.cpp	2014-03-06 06:05:17 +0000
 +++ src/server/report/logging/session_mediator_report.cpp	2014-05-15 13:19:23 +0000
@@ -73,6 +73,21 @@
      log->log(ml::Logger::informational, "session_configure_display_called(\"" + app_name + "\")", component);
+ }
++void mrl::SessionMediatorReport::session_start_trust_session_called(std::string const& app_name, std::string const& trust_info)
++{
++    log->log(ml::Logger::informational, "session_start_trust_session_called(\"" + app_name + "\"):\n" + trust_info, component);
++}
++
++void mrl::SessionMediatorReport::session_add_trusted_session_called(std::string const& app_name, std::string const& trust_info)
++{
++    log->log(ml::Logger::informational, "session_add_trusted_session_called(\"" + app_name + "\"):\n" + trust_info, component);
++}
++
++void mrl::SessionMediatorReport::session_stop_trust_session_called(std::string const& app_name)
++{
++    log->log(ml::Logger::informational, "session_stop_trust_session_called(\"" + app_name + "\")", component);
++}
++
  void mrl::SessionMediatorReport::session_error(
          std::string const& app_name,
          char const* method,
 === modified file 'src/server/report/logging/session_mediator_report.h'
 --- src/server/report/logging/session_mediator_report.h	2014-03-06 06:05:17 +0000
 +++ src/server/report/logging/session_mediator_report.h	2014-05-15 13:19:23 +0000
@@ -57,6 +57,12 @@
      virtual void session_configure_display_called(std::string const& app_name);
++    virtual void session_start_trust_session_called(std::string const& app_name, std::string const& trust_info);
++
++    virtual void session_add_trusted_session_called(std::string const& app_name, std::string const& trust_info);
++
++    virtual void session_stop_trust_session_called(std::string const& app_name);
++
      virtual void session_error(
          std::string const& app_name,
          char const* method,
 === modified file 'src/server/report/lttng/session_mediator_report.cpp'
 --- src/server/report/lttng/session_mediator_report.cpp	2014-02-09 16:18:16 +0000
 +++ src/server/report/lttng/session_mediator_report.cpp	2014-05-15 13:19:23 +0000
@@ -38,6 +38,17 @@
  MIR_SESSION_MEDIATOR_EVENT_METHOD(session_drm_auth_magic_called)
  MIR_SESSION_MEDIATOR_EVENT_METHOD(session_configure_surface_called)
  MIR_SESSION_MEDIATOR_EVENT_METHOD(session_configure_display_called)
++MIR_SESSION_MEDIATOR_EVENT_METHOD(session_stop_trust_session_called)
++
++void mir::report::lttng::SessionMediatorReport::session_start_trust_session_called(std::string const& app_name, std::string const& trust_info)
++{
++    mir_tracepoint(mir_server_session_mediator, session_start_trust_session_called, app_name.c_str(), trust_info.c_str());
++}
++
++void mir::report::lttng::SessionMediatorReport::session_add_trusted_session_called(std::string const& app_name, std::string const& trust_info)
++{
++    mir_tracepoint(mir_server_session_mediator, session_add_trusted_session_called, app_name.c_str(), trust_info.c_str());
++}
  void mir::report::lttng::SessionMediatorReport::session_error(std::string const& app_name, char const* method, std::string const& what)
+ {
 === modified file 'src/server/report/lttng/session_mediator_report.h'
 --- src/server/report/lttng/session_mediator_report.h	2014-02-09 16:18:16 +0000
 +++ src/server/report/lttng/session_mediator_report.h	2014-05-15 13:19:23 +0000
@@ -41,6 +41,9 @@
      void session_drm_auth_magic_called(std::string const& app_name) override;
      void session_configure_surface_called(std::string const& app_name) override;
      void session_configure_display_called(std::string const& app_name) override;
++    void session_start_trust_session_called(std::string const& app_name, std::string const& trust_info) override;
++    void session_add_trusted_session_called(std::string const& app_name, std::string const& trust_info) override;
++    void session_stop_trust_session_called(std::string const& app_name) override;
      void session_error(std::string const& app_name, char const* method, std::string const& what) override;
  private:
 === modified file 'src/server/report/lttng/session_mediator_report_tp.h'
 --- src/server/report/lttng/session_mediator_report_tp.h	2014-02-03 11:44:32 +0000
 +++ src/server/report/lttng/session_mediator_report_tp.h	2014-05-15 13:19:23 +0000
@@ -47,6 +47,27 @@
  MIR_SESSION_MEDIATOR_EVENT(session_drm_auth_magic_called)
  MIR_SESSION_MEDIATOR_EVENT(session_configure_surface_called)
  MIR_SESSION_MEDIATOR_EVENT(session_configure_display_called)
++MIR_SESSION_MEDIATOR_EVENT(session_stop_trust_session_called)
++
++TRACEPOINT_EVENT(
++    mir_server_session_mediator,
++    session_start_trust_session_called,
++    TP_ARGS(char const*, application, char const*, trust_info),
++    TP_FIELDS(
++        ctf_string(application, application)
++        ctf_string(trust_info, trust_info)
++        )
++    )
++
++TRACEPOINT_EVENT(
++    mir_server_session_mediator,
++    session_add_trusted_session_called,
++    TP_ARGS(char const*, application, char const*, trust_info),
++    TP_FIELDS(
++        ctf_string(application, application)
++        ctf_string(trust_info, trust_info)
++        )
++    )
  TRACEPOINT_EVENT(
      mir_server_session_mediator,
 === modified file 'src/server/report/null/session_mediator_report.cpp'
 --- src/server/report/null/session_mediator_report.cpp	2014-03-06 06:05:17 +0000
 +++ src/server/report/null/session_mediator_report.cpp	2014-05-15 13:19:23 +0000
@@ -50,6 +50,18 @@
+ {
+ }
++void mir::report::null::SessionMediatorReport::session_start_trust_session_called(std::string const&, std::string const&)
++{
++}
++
++void mir::report::null::SessionMediatorReport::session_add_trusted_session_called(std::string const&, std::string const&)
++{
++}
++
++void mir::report::null::SessionMediatorReport::session_stop_trust_session_called(std::string const&)
++{
++}
++
  void mir::report::null::SessionMediatorReport::session_error(
          std::string const&,
          char const* ,
 === modified file 'src/server/report/null/session_mediator_report.h'
 --- src/server/report/null/session_mediator_report.h	2014-02-09 16:18:16 +0000
 +++ src/server/report/null/session_mediator_report.h	2014-05-15 13:19:23 +0000
@@ -51,6 +51,12 @@
      void session_configure_display_called(std::string const& app_name) override;
++    void session_start_trust_session_called(std::string const& app_name, std::string const& trust_info) override;
++
++    void session_add_trusted_session_called(std::string const& app_name, std::string const& trust_info) override;
++
++    void session_stop_trust_session_called(std::string const& app_name) override;
++
      void session_error(
          std::string const& app_name,
          char const* method,
 === modified file 'src/server/scene/CMakeLists.txt'
 --- src/server/scene/CMakeLists.txt	2014-05-06 03:33:05 +0000
 +++ src/server/scene/CMakeLists.txt	2014-05-15 13:19:23 +0000
@@ -20,4 +20,7 @@
    threaded_snapshot_strategy.cpp
    legacy_scene_change_notification.cpp
    legacy_surface_change_notification.cpp
++  trust_session_impl.cpp
++  trust_session_container.cpp
++  trust_session_creation_parameters.cpp
+ )
 === modified file 'src/server/scene/application_session.cpp'
 --- src/server/scene/application_session.cpp	2014-05-06 16:54:43 +0000
 +++ src/server/scene/application_session.cpp	2014-05-15 13:19:23 +0000
@@ -23,6 +23,7 @@
  #include "snapshot_strategy.h"
  #include "mir/scene/session_listener.h"
  #include "mir/frontend/event_sink.h"
++#include "default_session_container.h"
  #include <boost/throw_exception.hpp>
@@ -30,6 +31,7 @@
  #include <memory>
  #include <cassert>
  #include <algorithm>
++#include <cstring>
  namespace mf = mir::frontend;
  namespace ms = mir::scene;
@@ -181,3 +183,22 @@
+ {
      event_sink->handle_lifecycle_event(state);
+ }
++
++void ms::ApplicationSession::begin_trust_session()
++{
++    // All sessions which are part of the trust session get this event.
++    MirEvent start_event;
++    memset(&start_event, 0, sizeof start_event);
++    start_event.type = mir_event_type_trust_session_state_change;
++    start_event.trust_session.new_state = mir_trust_session_state_started;
++    event_sink->handle_event(start_event);
++}
++
++void ms::ApplicationSession::end_trust_session()
++{
++    MirEvent stop_event;
++    memset(&stop_event, 0, sizeof stop_event);
++    stop_event.type = mir_event_type_trust_session_state_change;
++    stop_event.trust_session.new_state = mir_trust_session_state_stopped;
++    event_sink->handle_event(stop_event);
++}
 === modified file 'src/server/scene/application_session.h'
 --- src/server/scene/application_session.h	2014-05-06 16:54:43 +0000
 +++ src/server/scene/application_session.h	2014-05-15 13:19:23 +0000
@@ -71,6 +71,9 @@
      void set_lifecycle_state(MirLifecycleState state);
++    void begin_trust_session() override;
++    void end_trust_session() override;
++
  protected:
      ApplicationSession(ApplicationSession const&) = delete;
      ApplicationSession& operator=(ApplicationSession const&) = delete;
 === modified file 'src/server/scene/default_configuration.cpp'
 --- src/server/scene/default_configuration.cpp	2014-05-12 15:46:07 +0000
 +++ src/server/scene/default_configuration.cpp	2014-05-15 13:19:23 +0000
@@ -24,12 +24,12 @@
  #include "mir/abnormal_exit.h"
  #include "mir/scene/session.h"
++#include "session_container.h"
  #include "broadcasting_session_event_sink.h"
  #include "default_session_container.h"
  #include "gl_pixel_buffer.h"
  #include "global_event_sender.h"
  #include "mediating_display_changer.h"
--#include "session_container.h"
  #include "session_manager.h"
  #include "surface_allocator.h"
  #include "surface_controller.h"
@@ -169,7 +169,8 @@
                  the_shell_focus_setter(),
                  the_snapshot_strategy(),
                  the_session_event_sink(),
--                the_session_listener());
++                the_session_listener(),
++                the_trust_session_listener());
          });
+ }
 === modified file 'src/server/scene/session_manager.cpp'
 --- src/server/scene/session_manager.cpp	2014-04-15 05:31:19 +0000
 +++ src/server/scene/session_manager.cpp	2014-05-15 13:19:23 +0000
@@ -24,6 +24,12 @@
  #include "mir/scene/session.h"
  #include "mir/scene/session_listener.h"
  #include "session_event_sink.h"
++#include "mir/scene/trust_session_creation_parameters.h"
++#include "trust_session_impl.h"
++#include "trust_session_container.h"
++#include "mir/scene/trust_session_listener.h"
++
++#include <boost/throw_exception.hpp>
  #include <memory>
  #include <cassert>
@@ -38,13 +44,16 @@
      std::shared_ptr<msh::FocusSetter> const& focus_setter,
      std::shared_ptr<SnapshotStrategy> const& snapshot_strategy,
      std::shared_ptr<SessionEventSink> const& session_event_sink,
--    std::shared_ptr<SessionListener> const& session_listener) :
++    std::shared_ptr<SessionListener> const& session_listener,
++    std::shared_ptr<TrustSessionListener> const& trust_session_listener) :
      surface_coordinator(surface_factory),
      app_container(container),
      focus_setter(focus_setter),
      snapshot_strategy(snapshot_strategy),
      session_event_sink(session_event_sink),
--    session_listener(session_listener)
++    session_listener(session_listener),
++    trust_session_listener(trust_session_listener),
++    trust_session_container(std::make_shared<TrustSessionContainer>())
+ {
      assert(surface_factory);
      assert(container);
@@ -85,6 +94,16 @@
      session_listener->starting(new_session);
++    {
++        trust_session_container->for_each_trust_session_for_process(client_pid,
++            [client_pid, new_session](std::shared_ptr<frontend::TrustSession> const& trust_session)
++            {
++                auto scene_trust_session = std::dynamic_pointer_cast<ms::TrustSession>(trust_session);
++
++                scene_trust_session->add_trusted_child(new_session);
++            });
++    }
++
      set_focus_to(new_session);
      return new_session;
@@ -122,12 +141,45 @@
      scene_session->force_requests_to_complete();
      session_event_sink->handle_session_stopping(scene_session);
++
++    {
++        std::unique_lock<std::mutex> lock(trust_sessions_mutex);
++
++        std::vector<std::shared_ptr<frontend::TrustSession>> trust_sessions;
++        trust_session_container->for_each_trust_session_for_process(scene_session->process_id(),
++            [&](std::shared_ptr<frontend::TrustSession> const& trust_session)
++            {
++                trust_sessions.push_back(trust_session);
++            });
++
++        for(auto trust_session : trust_sessions)
++        {
++            auto scene_trust_session = std::dynamic_pointer_cast<ms::TrustSession>(trust_session);
++
++            if (scene_trust_session->get_trusted_helper().lock() == scene_session)
++            {
++                stop_trust_session_locked(lock, scene_trust_session);
++            }
++            else
++            {
++                scene_trust_session->remove_trusted_child(scene_session);
++
++                trust_session_container->remove_process(scene_session->process_id());
++            }
++        }
++    }
++
      session_listener->stopping(scene_session);
      app_container->remove_session(scene_session);
      std::unique_lock<std::mutex> lock(mutex);
--    set_focus_to_locked(lock, app_container->successor_of(std::shared_ptr<Session>()));
++    auto old_focus = focus_application.lock();
++    if (old_focus == scene_session)
++    {
++        // only reset the focus if this session had focus
++        set_focus_to_locked(lock, app_container->successor_of(std::shared_ptr<ms::Session>()));
++    }
+ }
  void ms::SessionManager::focus_next()
@@ -169,3 +221,73 @@
+ {
      set_focus_to(std::dynamic_pointer_cast<Session>(session));
+ }
++
++std::shared_ptr<mf::TrustSession> ms::SessionManager::start_trust_session_for(std::shared_ptr<mf::Session> const& session,
++    TrustSessionCreationParameters const& params)
++{
++    std::unique_lock<std::mutex> lock(trust_sessions_mutex);
++
++    auto shell_session = std::dynamic_pointer_cast<ms::Session>(session);
++
++    auto const trust_session = std::make_shared<TrustSessionImpl>(shell_session, params, trust_session_listener);
++
++    trust_session_container->insert(trust_session, shell_session->process_id());
++
++    trust_session->start();
++    trust_session_listener->starting(trust_session);
++
++    add_trusted_session_for_locked(lock, trust_session, params.base_process_id);
++    return trust_session;
++}
++
++MirTrustSessionAddTrustResult ms::SessionManager::add_trusted_session_for(std::shared_ptr<mf::TrustSession> const& trust_session,
++    pid_t session_pid)
++{
++    std::unique_lock<std::mutex> lock(trust_sessions_mutex);
++
++    return add_trusted_session_for_locked(lock, trust_session, session_pid);
++}
++
++MirTrustSessionAddTrustResult ms::SessionManager::add_trusted_session_for_locked(std::unique_lock<std::mutex> const&,
++    std::shared_ptr<mf::TrustSession> const& trust_session,
++    pid_t session_pid)
++{
++    auto scene_trust_session = std::dynamic_pointer_cast<ms::TrustSession>(trust_session);
++
++    if (!trust_session_container->insert(trust_session, session_pid))
++    {
++        // TODO - remove comment once we have pid update for child fd created sessions.
++        // BOOST_THROW_EXCEPTION(std::runtime_error("failed to add trusted session"));
++    }
++
++    app_container->for_each(
++        [&](std::shared_ptr<ms::Session> const& container_session)
++        {
++            if (container_session->process_id() == session_pid)
++            {
++                scene_trust_session->add_trusted_child(container_session);
++            }
++        });
++
++    return mir_trust_session_add_tust_succeeded;
++}
++
++void ms::SessionManager::stop_trust_session(std::shared_ptr<mf::TrustSession> const& trust_session)
++{
++    std::unique_lock<std::mutex> lock(trust_sessions_mutex);
++
++    stop_trust_session_locked(lock, trust_session);
++}
++
++void ms::SessionManager::stop_trust_session_locked(std::unique_lock<std::mutex> const&,
++    std::shared_ptr<mf::TrustSession> const& trust_session)
++{
++    auto scene_trust_session = std::dynamic_pointer_cast<ms::TrustSession>(trust_session);
++
++    trust_session->stop();
++
++    trust_session_container->remove_trust_session(trust_session);
++
++    trust_session_listener->stopping(scene_trust_session);
++}
++
 === modified file 'src/server/scene/session_manager.h'
 --- src/server/scene/session_manager.h	2014-04-15 05:31:19 +0000
 +++ src/server/scene/session_manager.h	2014-05-15 13:19:23 +0000
@@ -26,6 +26,7 @@
  #include <mutex>
  #include <memory>
  #include <vector>
++#include <map>
  namespace mir
+ {
@@ -42,6 +43,8 @@
  class SessionListener;
  class SnapshotStrategy;
  class SurfaceCoordinator;
++class TrustSessionContainer;
++class TrustSessionListener;
  class SessionManager : public frontend::Shell, public shell::FocusController
+ {
@@ -51,7 +54,8 @@
                              std::shared_ptr<shell::FocusSetter> const& focus_setter,
                              std::shared_ptr<SnapshotStrategy> const& snapshot_strategy,
                              std::shared_ptr<SessionEventSink> const& session_event_sink,
--                            std::shared_ptr<SessionListener> const& session_listener);
++                            std::shared_ptr<SessionListener> const& session_listener,
++                            std::shared_ptr<TrustSessionListener> const& trust_session_listener);
      virtual ~SessionManager();
      virtual std::shared_ptr<frontend::Session> open_session(
@@ -71,6 +75,12 @@
      void handle_surface_created(std::shared_ptr<frontend::Session> const& session) override;
++    std::shared_ptr<frontend::TrustSession> start_trust_session_for(std::shared_ptr<frontend::Session> const& session,
++                                                  TrustSessionCreationParameters const& params) override;
++    MirTrustSessionAddTrustResult add_trusted_session_for(std::shared_ptr<frontend::TrustSession> const& trust_session,
++                                                          pid_t session_pid) override;
++    void stop_trust_session(std::shared_ptr<frontend::TrustSession> const& trust_session) override;
++
  protected:
      SessionManager(const SessionManager&) = delete;
      SessionManager& operator=(const SessionManager&) = delete;
@@ -82,11 +92,20 @@
      std::shared_ptr<SnapshotStrategy> const snapshot_strategy;
      std::shared_ptr<SessionEventSink> const session_event_sink;
      std::shared_ptr<SessionListener> const session_listener;
++    std::shared_ptr<TrustSessionListener> const trust_session_listener;
++    std::shared_ptr<TrustSessionContainer> trust_session_container;
      std::mutex mutex;
      std::weak_ptr<Session> focus_application;
      void set_focus_to_locked(std::unique_lock<std::mutex> const& lock, std::shared_ptr<Session> const& next_focus);
++
++    MirTrustSessionAddTrustResult add_trusted_session_for_locked(std::unique_lock<std::mutex> const&,
++                                                                 std::shared_ptr<frontend::TrustSession> const& trust_session,
++                                                                 pid_t session_pid);
++    void stop_trust_session_locked(std::unique_lock<std::mutex> const& lock,
++                                   std::shared_ptr<frontend::TrustSession> const& trust_session);
++    std::mutex mutable trust_sessions_mutex;
  };
+ }
 === added file 'src/server/scene/trust_session_container.cpp'
 --- src/server/scene/trust_session_container.cpp	1970-01-01 00:00:00 +0000
 +++ src/server/scene/trust_session_container.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,95 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#include "trust_session_container.h"
++
++namespace ms = mir::scene;
++namespace mf = mir::frontend;
++
++uint insertion_order = 0;
++
++ms::TrustSessionContainer::TrustSessionContainer()
++    : trust_session_index(process_map)
++    , process_index(get<1>(process_map))
++{
++}
++
++bool ms::TrustSessionContainer::insert(std::shared_ptr<mf::TrustSession> const& trust_session, ClientProcess const& process)
++{
++    std::unique_lock<std::mutex> lk(mutex);
++
++    object_by_trust_session::iterator it;
++    bool valid = false;
++
++    Object obj{trust_session, process, insertion_order++};
++    boost::tie(it,valid) = process_map.insert(obj);
++
++    return valid;
++}
++
++void ms::TrustSessionContainer::for_each_process_for_trust_session(
++    std::shared_ptr<mf::TrustSession> const& trust_session,
++    std::function<void(ClientProcess const& id)> f)
++{
++    std::unique_lock<std::mutex> lk(mutex);
++
++    object_by_trust_session::iterator it,end;
++    boost::tie(it,end) = trust_session_index.equal_range(trust_session);
++
++    for (; it != end; ++it)
++    {
++        Object const& obj = *it;
++        f(obj.client_process);
++    }
++}
++
++void ms::TrustSessionContainer::for_each_trust_session_for_process(
++    ClientProcess const& process,
++    std::function<void(std::shared_ptr<mf::TrustSession> const&)> f)
++{
++    std::unique_lock<std::mutex> lk(mutex);
++
++    object_by_process::iterator it,end;
++    boost::tie(it,end) = process_index.equal_range(process);
++
++    for (; it != end; ++it)
++    {
++        Object const& obj = *it;
++        f(obj.trust_session);
++    }
++}
++
++void ms::TrustSessionContainer::remove_trust_session(std::shared_ptr<frontend::TrustSession> const& trust_session)
++{
++    std::unique_lock<std::mutex> lk(mutex);
++
++    object_by_trust_session::iterator it,end;
++    boost::tie(it,end) = trust_session_index.equal_range(trust_session);
++
++    trust_session_index.erase(it, end);
++}
++
++void ms::TrustSessionContainer::remove_process(ClientProcess const& process)
++{
++    std::unique_lock<std::mutex> lk(mutex);
++
++    object_by_process::iterator it,end;
++    boost::tie(it,end) = process_index.equal_range(process);
++
++    process_index.erase(it, end);
++}
 === added file 'src/server/scene/trust_session_container.h'
 --- src/server/scene/trust_session_container.h	1970-01-01 00:00:00 +0000
 +++ src/server/scene/trust_session_container.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,103 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_SCENE_TRUST_SESSION_CONTAINER_H_
++#define MIR_SCENE_TRUST_SESSION_CONTAINER_H_
++
++#include <sys/types.h>
++#include <mutex>
++#include <map>
++
++#include <boost/multi_index_container.hpp>
++#include <boost/multi_index/member.hpp>
++#include <boost/multi_index/ordered_index.hpp>
++#include <boost/multi_index/hashed_index.hpp>
++#include <boost/multi_index/composite_key.hpp>
++
++namespace mir
++{
++namespace frontend
++{
++class TrustSession;
++class Session;
++}
++
++using boost::multi_index_container;
++using namespace boost::multi_index;
++
++namespace scene
++{
++
++class TrustSessionContainer
++{
++public:
++    TrustSessionContainer();
++    virtual ~TrustSessionContainer() = default;
++
++    typedef pid_t ClientProcess;
++
++    bool insert(std::shared_ptr<frontend::TrustSession> const& trust_session, ClientProcess const& process);
++
++    void for_each_process_for_trust_session(std::shared_ptr<frontend::TrustSession> const& trust_session, std::function<void(ClientProcess const&)> f);
++    void for_each_trust_session_for_process(ClientProcess const& process, std::function<void(std::shared_ptr<frontend::TrustSession> const&)> f);
++
++    void remove_trust_session(std::shared_ptr<frontend::TrustSession> const& trust_session);
++    void remove_process(ClientProcess const& process);
++
++private:
++    std::mutex mutable mutex;
++
++    typedef struct {
++        std::shared_ptr<frontend::TrustSession> trust_session;
++        ClientProcess client_process;
++        uint insert_order;
++    } Object;
++
++    typedef multi_index_container<
++        Object,
++        indexed_by<
++            ordered_non_unique<
++                composite_key<
++                    Object,
++                    member<Object, std::shared_ptr<frontend::TrustSession>, &Object::trust_session>,
++                    member<Object, uint, &Object::insert_order>
++                >
++            >,
++            ordered_unique<
++                composite_key<
++                    Object,
++                    member<Object, ClientProcess, &Object::client_process>,
++                    member<Object, std::shared_ptr<frontend::TrustSession>, &Object::trust_session>
++                >
++            >
++        >
++    > TrustSessionsProcesses;
++
++    typedef nth_index<TrustSessionsProcesses,0>::type object_by_trust_session;
++    typedef nth_index<TrustSessionsProcesses,1>::type object_by_process;
++
++
++    TrustSessionsProcesses process_map;
++    object_by_trust_session& trust_session_index;
++    object_by_process& process_index;
++};
++
++}
++}
++
++#endif // MIR_SCENE_TRUST_SESSION_CONTAINER_H_
 === added file 'src/server/scene/trust_session_creation_parameters.cpp'
 --- src/server/scene/trust_session_creation_parameters.cpp	1970-01-01 00:00:00 +0000
 +++ src/server/scene/trust_session_creation_parameters.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,51 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#include "mir/scene/trust_session_creation_parameters.h"
++
++namespace ms = mir::scene;
++
++ms::TrustSessionCreationParameters::TrustSessionCreationParameters()
++    : base_process_id(0)
++{
++}
++
++ms::TrustSessionCreationParameters& ms::TrustSessionCreationParameters::set_base_process_id(pid_t process_id)
++{
++    base_process_id = process_id;
++    return *this;
++}
++
++bool ms::operator==(
++    const TrustSessionCreationParameters& lhs,
++    const TrustSessionCreationParameters& rhs)
++{
++    return lhs.base_process_id == rhs.base_process_id;
++}
++
++bool ms::operator!=(
++    const TrustSessionCreationParameters& lhs,
++    const TrustSessionCreationParameters& rhs)
++{
++    return !(lhs == rhs);
++}
++
++ms::TrustSessionCreationParameters ms::a_trust_session()
++{
++    return TrustSessionCreationParameters();
++}
 === added file 'src/server/scene/trust_session_impl.cpp'
 --- src/server/scene/trust_session_impl.cpp	1970-01-01 00:00:00 +0000
 +++ src/server/scene/trust_session_impl.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,175 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#include "trust_session_impl.h"
++#include "mir/scene/session.h"
++#include "mir/scene/trust_session_creation_parameters.h"
++#include "mir/scene/trust_session_listener.h"
++#include "session_container.h"
++
++#include <sstream>
++#include <algorithm>
++
++namespace ms = mir::scene;
++
++int next_unique_id = 0;
++
++ms::TrustSessionImpl::TrustSessionImpl(
++    std::weak_ptr<ms::Session> const& session,
++    TrustSessionCreationParameters const&,
++    std::shared_ptr<TrustSessionListener> const& trust_session_listener) :
++    trusted_helper(session),
++    trust_session_listener(trust_session_listener),
++    state(mir_trust_session_state_stopped)
++{
++}
++
++ms::TrustSessionImpl::~TrustSessionImpl()
++{
++    TrustSessionImpl::stop();
++}
++
++MirTrustSessionState ms::TrustSessionImpl::get_state() const
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    return state;
++}
++
++std::weak_ptr<ms::Session> ms::TrustSessionImpl::get_trusted_helper() const
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    return trusted_helper;
++}
++
++void ms::TrustSessionImpl::start()
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    if (state == mir_trust_session_state_started)
++        return;
++
++    state = mir_trust_session_state_started;
++
++    auto helper = trusted_helper.lock();
++    if (helper) {
++        helper->begin_trust_session();
++    }
++}
++
++void ms::TrustSessionImpl::stop()
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    if (state == mir_trust_session_state_stopped)
++        return;
++
++    state = mir_trust_session_state_stopped;
++
++    auto helper = trusted_helper.lock();
++    if (helper) {
++        helper->end_trust_session();
++    }
++
++    std::vector<std::shared_ptr<ms::Session>> children;
++    {
++        std::lock_guard<decltype(mutex_children)> child_lock(mutex_children);
++
++        for (auto rit = trusted_children.rbegin(); rit != trusted_children.rend(); ++rit)
++        {
++            auto session = (*rit).lock();
++            if (session)
++            {
++                children.push_back(session);
++            }
++        }
++        trusted_children.clear();
++    }
++
++    for (auto session : children)
++    {
++        trust_session_listener->trusted_session_ending(*this, session);
++    }
++}
++
++bool ms::TrustSessionImpl::add_trusted_child(std::shared_ptr<ms::Session> const& session)
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    if (state == mir_trust_session_state_stopped)
++        return false;
++
++    {
++        std::lock_guard<decltype(mutex_children)> child_lock(mutex_children);
++
++        if (std::find_if(trusted_children.begin(), trusted_children.end(),
++                [session](std::weak_ptr<ms::Session> const& child)
++                {
++                    return child.lock() == session;
++                }) != trusted_children.end())
++        {
++            return false;
++        }
++
++        trusted_children.push_back(session);
++    }
++
++    trust_session_listener->trusted_session_beginning(*this, session);
++    return true;
++}
++
++void ms::TrustSessionImpl::remove_trusted_child(std::shared_ptr<ms::Session> const& session)
++{
++    std::lock_guard<decltype(mutex)> lock(mutex);
++
++    if (state == mir_trust_session_state_stopped)
++        return;
++
++    bool found = false;
++    {
++        std::lock_guard<decltype(mutex_children)> child_lock(mutex_children);
++
++        for (auto it = trusted_children.begin(); it != trusted_children.end(); ++it)
++        {
++            auto trusted_child = (*it).lock();
++            if (trusted_child && trusted_child == session) {
++                found = true;
++                trusted_children.erase(it);
++                break;
++            }
++        }
++    }
++
++    if (found)
++    {
++        trust_session_listener->trusted_session_ending(*this, session);
++    }
++}
++
++void ms::TrustSessionImpl::for_each_trusted_child(
++    std::function<void(std::shared_ptr<ms::Session> const&)> f) const
++{
++    std::lock_guard<decltype(mutex_children)> child_lock(mutex_children);
++
++    for (auto it = trusted_children.begin(); it != trusted_children.end(); ++it)
++    {
++        if (auto trusted_child = (*it).lock())
++            f(trusted_child);
++    }
++}
 === added file 'src/server/scene/trust_session_impl.h'
 --- src/server/scene/trust_session_impl.h	1970-01-01 00:00:00 +0000
 +++ src/server/scene/trust_session_impl.h	2014-05-15 13:19:23 +0000
@@ -0,0 +1,74 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#ifndef MIR_SCENE_TRUST_SESSION_IMPL_H_
++#define MIR_SCENE_TRUST_SESSION_IMPL_H_
++
++#include "mir/scene/trust_session.h"
++
++#include <vector>
++#include <atomic>
++#include <mutex>
++
++namespace mir
++{
++
++namespace scene
++{
++class SessionContainer;
++class TrustSessionCreationParameters;
++class TrustSessionListener;
++
++class TrustSessionImpl : public TrustSession
++{
++public:
++    TrustSessionImpl(std::weak_ptr<Session> const& session,
++                 TrustSessionCreationParameters const& parameters,
++                 std::shared_ptr<TrustSessionListener> const& trust_session_listener);
++    ~TrustSessionImpl();
++
++    MirTrustSessionState get_state() const override;
++    std::weak_ptr<Session> get_trusted_helper() const override;
++
++    void start() override;
++    void stop() override;
++
++    bool add_trusted_child(std::shared_ptr<Session> const& session);
++    void remove_trusted_child(std::shared_ptr<Session> const& session);
++    void for_each_trusted_child(std::function<void(std::shared_ptr<Session> const&)> f) const;
++
++protected:
++    TrustSessionImpl(const TrustSessionImpl&) = delete;
++    TrustSessionImpl& operator=(const TrustSessionImpl&) = delete;
++
++private:
++    std::weak_ptr<Session> const trusted_helper;
++    std::shared_ptr<TrustSessionListener> const trust_session_listener;
++    MirTrustSessionState state;
++    std::string cookie;
++    std::mutex mutable mutex;
++
++    std::mutex mutable mutex_children;
++    std::vector<pid_t> client_processes;
++    std::vector<std::weak_ptr<Session>> trusted_children;
++};
++
++}
++}
++
++#endif // MIR_SCENE_TRUST_SESSION_H_
 === modified file 'src/shared/protobuf/mir_protobuf.proto'
 --- src/shared/protobuf/mir_protobuf.proto	2014-05-09 19:52:44 +0000
 +++ src/shared/protobuf/mir_protobuf.proto	2014-05-15 13:19:23 +0000
@@ -100,7 +100,7 @@
    optional int32 pixel_format = 4;
    optional int32 buffer_usage = 5;
    optional Buffer buffer = 6;
--
++
    repeated sint32 fd = 7;
    optional int32 fds_on_side_channel = 8;
@@ -185,7 +185,6 @@
    required int32 number = 1;
+ }
--
  message SocketFD {
    repeated sint32 fd = 1;
    optional int32  fds_on_side_channel = 2;
@@ -193,6 +192,24 @@
    optional string error = 127;
+ }
++message TrustedSession {
++  required int32 pid = 1;
++}
++
++message TrustSessionParameters {
++  required TrustedSession base_trusted_session = 1;
++}
++
++message TrustSession {
++  optional uint32 state = 1;
++  optional string error = 127;
++}
++
++message TrustSessionAddResult {
++  optional int32 result = 1;
++  optional string error = 127;
++}
++
  service DisplayServer {
    // Platform independent requests
    rpc connect(ConnectParameters) returns (Connection);
@@ -215,4 +232,8 @@
    rpc configure_cursor(CursorSetting) returns (Void);
    rpc new_fds_for_trusted_clients(SocketFDRequest) returns (SocketFD);
++
++  rpc start_trust_session(TrustSessionParameters) returns (TrustSession);
++  rpc add_trusted_session(TrustedSession) returns (TrustSessionAddResult);
++  rpc stop_trust_session(Void) returns (Void);
+ }
 === modified file 'tests/acceptance-tests/CMakeLists.txt'
 --- tests/acceptance-tests/CMakeLists.txt	2014-05-09 19:52:44 +0000
 +++ tests/acceptance-tests/CMakeLists.txt	2014-05-15 13:19:23 +0000
@@ -28,6 +28,7 @@
    test_surfaces_with_output_id.cpp
    test_server_disconnect.cpp
    test_client_library_drm.cpp
++  test_client_trust_session_api.cpp
    test_protobuf.cpp
    test_client_screencast.cpp
    test_client_surface_swap_buffers.cpp
 === added file 'tests/acceptance-tests/test_client_trust_session_api.cpp'
 --- tests/acceptance-tests/test_client_trust_session_api.cpp	1970-01-01 00:00:00 +0000
 +++ tests/acceptance-tests/test_client_trust_session_api.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,106 @@
++/*
++ * Copyright © 2013 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#include "mir_test_framework/display_server_test_fixture.h"
++
++#include "mir_toolkit/mir_client_library.h"
++#include "mir_toolkit/mir_trust_session.h"
++
++#include <gtest/gtest.h>
++
++namespace mtf = mir_test_framework;
++
++namespace
++{
++    char const* const mir_test_socket = mtf::test_socket_file().c_str();
++}
++
++using MirClientTrustSessionAPITest = DefaultDisplayServerTestFixture;
++
++namespace mir
++{
++namespace
++{
++struct ClientConfigCommon : TestingClientConfiguration
++{
++    ClientConfigCommon()
++        : connection(0)
++        , trust_session(0)
++        , started(0)
++        , stopped(0)
++    {
++    }
++
++    static void connection_callback(MirConnection * connection, void * context)
++    {
++        ClientConfigCommon * config = reinterpret_cast<ClientConfigCommon *>(context);
++        config->connection = connection;
++    }
++
++    virtual void connected(MirConnection * new_connection)
++    {
++        connection = new_connection;
++    }
++
++    static void trust_session_start_callback(MirTrustSession * session, void * context)
++    {
++        ClientConfigCommon * config = reinterpret_cast<ClientConfigCommon *>(context);
++        config->trust_session = session;
++        config->started++;
++    }
++
++    static void trust_session_stop_callback(MirTrustSession * /* session */, void * context)
++    {
++        ClientConfigCommon * config = reinterpret_cast<ClientConfigCommon *>(context);
++        config->stopped++;
++    }
++
++    MirConnection* connection;
++    MirTrustSession* trust_session;
++    int started;
++    int stopped;
++};
++}
++
++TEST_F(MirClientTrustSessionAPITest, client_trust_session_api)
++{
++    struct ClientConfig : ClientConfigCommon
++    {
++        void exec()
++        {
++            mir_wait_for(mir_connect(mir_test_socket, __PRETTY_FUNCTION__, connection_callback, this));
++
++            ASSERT_TRUE(connection != NULL);
++            EXPECT_TRUE(mir_connection_is_valid(connection));
++            EXPECT_STREQ("", mir_connection_get_error_message(connection));
++
++            mir_wait_for(mir_connection_start_trust_session(connection, __LINE__, trust_session_start_callback, NULL, this));
++            ASSERT_TRUE(trust_session != NULL);
++            EXPECT_EQ(started, 1);
++
++            mir_wait_for(mir_trust_session_stop(trust_session, trust_session_stop_callback, this));
++            EXPECT_EQ(stopped, 1);
++
++            mir_connection_release(connection);
++        }
++    } client_config;
++
++    launch_client_process(client_config);
++}
++
++}
 === modified file 'tests/acceptance-tests/test_nested_mir.cpp'
 --- tests/acceptance-tests/test_nested_mir.cpp	2014-03-06 06:05:17 +0000
 +++ tests/acceptance-tests/test_nested_mir.cpp	2014-05-15 13:19:23 +0000
@@ -56,6 +56,9 @@
      MOCK_METHOD1(session_next_buffer_called, void (std::string const&));
      MOCK_METHOD1(session_release_surface_called, void (std::string const&));
      MOCK_METHOD1(session_disconnect_called, void (std::string const&));
++    MOCK_METHOD2(session_start_trust_session_called, void (std::string const&, std::string const&));
++    MOCK_METHOD2(session_add_trusted_session_called, void (std::string const&, std::string const&));
++    MOCK_METHOD1(session_stop_trust_session_called, void (std::string const&));
      void session_drm_auth_magic_called(const std::string&) override {};
      void session_configure_surface_called(std::string const&) override {};
 === modified file 'tests/integration-tests/frontend/test_application_mediator_report.cpp'
 --- tests/integration-tests/frontend/test_application_mediator_report.cpp	2014-03-06 06:05:17 +0000
 +++ tests/integration-tests/frontend/test_application_mediator_report.cpp	2014-05-15 13:19:23 +0000
@@ -50,6 +50,12 @@
          EXPECT_CALL(*this, session_disconnect_called(testing::_)).
              Times(testing::AtLeast(0));
++
++        EXPECT_CALL(*this, session_start_trust_session_called(testing::_, testing::_)).
++            Times(testing::AtLeast(0));
++
++        EXPECT_CALL(*this, session_stop_trust_session_called(testing::_)).
++            Times(testing::AtLeast(0));
+     }
      MOCK_METHOD1(session_connect_called, void (std::string const&));
@@ -57,6 +63,9 @@
      MOCK_METHOD1(session_next_buffer_called, void (std::string const&));
      MOCK_METHOD1(session_release_surface_called, void (std::string const&));
      MOCK_METHOD1(session_disconnect_called, void (std::string const&));
++    MOCK_METHOD2(session_start_trust_session_called, void (std::string const&, std::string const&));
++    MOCK_METHOD2(session_add_trusted_session_called, void (std::string const&, std::string const&));
++    MOCK_METHOD1(session_stop_trust_session_called, void (std::string const&));
      void session_drm_auth_magic_called(const std::string&) override {};
      void session_configure_surface_called(std::string const&) override {};
@@ -358,3 +367,175 @@
      launch_client_process(client_process);
+ }
++
++TEST_F(ApplicationMediatorReport, trust_session_start_called)
++{
++    struct Server : TestingServerConfiguration
++    {
++        std::shared_ptr<mf::SessionMediatorReport>
++        the_application_mediator_report()
++        {
++            auto result = std::make_shared<MockApplicationMediatorReport>();
++
++            EXPECT_CALL(*result, session_start_trust_session_called(testing::_, testing::_)).
++                Times(1);
++
++            return result;
++        }
++    } server_processing;
++
++    launch_server_process(server_processing);
++
++    struct Client: TestingClientConfiguration
++    {
++        void exec()
++        {
++            mt::TestProtobufClient client(mtf::test_socket_file(), rpc_timeout_ms);
++
++            client.connect_parameters.set_application_name(__PRETTY_FUNCTION__);
++            EXPECT_CALL(client, connect_done()).
++                Times(testing::AtLeast(0));
++            EXPECT_CALL(client, trust_session_start_done()).
++                Times(testing::AtLeast(0));
++
++            client.display_server.connect(
++                0,
++                &client.connect_parameters,
++                &client.connection,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::connect_done));
++
++            client.wait_for_connect_done();
++
++            client.display_server.start_trust_session(
++                0,
++                &client.trust_session_parameters,
++                &client.trust_session,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::trust_session_start_done));
++            client.wait_for_trust_session_start_done();
++
++        }
++    } client_process;
++
++    launch_client_process(client_process);
++}
++
++TEST_F(ApplicationMediatorReport, trust_session_add_trusted_session_called)
++{
++    struct Server : TestingServerConfiguration
++    {
++        std::shared_ptr<mf::SessionMediatorReport>
++        the_application_mediator_report()
++        {
++            auto result = std::make_shared<MockApplicationMediatorReport>();
++
++            EXPECT_CALL(*result, session_start_trust_session_called(testing::_, testing::_)).
++                Times(1);
++
++            return result;
++        }
++    } server_processing;
++
++    launch_server_process(server_processing);
++
++    struct Client: TestingClientConfiguration
++    {
++        void exec()
++        {
++            mt::TestProtobufClient client(mtf::test_socket_file(), rpc_timeout_ms);
++
++            client.connect_parameters.set_application_name(__PRETTY_FUNCTION__);
++            EXPECT_CALL(client, connect_done()).
++                Times(testing::AtLeast(0));
++            EXPECT_CALL(client, trust_session_start_done()).
++                Times(testing::AtLeast(0));
++            EXPECT_CALL(client, trust_session_add_trusted_session_done()).
++                Times(testing::AtLeast(0));
++
++            client.display_server.connect(
++                0,
++                &client.connect_parameters,
++                &client.connection,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::connect_done));
++
++            client.wait_for_connect_done();
++
++            client.display_server.start_trust_session(
++                0,
++                &client.trust_session_parameters,
++                &client.trust_session,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::trust_session_start_done));
++            client.wait_for_trust_session_start_done();
++
++            client.display_server.add_trusted_session(
++                0,
++                &client.trusted_session,
++                &client.add_trust_result,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::trust_session_add_trusted_session_done));
++            client.wait_for_trust_session_add_trusted_session_done();
++
++        }
++    } client_process;
++
++    launch_client_process(client_process);
++}
++
++TEST_F(ApplicationMediatorReport, trust_session_stop_called)
++{
++    struct Server : TestingServerConfiguration
++    {
++        std::shared_ptr<mf::SessionMediatorReport>
++        the_application_mediator_report()
++        {
++            auto result = std::make_shared<MockApplicationMediatorReport>();
++
++            EXPECT_CALL(*result, session_stop_trust_session_called(testing::_)).
++                Times(1);
++
++            return result;
++        }
++    } server_processing;
++
++    launch_server_process(server_processing);
++
++    struct Client: TestingClientConfiguration
++    {
++        void exec()
++        {
++            mt::TestProtobufClient client(mtf::test_socket_file(), rpc_timeout_ms);
++
++            client.connect_parameters.set_application_name(__PRETTY_FUNCTION__);
++            EXPECT_CALL(client, connect_done()).
++                Times(testing::AtLeast(0));
++            EXPECT_CALL(client, trust_session_start_done()).
++                Times(testing::AtLeast(0));
++            EXPECT_CALL(client, trust_session_stop_done()).
++                Times(testing::AtLeast(0));
++
++            client.display_server.connect(
++                0,
++                &client.connect_parameters,
++                &client.connection,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::connect_done));
++
++            client.wait_for_connect_done();
++
++            client.display_server.start_trust_session(
++                0,
++                &client.trust_session_parameters,
++                &client.trust_session,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::trust_session_start_done));
++            client.wait_for_trust_session_start_done();
++
++            client.display_server.stop_trust_session(
++                0,
++                &client.ignored,
++                &client.ignored,
++                google::protobuf::NewCallback(&client, &mt::TestProtobufClient::trust_session_stop_done));
++            client.wait_for_trust_session_stop_done();
++        }
++    } client_process;
++
++    launch_client_process(client_process);
++}
++
++
 === modified file 'tests/integration-tests/test_session_manager.cpp'
 --- tests/integration-tests/test_session_manager.cpp	2014-04-15 05:31:19 +0000
 +++ tests/integration-tests/test_session_manager.cpp	2014-05-15 13:19:23 +0000
@@ -24,6 +24,7 @@
  #include "mir/compositor/buffer_stream.h"
  #include "src/server/scene/basic_surface.h"
  #include "mir/scene/surface_creation_parameters.h"
++#include "mir/scene/null_trust_session_listener.h"
  #include "mir_test/gmock_fixes.h"
  #include "mir_test/fake_shared.h"
@@ -55,7 +56,8 @@
                mt::fake_shared(focus_setter),
                std::make_shared<mtd::NullSnapshotStrategy>(),
                std::make_shared<mtd::NullSessionEventSink>(),
--              mt::fake_shared(session_listener))
++              mt::fake_shared(session_listener),
++              std::make_shared<ms::NullTrustSessionListener>())
+     {
+     }
 === modified file 'tests/mir_test_doubles/test_protobuf_client.cpp'
 --- tests/mir_test_doubles/test_protobuf_client.cpp	2014-03-06 06:05:17 +0000
 +++ tests/mir_test_doubles/test_protobuf_client.cpp	2014-05-15 13:19:23 +0000
@@ -22,6 +22,7 @@
  #include "src/client/connection_surface_map.h"
  #include "src/client/display_configuration.h"
  #include "src/client/lifecycle_control.h"
++#include "src/client/event_distributor.h"
  #include "src/client/rpc/make_rpc_channel.h"
  #include "src/client/rpc/mir_basic_rpc_channel.h"
@@ -38,7 +39,8 @@
          std::make_shared<mir::client::ConnectionSurfaceMap>(),
          std::make_shared<mir::client::DisplayConfiguration>(),
          rpc_report,
--        std::make_shared<mir::client::LifecycleControl>())),
++        std::make_shared<mir::client::LifecycleControl>(),
++        std::make_shared<mir::client::EventDistributor>())),
      display_server(channel.get(), ::google::protobuf::Service::STUB_DOESNT_OWN_CHANNEL),
      maxwait(timeout_ms),
      connect_done_called(false),
@@ -59,6 +61,9 @@
      surface_parameters.set_buffer_usage(0);
      surface_parameters.set_output_id(mir_display_output_id_invalid);
++    trusted_session.set_pid(__LINE__);
++    trust_session_parameters.mutable_base_trusted_session()->set_pid(__LINE__);
++
      ON_CALL(*this, connect_done())
          .WillByDefault(testing::Invoke(this, &TestProtobufClient::on_connect_done));
      ON_CALL(*this, create_surface_done())
@@ -73,6 +78,12 @@
          .WillByDefault(testing::Invoke(this, &TestProtobufClient::on_drm_auth_magic_done));
      ON_CALL(*this, display_configure_done())
          .WillByDefault(testing::Invoke(this, &TestProtobufClient::on_configure_display_done));
++    ON_CALL(*this, trust_session_start_done())
++        .WillByDefault(testing::Invoke(&wc_trust_session_start, &WaitCondition::wake_up_everyone));
++    ON_CALL(*this, trust_session_add_trusted_session_done())
++        .WillByDefault(testing::Invoke(&wc_trust_session_add, &WaitCondition::wake_up_everyone));
++    ON_CALL(*this, trust_session_stop_done())
++        .WillByDefault(testing::Invoke(&wc_trust_session_stop, &WaitCondition::wake_up_everyone));
+ }
  void mir::test::TestProtobufClient::on_connect_done()
@@ -225,3 +236,18 @@
+     }
      tfd_done_called.store(false);
+ }
++
++void mir::test::TestProtobufClient::wait_for_trust_session_start_done()
++{
++    wc_trust_session_start.wait_for_at_most_seconds(maxwait);
++}
++
++void mir::test::TestProtobufClient::wait_for_trust_session_add_trusted_session_done()
++{
++    wc_trust_session_add.wait_for_at_most_seconds(maxwait);
++}
++
++void mir::test::TestProtobufClient::wait_for_trust_session_stop_done()
++{
++    wc_trust_session_stop.wait_for_at_most_seconds(maxwait);
++}
 === modified file 'tests/unit-tests/client/CMakeLists.txt'
 --- tests/unit-tests/client/CMakeLists.txt	2014-03-06 06:05:17 +0000
 +++ tests/unit-tests/client/CMakeLists.txt	2014-05-15 13:19:23 +0000
@@ -8,6 +8,7 @@
    ${CMAKE_CURRENT_SOURCE_DIR}/test_wait_handle.cpp
    ${CMAKE_CURRENT_SOURCE_DIR}/test_client_display_conf.cpp
    ${CMAKE_CURRENT_SOURCE_DIR}/test_mir_screencast.cpp
++  ${CMAKE_CURRENT_SOURCE_DIR}/test_mir_trust_session.cpp
+ )
  if(MIR_TEST_PLATFORM STREQUAL "android")
 === added file 'tests/unit-tests/client/test_mir_trust_session.cpp'
 --- tests/unit-tests/client/test_mir_trust_session.cpp	1970-01-01 00:00:00 +0000
 +++ tests/unit-tests/client/test_mir_trust_session.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,244 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Nick Dedekind <nick.dedekind <nick.dedekind@canonical.com>
++ */
++
++#include "src/client/mir_trust_session.h"
++#include "src/client/event_distributor.h"
++
++#include <gtest/gtest.h>
++#include <gmock/gmock.h>
++
++#include <thread>
++
++namespace mcl = mir::client;
++
++namespace google
++{
++namespace protobuf
++{
++class RpcController;
++}
++}
++
++namespace
++{
++
++struct MockProtobufServer : mir::protobuf::DisplayServer
++{
++
++    MOCK_METHOD4(start_trust_session,
++                 void(::google::protobuf::RpcController* /*controller*/,
++                      ::mir::protobuf::TrustSessionParameters const* /*request*/,
++                      ::mir::protobuf::TrustSession* /*response*/,
++                      ::google::protobuf::Closure* /*done*/));
++
++    MOCK_METHOD4(add_trusted_session,
++                 void(::google::protobuf::RpcController* /*controller*/,
++                      const ::mir::protobuf::TrustedSession* /*request*/,
++                      ::mir::protobuf::TrustSessionAddResult* /*response*/,
++                      ::google::protobuf::Closure* /*done*/));
++
++    MOCK_METHOD4(stop_trust_session,
++                 void(::google::protobuf::RpcController* /*controller*/,
++                      ::mir::protobuf::Void const* /*request*/,
++                      ::mir::protobuf::Void* /*response*/,
++                      ::google::protobuf::Closure* /*done*/));
++};
++
++class StubProtobufServer : public mir::protobuf::DisplayServer
++{
++public:
++    void start_trust_session(::google::protobuf::RpcController* /*controller*/,
++                             ::mir::protobuf::TrustSessionParameters const* /*request*/,
++                             ::mir::protobuf::TrustSession* response,
++                             ::google::protobuf::Closure* done) override
++    {
++        if (server_thread.joinable())
++            server_thread.join();
++        server_thread = std::thread{
++            [response, done, this]
++            {
++                response->clear_error();
++                done->Run();
++            }};
++    }
++
++    void add_trusted_session(::google::protobuf::RpcController* /*controller*/,
++                             const ::mir::protobuf::TrustedSession* /*request*/,
++                             ::mir::protobuf::TrustSessionAddResult* /*response*/,
++                             ::google::protobuf::Closure* done)
++    {
++        if (server_thread.joinable())
++            server_thread.join();
++        server_thread = std::thread{[done, this] { done->Run(); }};
++    }
++
++    void stop_trust_session(::google::protobuf::RpcController* /*controller*/,
++                            mir::protobuf::Void const* /*request*/,
++                            ::mir::protobuf::Void* /*response*/,
++                            ::google::protobuf::Closure* done) override
++    {
++        if (server_thread.joinable())
++            server_thread.join();
++        server_thread = std::thread{[done, this] { done->Run(); }};
++    }
++
++    StubProtobufServer()
++    {
++    }
++
++    ~StubProtobufServer()
++    {
++        if (server_thread.joinable())
++            server_thread.join();
++    }
++
++private:
++    std::thread server_thread;
++};
++
++class MirTrustSessionTest : public testing::Test
++{
++public:
++    MirTrustSessionTest()
++        : event_distributor{std::make_shared<mcl::EventDistributor>()}
++    {
++    }
++
++    static void trust_session_event(MirTrustSession*, MirTrustSessionState new_state, void* context)
++    {
++        MirTrustSessionTest* test = static_cast<MirTrustSessionTest*>(context);
++        test->state_updated(new_state);
++    }
++
++    MOCK_METHOD1(state_updated, void(MirTrustSessionState));
++
++    testing::NiceMock<MockProtobufServer> mock_server;
++    StubProtobufServer stub_server;
++    std::shared_ptr<mcl::EventDistributor> event_distributor;
++};
++
++struct MockCallback
++{
++    MOCK_METHOD2(call, void(void*, void*));
++};
++
++void mock_callback_func(MirTrustSession* trust_session, void* context)
++{
++    auto mock_cb = static_cast<MockCallback*>(context);
++    mock_cb->call(trust_session, context);
++}
++
++void null_callback_func(MirTrustSession*, void*)
++{
++}
++
++ACTION(RunClosure)
++{
++    arg3->Run();
++}
++
++}
++
++TEST_F(MirTrustSessionTest, start_trust_session)
++{
++    using namespace testing;
++
++    EXPECT_CALL(mock_server,
++                start_trust_session(_,_,_,_))
++        .WillOnce(RunClosure());
++
++    MirTrustSession trust_session{
++        mock_server,
++        event_distributor};
++    trust_session.start(__LINE__, null_callback_func, nullptr);
++}
++
++TEST_F(MirTrustSessionTest, stop_trust_session)
++{
++    using namespace testing;
++
++    EXPECT_CALL(mock_server,
++                stop_trust_session(_,_,_,_))
++        .WillOnce(RunClosure());
++
++    MirTrustSession trust_session{
++        mock_server,
++        event_distributor};
++    trust_session.stop(null_callback_func, nullptr);
++}
++
++TEST_F(MirTrustSessionTest, executes_callback_on_start)
++{
++    using namespace testing;
++
++    MockCallback mock_cb;
++    EXPECT_CALL(mock_cb, call(_, &mock_cb));
++
++    MirTrustSession trust_session{
++        stub_server,
++        event_distributor};
++    trust_session.start(__LINE__, mock_callback_func, &mock_cb)->wait_for_all();
++}
++
++TEST_F(MirTrustSessionTest, executes_callback_on_stop)
++{
++    using namespace testing;
++
++    MockCallback mock_cb;
++    EXPECT_CALL(mock_cb, call(_, &mock_cb));
++
++    MirTrustSession trust_session{
++        stub_server,
++        event_distributor};
++    trust_session.stop(mock_callback_func, &mock_cb)->wait_for_all();
++}
++
++TEST_F(MirTrustSessionTest, state_change_event_handler_started)
++{
++    using namespace testing;
++
++    MirTrustSession trust_session{
++        mock_server,
++        event_distributor};
++    trust_session.register_trust_session_event_callback(&MirTrustSessionTest::trust_session_event, this);
++
++    EXPECT_CALL(*this, state_updated(mir_trust_session_state_started)).Times(1);
++
++    MirEvent e;
++    e.type = mir_event_type_trust_session_state_change;
++    e.trust_session.new_state = mir_trust_session_state_started;
++    event_distributor->handle_event(e);
++}
++
++TEST_F(MirTrustSessionTest, state_change_event_handler_stopped)
++{
++    using namespace testing;
++
++    MirTrustSession trust_session{
++        mock_server,
++        event_distributor};
++    trust_session.register_trust_session_event_callback(&MirTrustSessionTest::trust_session_event, this);
++
++    EXPECT_CALL(*this, state_updated(mir_trust_session_state_stopped)).Times(1);
++
++    MirEvent e;
++    e.type = mir_event_type_trust_session_state_change;
++    e.trust_session.new_state = mir_trust_session_state_stopped;
++    event_distributor->handle_event(e);
++}
++
 === modified file 'tests/unit-tests/frontend/stress_protobuf_communicator.cpp'
 --- tests/unit-tests/frontend/stress_protobuf_communicator.cpp	2014-03-06 06:05:17 +0000
 +++ tests/unit-tests/frontend/stress_protobuf_communicator.cpp	2014-05-15 13:19:23 +0000
@@ -28,6 +28,7 @@
  #include "src/client/connection_surface_map.h"
  #include "src/client/display_configuration.h"
  #include "src/client/lifecycle_control.h"
++#include "src/client/event_distributor.h"
  #include "src/client/rpc/null_rpc_report.h"
  #include "src/client/rpc/make_rpc_channel.h"
  #include "src/client/rpc/mir_basic_rpc_channel.h"
@@ -178,7 +179,8 @@
          std::make_shared<mir::client::ConnectionSurfaceMap>(),
          std::make_shared<mir::client::DisplayConfiguration>(),
          rpc_report,
--        std::make_shared<mir::client::LifecycleControl>())),
++        std::make_shared<mir::client::LifecycleControl>(),
++        std::make_shared<mir::client::EventDistributor>())),
      display_server(channel.get(), ::google::protobuf::Service::STUB_DOESNT_OWN_CHANNEL),
      maxwait(timeout_ms),
      connect_done_called(false),
 === added file 'tests/unit-tests/graphics/mesa/test_drm_helper.cpp.moved'
 --- tests/unit-tests/graphics/mesa/test_drm_helper.cpp.moved	1970-01-01 00:00:00 +0000
 +++ tests/unit-tests/graphics/mesa/test_drm_helper.cpp.moved	2014-05-15 13:19:23 +0000
@@ -0,0 +1,65 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Alexandros Frantzis <alexandros.frantzis@canonical.com>
++ */
++
++#include "src/platform/graphics/mesa/display_helpers.h"
++#include "mir/udev/wrapper.h"
++
++#include "mir_test_framework/udev_environment.h"
++#include "mir_test_doubles/mock_drm.h"
++
++#include <fcntl.h>
++
++#include <gtest/gtest.h>
++#include <gmock/gmock.h>
++
++namespace mgm = mir::graphics::mesa;
++namespace mtf = mir::mir_test_framework;
++namespace mtd = mir::test::doubles;
++
++namespace
++{
++
++MATCHER_P(FlagSet, flag, "")
++{
++    return (arg & flag);
++}
++
++class DRMHelperTest : public ::testing::Test
++{
++public:
++    DRMHelperTest()
++    {
++        fake_devices.add_standard_device("standard-drm-devices");
++    }
++
++protected:
++    ::testing::NiceMock<mtd::MockDRM> mock_drm;
++    mtf::UdevEnvironment fake_devices;
++};
++
++}
++
++TEST_F(DRMHelperTest, closes_drm_fd_on_exec)
++{
++    using namespace testing;
++
++    EXPECT_CALL(mock_drm, open(_, FlagSet(O_CLOEXEC), _));
++
++    mgm::helpers::DRMHelper drm_helper;
++    drm_helper.setup(std::make_shared<mir::udev::Context>());
++}
 === modified file 'tests/unit-tests/scene/CMakeLists.txt'
 --- tests/unit-tests/scene/CMakeLists.txt	2014-05-06 06:16:13 +0000
 +++ tests/unit-tests/scene/CMakeLists.txt	2014-05-15 13:19:23 +0000
@@ -9,6 +9,8 @@
    ${CMAKE_CURRENT_SOURCE_DIR}/test_the_session_container_implementation.cpp
    ${CMAKE_CURRENT_SOURCE_DIR}/test_threaded_snapshot_strategy.cpp
    ${CMAKE_CURRENT_SOURCE_DIR}/test_mediating_display_changer.cpp
++  ${CMAKE_CURRENT_SOURCE_DIR}/test_trust_session.cpp
++  ${CMAKE_CURRENT_SOURCE_DIR}/test_trust_session_container.cpp
    ${CMAKE_CURRENT_SOURCE_DIR}/test_surface.cpp
    ${CMAKE_CURRENT_SOURCE_DIR}/test_surface_impl.cpp
 === modified file 'tests/unit-tests/scene/test_application_session.cpp'
 --- tests/unit-tests/scene/test_application_session.cpp	2014-04-15 10:19:19 +0000
 +++ tests/unit-tests/scene/test_application_session.cpp	2014-05-15 13:19:23 +0000
@@ -27,6 +27,7 @@
  #include "mir_test_doubles/stub_display_configuration.h"
  #include "mir_test_doubles/null_snapshot_strategy.h"
  #include "mir_test_doubles/null_event_sink.h"
++#include "mir_test_doubles/null_trust_session.h"
  #include <gmock/gmock.h>
  #include <gtest/gtest.h>
@@ -70,6 +71,10 @@
             arg.stride == mir::geometry::Stride{} &&
             arg.pixels == nullptr;
+ }
++
++MATCHER_P(EqTrustedEventState, state, "") {
++  return arg.type == mir_event_type_trust_session_state_change && arg.trust_session.new_state == state;
++}
+ }
  TEST(ApplicationSession, create_and_destroy_surface)
@@ -380,3 +385,43 @@
      EXPECT_THAT(app_session.process_id(), Eq(pid));
+ }
++
++TEST(ApplicationSession, begin_trust_session)
++{
++    using namespace ::testing;
++
++    mtd::MockSurfaceCoordinator surface_coordinator;
++    MockEventSink sender;
++
++    ms::ApplicationSession app_session(
++        mt::fake_shared(surface_coordinator),
++        __LINE__,
++        "Foo",
++        std::make_shared<mtd::NullSnapshotStrategy>(),
++        std::make_shared<ms::NullSessionListener>(),
++        mt::fake_shared(sender));
++
++    EXPECT_CALL(sender, handle_event(EqTrustedEventState(mir_trust_session_state_started))).Times(1);
++
++    app_session.begin_trust_session();
++}
++
++TEST(ApplicationSession, end_trust_session)
++{
++    using namespace ::testing;
++
++    mtd::MockSurfaceCoordinator surface_coordinator;
++    MockEventSink sender;
++
++    ms::ApplicationSession app_session(
++        mt::fake_shared(surface_coordinator),
++        __LINE__,
++        "Foo",
++        std::make_shared<mtd::NullSnapshotStrategy>(),
++        std::make_shared<ms::NullSessionListener>(),
++        mt::fake_shared(sender));
++
++    EXPECT_CALL(sender, handle_event(EqTrustedEventState(mir_trust_session_state_stopped))).Times(1);
++
++    app_session.end_trust_session();
++}
 === modified file 'tests/unit-tests/scene/test_session_manager.cpp'
 --- tests/unit-tests/scene/test_session_manager.cpp	2014-04-15 10:19:19 +0000
 +++ tests/unit-tests/scene/test_session_manager.cpp	2014-05-15 13:19:23 +0000
@@ -27,6 +27,9 @@
  #include "src/server/scene/session_event_sink.h"
  #include "src/server/scene/basic_surface.h"
  #include "src/server/report/null_report_factory.h"
++#include "mir/scene/trust_session_creation_parameters.h"
++#include "mir/scene/null_trust_session_listener.h"
++#include "mir/scene/trust_session.h"
  #include "mir_test/fake_shared.h"
  #include "mir_test_doubles/mock_buffer_stream.h"
@@ -37,6 +40,8 @@
  #include "mir_test_doubles/null_snapshot_strategy.h"
  #include "mir_test_doubles/null_surface_configurator.h"
  #include "mir_test_doubles/null_session_event_sink.h"
++#include "mir_test_doubles/mock_trust_session_listener.h"
++#include "mir_test_doubles/null_event_sink.h"
  #include <gmock/gmock.h>
  #include <gtest/gtest.h>
@@ -44,7 +49,6 @@
  namespace mc = mir::compositor;
  namespace mf = mir::frontend;
  namespace mi = mir::input;
--namespace msh = mir::shell;
  namespace ms = mir::scene;
  namespace geom = mir::geometry;
  namespace mt = mir::test;
@@ -78,7 +82,8 @@
                          mt::fake_shared(focus_setter),
                          std::make_shared<mtd::NullSnapshotStrategy>(),
                          std::make_shared<mtd::NullSessionEventSink>(),
--                        mt::fake_shared(session_listener))
++                        mt::fake_shared(session_listener),
++                        std::make_shared<ms::NullTrustSessionListener>())
+     {
          using namespace ::testing;
          ON_CALL(container, successor_of(_)).WillByDefault(Return((std::shared_ptr<ms::Session>())));
@@ -178,7 +183,8 @@
                          mt::fake_shared(focus_setter),
                          std::make_shared<mtd::NullSnapshotStrategy>(),
                          std::make_shared<mtd::NullSessionEventSink>(),
--                        mt::fake_shared(session_listener))
++                        mt::fake_shared(session_listener),
++                        std::make_shared<ms::NullTrustSessionListener>())
+     {
          using namespace ::testing;
          ON_CALL(container, successor_of(_)).WillByDefault(Return((std::shared_ptr<ms::Session>())));
@@ -187,7 +193,7 @@
      mtd::MockSurfaceCoordinator surface_coordinator;
      testing::NiceMock<MockSessionContainer> container;    // Inelegant but some tests need a stub
      testing::NiceMock<mtd::MockFocusSetter> focus_setter; // Inelegant but some tests need a stub
--    mtd::MockSessionListener session_listener;
++    testing::NiceMock<mtd::MockSessionListener> session_listener;
      ms::SessionManager session_manager;
  };
@@ -217,7 +223,8 @@
                          mt::fake_shared(focus_setter),
                          std::make_shared<mtd::NullSnapshotStrategy>(),
                          mt::fake_shared(session_event_sink),
--                        std::make_shared<ms::NullSessionListener>())
++                        std::make_shared<ms::NullSessionListener>(),
++                        std::make_shared<ms::NullTrustSessionListener>())
+     {
          using namespace ::testing;
          ON_CALL(container, successor_of(_)).WillByDefault(Return((std::shared_ptr<ms::Session>())));
@@ -257,3 +264,46 @@
      session_manager.close_session(session1);
      session_manager.close_session(session);
+ }
++
++namespace
++{
++
++struct SessionManagerTrustSessionListenerSetup : public testing::Test
++{
++    SessionManagerTrustSessionListenerSetup()
++      : session_manager(mt::fake_shared(surface_coordinator),
++                        mt::fake_shared(container),
++                        mt::fake_shared(focus_setter),
++                        std::make_shared<mtd::NullSnapshotStrategy>(),
++                        std::make_shared<mtd::NullSessionEventSink>(),
++                        std::make_shared<ms::NullSessionListener>(),
++                        mt::fake_shared(trust_session_listener))
++    {
++        using namespace ::testing;
++        ON_CALL(container, successor_of(_)).WillByDefault(Return((std::shared_ptr<ms::Session>())));
++    }
++
++    mtd::MockSurfaceCoordinator surface_coordinator;
++    testing::NiceMock<MockSessionContainer> container;    // Inelegant but some tests need a stub
++    testing::NiceMock<mtd::MockFocusSetter> focus_setter; // Inelegant but some tests need a stub
++    testing::NiceMock<mtd::MockTrustSessionListener> trust_session_listener;
++    mtd::NullEventSink event_sink;
++
++    ms::SessionManager session_manager;
++};
++}
++
++TEST_F(SessionManagerTrustSessionListenerSetup, trust_session_listener_is_notified_of_trust_session_start_and_stop)
++{
++    using namespace ::testing;
++
++    EXPECT_CALL(trust_session_listener, starting(_)).Times(1);
++    EXPECT_CALL(trust_session_listener, stopping(_)).Times(1);
++
++    auto helper = session_manager.open_session(__LINE__, "XPlane", mt::fake_shared(event_sink));
++
++    ms::TrustSessionCreationParameters parameters;
++
++    auto trust_session = session_manager.start_trust_session_for(helper, parameters);
++    session_manager.stop_trust_session(trust_session);
++}
 === added file 'tests/unit-tests/scene/test_trust_session.cpp'
 --- tests/unit-tests/scene/test_trust_session.cpp	1970-01-01 00:00:00 +0000
 +++ tests/unit-tests/scene/test_trust_session.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,82 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#include "mir/frontend/event_sink.h"
++#include "mir/scene/trust_session_creation_parameters.h"
++#include "src/server/scene/trust_session_impl.h"
++#include "mir_test/fake_shared.h"
++#include "mir_test_doubles/mock_scene_session.h"
++#include "mir_test_doubles/mock_trust_session_listener.h"
++
++#include <gmock/gmock.h>
++#include <gtest/gtest.h>
++
++namespace mf = mir::frontend;
++namespace ms = mir::scene;
++namespace mt = mir::test;
++namespace mtd = mir::test::doubles;
++
++
++namespace
++{
++
++struct TrustSession : public testing::Test
++{
++    TrustSession()
++    {
++    }
++
++    testing::NiceMock<mtd::MockTrustSessionListener> trust_session_listener;
++    testing::NiceMock<mtd::MockSceneSession> trusted_helper;
++    testing::NiceMock<mtd::MockSceneSession> trusted_app1;
++    testing::NiceMock<mtd::MockSceneSession> trusted_app2;
++};
++}
++
++TEST_F(TrustSession, start_and_stop)
++{
++    using namespace testing;
++
++    auto shared_helper = mt::fake_shared(trusted_helper);
++    std::shared_ptr<ms::Session> shared_app1 = mt::fake_shared(trusted_app1);
++    std::shared_ptr<ms::Session> shared_app2 = mt::fake_shared(trusted_app2);
++
++    ms::TrustSessionImpl trust_session(shared_helper,
++                                   ms::a_trust_session(),
++                                   mt::fake_shared(trust_session_listener));
++
++    EXPECT_CALL(trusted_helper, begin_trust_session()).Times(1);
++    EXPECT_CALL(trusted_helper, end_trust_session()).Times(1);
++
++    EXPECT_CALL(trusted_app1, begin_trust_session()).Times(0);
++    EXPECT_CALL(trusted_app1, end_trust_session()).Times(0);
++
++    EXPECT_CALL(trusted_app2, begin_trust_session()).Times(0);
++    EXPECT_CALL(trusted_app2, end_trust_session()).Times(0);
++
++    EXPECT_CALL(trust_session_listener, trusted_session_beginning(_, shared_app1)).Times(1);
++    EXPECT_CALL(trust_session_listener, trusted_session_beginning(_, shared_app2)).Times(1);
++
++    EXPECT_CALL(trust_session_listener, trusted_session_ending(_, shared_app1)).Times(1);
++    EXPECT_CALL(trust_session_listener, trusted_session_ending(_, shared_app2)).Times(1);
++
++    trust_session.start();
++    trust_session.add_trusted_child(shared_app1);
++    trust_session.add_trusted_child(shared_app2);
++    trust_session.stop();
++}
 === added file 'tests/unit-tests/scene/test_trust_session_container.cpp'
 --- tests/unit-tests/scene/test_trust_session_container.cpp	1970-01-01 00:00:00 +0000
 +++ tests/unit-tests/scene/test_trust_session_container.cpp	2014-05-15 13:19:23 +0000
@@ -0,0 +1,167 @@
++/*
++ * Copyright © 2014 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored By: Nick Dedekind <nick.dedekind@canonical.com>
++ */
++
++#include "src/server/scene/trust_session_container.h"
++#include "mir_test_doubles/mock_scene_session.h"
++#include "mir_test_doubles/null_trust_session.h"
++#include "mir_test/fake_shared.h"
++
++#include <gmock/gmock.h>
++#include <gtest/gtest.h>
++
++namespace ms = mir::scene;
++namespace mf = mir::frontend;
++namespace mt = mir::test;
++namespace mtd = mir::test::doubles;
++
++
++TEST(TrustSessionContainer, test_insert)
++{
++    using namespace testing;
++
++    testing::NiceMock<mtd::NullTrustSession> trust_session1;
++    testing::NiceMock<mtd::NullTrustSession> trust_session2;
++    testing::NiceMock<mtd::NullTrustSession> trust_session3;
++
++    ms::TrustSessionContainer container;
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session1), 1), true);
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session1), 2), true);
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session1), 3), true);
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session1), 1), false);
++
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session2), 2), true);
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session2), 3), true);
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session2), 2), false);
++
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session3), 3), true);
++    EXPECT_EQ(container.insert(mt::fake_shared(trust_session3), 3), false);
++}
++
++TEST(TrustSessionContainer, for_each_process_for_trust_session)
++{
++    using namespace testing;
++
++    testing::NiceMock<mtd::NullTrustSession> trust_session1;
++    testing::NiceMock<mtd::NullTrustSession> trust_session2;
++    testing::NiceMock<mtd::NullTrustSession> trust_session3;
++
++    ms::TrustSessionContainer container;
++    container.insert(mt::fake_shared(trust_session1), 1);
++    container.insert(mt::fake_shared(trust_session1), 2);
++    container.insert(mt::fake_shared(trust_session2), 3);
++    container.insert(mt::fake_shared(trust_session2), 1);
++    container.insert(mt::fake_shared(trust_session3), 2);
++    container.insert(mt::fake_shared(trust_session2), 4);
++
++    std::vector<ms::TrustSessionContainer::ClientProcess> results;
++    auto for_each_fn = [&results](ms::TrustSessionContainer::ClientProcess const& process)
++    {
++        results.push_back(process);
++    };
++
++    container.for_each_process_for_trust_session(mt::fake_shared(trust_session2), for_each_fn);
++    EXPECT_THAT(results, ElementsAre(3, 1, 4));
++}
++
++TEST(TrustSessionContainer, for_each_trust_session_for_process)
++{
++    using namespace testing;
++
++    testing::NiceMock<mtd::NullTrustSession> trust_session1;
++    testing::NiceMock<mtd::NullTrustSession> trust_session2;
++    testing::NiceMock<mtd::NullTrustSession> trust_session3;
++
++    ms::TrustSessionContainer container;
++    container.insert(mt::fake_shared(trust_session1), 1);
++    container.insert(mt::fake_shared(trust_session1), 2);
++    container.insert(mt::fake_shared(trust_session2), 3);
++    container.insert(mt::fake_shared(trust_session2), 1);
++    container.insert(mt::fake_shared(trust_session3), 2);
++    container.insert(mt::fake_shared(trust_session2), 4);
++
++    std::vector<std::shared_ptr<mf::TrustSession>> results;
++    auto for_each_fn = [&results](std::shared_ptr<mf::TrustSession> const& trust_session)
++    {
++        results.push_back(trust_session);
++    };
++
++    container.for_each_trust_session_for_process(2, for_each_fn);
++    EXPECT_THAT(results, ElementsAre(mt::fake_shared(trust_session1), mt::fake_shared(trust_session3)));
++}
++
++TEST(TrustSessionContainer, test_remove_trust_sesion)
++{
++    using namespace testing;
++
++    testing::NiceMock<mtd::NullTrustSession> trust_session1;
++
++    ms::TrustSessionContainer container;
++    container.insert(mt::fake_shared(trust_session1), 1);
++    container.insert(mt::fake_shared(trust_session1), 2);
++    container.insert(mt::fake_shared(trust_session1), 3);
++
++    int count = 0;
++    auto for_each_fn = [&count](ms::TrustSessionContainer::ClientProcess const&)
++    {
++        count++;
++    };
++
++    container.for_each_process_for_trust_session(mt::fake_shared(trust_session1), for_each_fn);
++    EXPECT_EQ(count, 3);
++
++    container.remove_trust_session(mt::fake_shared(trust_session1));
++
++    count = 0;
++    container.for_each_process_for_trust_session(mt::fake_shared(trust_session1), for_each_fn);
++    EXPECT_EQ(count, 0);
++}
++
++TEST(TrustSessionContainer, remove_process)
++{
++    using namespace testing;
++
++    testing::NiceMock<mtd::NullTrustSession> trust_session1;
++    testing::NiceMock<mtd::NullTrustSession> trust_session2;
++    testing::NiceMock<mtd::NullTrustSession> trust_session3;
++
++    ms::TrustSessionContainer container;
++    container.insert(mt::fake_shared(trust_session1), 1);
++    container.insert(mt::fake_shared(trust_session1), 2);
++
++    container.insert(mt::fake_shared(trust_session2), 1);
++    container.insert(mt::fake_shared(trust_session2), 3);
++
++    container.insert(mt::fake_shared(trust_session3), 1);
++    container.insert(mt::fake_shared(trust_session3), 4);
++
++    int count = 0;
++    auto for_each_fn = [&count](std::shared_ptr<mf::TrustSession> const&)
++    {
++        count++;
++    };
++
++    container.for_each_trust_session_for_process(1, for_each_fn);
++    EXPECT_EQ(count, 3);
++
++    container.remove_process(1);
++
++    count = 0;
++    container.for_each_trust_session_for_process(1, for_each_fn);
++    EXPECT_EQ(count, 0);
++}
++

Mir

Merge lp:~nick-dedekind/mir/trusted_sessions into lp:mir

Commit message

Description of the change

Preview Diff

Subscribers