[folks] Add PersonaStore trust levels



commit 8b685698e88262e6be5cdeba643535fd197d6d2d
Author: Philip Withnall <philip withnall collabora co uk>
Date:   Mon Jul 19 12:11:56 2010 +0100

    Add PersonaStore trust levels
    
    The Personas from each PersonaStore now have an assigned trust level (none,
    partial or full) which indicates how much of their data can be used for
    linking Personas together to form Individuals.
    
    At the moment, the key-file backend is hard-coded as having the only fully
    trusted PersonaStore.

 backends/telepathy/tpf-persona-store.vala |    7 ++++
 folks/individual-aggregator.vala          |   20 ++++++++++++
 folks/persona-store.vala                  |   48 +++++++++++++++++++++++++++++
 folks/persona.vala                        |    9 +++++
 4 files changed, 84 insertions(+), 0 deletions(-)
---
diff --git a/backends/telepathy/tpf-persona-store.vala b/backends/telepathy/tpf-persona-store.vala
index ba6779a..c081fbf 100644
--- a/backends/telepathy/tpf-persona-store.vala
+++ b/backends/telepathy/tpf-persona-store.vala
@@ -104,6 +104,13 @@ public class Tpf.PersonaStore : Folks.PersonaStore
 
   private void reset ()
     {
+      /* We do not trust local-xmpp at all, since Persona UIDs can be faked by
+       * just changing hostname/username. */
+      if (account.get_protocol () == "local-xmpp")
+        this.trust_level = PersonaStoreTrust.NONE;
+      else
+        this.trust_level = PersonaStoreTrust.PARTIAL;
+
       this._personas = new HashTable<string, Persona> (str_hash,
           str_equal);
       this.conn = null;
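Review bot: The assignment at lines 34–37 runs on every `reset ()`, and a `get; set;` auto-property setter emits `notify["trust-level"]` on each write whether or not the value changed, so every reset re-fires the aggregator's trust-level handler for no change. If the account's protocol is fixed for the store's lifetime (it looks that way, but the `account` field and the rest of `reset ()` are outside the hunk), computing the level once in `construct`, or guarding the write with `if (this.trust_level != level)`, avoids the redundant notifications. The code also dereferences `account` unconditionally; if `reset ()` can run before the account is set, that should be stated or checked. Style-wise, the braceless `if`/`else` here differs from the braced form the same commit uses in individual-aggregator.vala.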
diff --git a/folks/individual-aggregator.vala b/folks/individual-aggregator.vala
index a2641a0..498b651 100644
--- a/folks/individual-aggregator.vala
+++ b/folks/individual-aggregator.vala
@@ -150,8 +150,16 @@ public class Folks.IndividualAggregator : Object
     {
       string store_id = this.get_store_full_id (store.type_id, store.id);
 
+      /* FIXME: We hardcode the key-file backend's singleton PersonaStore as the
+       * only trusted PersonaStore for now. */
+      if (store.type_id == "key-file")
+        {
+          store.trust_level = PersonaStoreTrust.FULL;
+        }
+
       this.stores.set (store_id, store);
       store.personas_changed.connect (this.personas_changed_cb);
+      store.notify["trust-level"].connect (this.trust_level_changed_cb);
 
       store.prepare.begin ((obj, result) =>
         {
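Review bot: A store that already reports `PersonaStoreTrust.FULL` when it is added is never validated, because the `notify["trust-level"]` handler connected at line 59 only fires on later changes and the key-file branch at lines 52–55 raises but never lowers a level. A one-line check before `this.stores.set (store_id, store);` closes the gap: `if (store.type_id != "key-file" && store.trust_level == PersonaStoreTrust.FULL) store.trust_level = PersonaStoreTrust.PARTIAL;`. The trust decision also keys on the `type_id` string alone, so any backend registering with type id `key-file` would be fully trusted; that assumption deserves a sentence next to the FIXME. The enclosing method starts before this hunk.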
@@ -171,6 +179,7 @@ public class Folks.IndividualAggregator : Object
       PersonaStore store)
     {
       store.personas_changed.disconnect (this.personas_changed_cb);
+      store.notify["trust-level"].disconnect (this.trust_level_changed_cb);
 
       /* no need to remove this stores' personas from all the individuals, since
        * they'll do that themselves (and emit their own 'removed' signal if
@@ -229,6 +238,17 @@ public class Folks.IndividualAggregator : Object
         }
     }
 
+  private void trust_level_changed_cb (Object object, ParamSpec pspec)
+    {
+      /* FIXME: For the moment, assert that only the key-file backend's
+       * singleton PersonaStore is trusted. */
+      unowned PersonaStore store = (PersonaStore) object;
+      if (store.type_id == "key-file")
+        assert (store.trust_level == PersonaStoreTrust.FULL);
+      else
+        assert (store.trust_level != PersonaStoreTrust.FULL);
+    }
+
   private void individual_removed_cb (Individual i)
     {
       var i_list = new GLib.List<Individual> ();
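Review bot: `trust_level_changed_cb` at lines 75–84 enforces the trust policy with `assert`, which aborts the process: a backend (or anything that calls the public `trust_level` setter) that sets `PersonaStoreTrust.FULL` on a non-key-file store takes the whole aggregator down instead of being refused, and the check vanishes entirely when assertions are compiled out. Demoting the store with a `warning` keeps the policy enforced in both builds and keeps a misbehaving backend from crashing the host. The C-style `(PersonaStore) object` cast is safer written as `as` with a null check. Writing the property inside its own notify handler re-enters the handler once, which is harmless because the second pass sees PARTIAL. If the inverse check (a key-file store must stay FULL) is still wanted, `warn_if_fail (store.trust_level == PersonaStoreTrust.FULL)` in a key-file branch records it without aborting.
```vala
  private void trust_level_changed_cb (Object object, ParamSpec pspec)
    {
      var store = object as PersonaStore;
      return_if_fail (store != null);

      /* FIXME: For the moment, only the key-file backend's singleton
       * PersonaStore may be fully trusted. Demote instead of aborting so a
       * misbehaving backend cannot crash the aggregator. */
      if (store.type_id != "key-file" &&
          store.trust_level == PersonaStoreTrust.FULL)
        {
          warning ("PersonaStore '%s' claimed full trust; demoting to partial.",
              store.id);
          store.trust_level = PersonaStoreTrust.PARTIAL;
        }
    }
```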
diff --git a/folks/persona-store.vala b/folks/persona-store.vala
index ec5db71..426c767 100644
--- a/folks/persona-store.vala
+++ b/folks/persona-store.vala
@@ -22,6 +22,40 @@ using GLib;
 using Folks;
 
 /**
+ * Trust level for a { link PersonaStore}'s { link Persona}s for linking
+ * purposes.
+ */
+public enum Folks.PersonaStoreTrust
+{
+  /**
+   * The { link Persona}s aren't trusted at all, and cannot be linked.
+   *
+   * This should be used for { link PersonaStore}s where even the
+   * { link Persona} UID could be maliciously edited to corrupt { link Persona}
+   * links, or where the UID changes regularly.
+   */
+  NONE,
+
+  /**
+   * Only the { link Persona.uid} property is trusted for linking.
+   *
+   * In practice, this means that { link Persona}s from this
+   * { link PersonaStore} will not contribute towards the linking process, but
+   * can be linked together by their UIDs using data from { link Persona}s from
+   * a fully-trusted { link PersonaStore}.
+   */
+  PARTIAL,
+
+  /**
+   * Every property in { link Persona.linkable_properties} is trusted.
+   *
+   * This should only be used for user-controlled { link PersonaStore}s, as if a
+   * remote store is compromised, malicious changes could be made to its data
+   * which corrupt the user's { link Persona} links.
+   */
+  FULL
+}
+/**
  * Errors from { link PersonaStore}s.
  */
 public errordomain Folks.PersonaStoreError
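Review bot: The enum at lines 100–129 declares its values in ascending order of trust (NONE, PARTIAL, FULL), but the doc does not say whether that ordering is part of the contract, i.e. whether callers may compare levels with `<` or `>=`. If it is intended, a sentence on the enum doc pins it: `Values are ordered from least to most trusted, so they may be compared with the relational operators.`; if not, saying the values are nominal prevents a future `trust_level >= PersonaStoreTrust.PARTIAL` check from appearing. The PARTIAL doc could also state explicitly that such Personas never contribute their own linkable properties, which is what distinguishes it from FULL in practice.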
@@ -103,6 +137,20 @@ public abstract class Folks.PersonaStore : Object
   public abstract HashTable<string, Persona> personas { get; }
 
   /**
+   * The trust level of the PersonaStore for linking.
+   *
+   * Each { link PersonaStore} is assigned a trust level by the
+   * IndividualAggregator, designating whether to trust the properties of its
+   * { link Persona}s for linking to produce { link Individual}s.
+   *
+   * @see PersonaStoreTrust
+   */
+  public PersonaStoreTrust trust_level
+    {
+      get; set; default = PersonaStoreTrust.NONE;
+    }
+
+  /**
    * Prepare the PersonaStore for use.
    *
    * This connects the PersonaStore to whichever backend-specific services it
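Review bot: The doc at lines 140–142 says each PersonaStore "is assigned a trust level by the IndividualAggregator", but in this same commit the Telepathy backend assigns its own level in `reset ()`, and the setter at line 148 is public, so any holder of a store can change it. The comment should describe the contract the aggregator actually enforces: backends may set NONE or PARTIAL, and FULL is reserved for stores the aggregator designates. Suggested wording: `Backends may set this to NONE or PARTIAL; FULL is reserved for the IndividualAggregator to assign to stores it controls, and it will refuse FULL on any other store.` The `default = PersonaStoreTrust.NONE` means a backend that never sets the property is completely untrusted, which is a safe default worth stating explicitly.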
diff --git a/folks/persona.vala b/folks/persona.vala
index ae9d0f6..cb0d0f0 100644
--- a/folks/persona.vala
+++ b/folks/persona.vala
@@ -54,8 +54,17 @@ public abstract class Folks.Persona : Object
   /**
    * The names of the properties of this Persona which are linkable.
    *
+   * If a property name is in this list, and the Persona is from a
+   * { link PersonaStore} whose trust level is { link PersonaStoreTrust.FULL},
+   * the { link IndividualAggregator} should be able to reliably use the value
+   * of the property from a given Persona instance to link the Persona with
+   * other Personas and form { link Individual}s.
+   *
    * Note that { link Persona.uid} is always implicitly a member of this list,
    * and doesn't need to be added explicitly.
+   *
+   * This list will have no effect if the Persona's { link PersonaStore} trust
+   * level is not { link PersonaStoreTrust.FULL}.
    */
   public string[] linkable_properties { get; protected set; }
 }


