Closes #2229: Encrypted-at-rest FxA state storage support #5053
Conversation
I've tested switching back and forth between encrypted and plaintext storage versions in
4726dbb to f8c592c
8849ffd to 84830fb
Looks great! Just one comment / question below.
if (migrateFromPlaintextStorage) {
    // In case we switched from SharedPrefAccountStorage to this implementation, migrate persisted account
    // and clear out the old storage layer.
    val plaintextStorage = SharedPrefAccountStorage(context, migrateFromSecureStorage = false)
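Review bot: the comment on this block says the old plaintext layer is cleared after the account is migrated; make sure that clear only runs once the write into the secure storage has succeeded, otherwise a failed or partial write during migration leaves no persisted account in either layer. A test that asserts the plaintext entry survives when the secure write throws would pin this down.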
Not sure where my previous comment went. It was just a nit to ask if we could instead add migrateFrom... methods to the storages. It seems the constructor parameter is easy to miss and then we'd migrate by mistake. With a method we'd trigger migration explicitly.
With an explicit method, the only way to get rid of the constructor flag is to expose a migrate method as part of the AccountStorage interface; I really like the enclosed nature of these classes - consumers don't need to know anything about migrations, it "just works". This is how the lower level works, as well - consumers of secure prefs don't need to know that it auto-migrates data from insecure prefs in case of an API upgrade! So there's a nice symmetry here I'd like to keep. So, landing as-is.
This patch adds a version of `AccountStorage` which is backed by an encrypted-at-rest shared-prefs implementation, `SecureAbove22Preferences`. As the name suggests, encryption at rest is enabled only for Android API levels 23+. Otherwise, plaintext storage is used. `SecureAbove22Preferences` will handle API level upgrades behind the scenes, if necessary. In order to support rolling this out, `SecureAbove22AccountStorage` automatically migrates account state if it was present in `SharedPrefAccountStorage`. And vice-versa, `SharedPrefAccountStorage` will automatically migrate account state if it was present in `SecureAbove22AccountStorage`. This allows applications to easily switch between two implementations, without any ill-effects. In order to monitor storage implementations for abnormalities (such as disappearing encryption keys), an optional `CrashReporter` instance may be configured now via FxaAccountManager. `DeviceConfig` gained a `secureStateAtRest` flag, which allows applications to specify if they'd like to encrypt account state. This config object isn't a perfect fit for this flag, but it's close enough conceptually.
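One way to model the storage selection and two-way migration the description above lays out, as an added example that is not code from android-components; the AccountStorage shape, Backend, AbnormalityReporter and selectStorage are assumptions standing in for SharedPreferences, SecureAbove22Preferences and the CrashReporter hook:

```kotlin
// Added example, not code from android-components: it models the storage choice and
// two-way migration the PR describes with a minimal, assumed AccountStorage shape and
// in-memory stand-ins for the plaintext and encrypted preference files.
interface AccountStorage {
    fun read(): String?          // serialized account state, or null if none
    fun write(state: String)
    fun clear()
}

// Stand-in for one preference file; keyAvailable simulates a lost encryption key.
class Backend(var value: String? = null, var keyAvailable: Boolean = true)
// Hypothetical hook standing in for the optional CrashReporter.
fun interface AbnormalityReporter { fun report(e: Exception) }

// Copies state from the other store, clearing it only after the write succeeded,
// so a failed write cannot leave the user with no persisted account at all.
private fun AccountStorage.migrateFrom(other: Backend) {
    val state = other.value ?: return
    write(state)
    other.value = null
}

class PlaintextAccountStorage(private val own: Backend, other: Backend) : AccountStorage {
    init { migrateFrom(other) }
    override fun read() = own.value
    override fun write(state: String) { own.value = state }
    override fun clear() { own.value = null }
}

class SecureAccountStorage(
    private val own: Backend, other: Backend, private val reporter: AbnormalityReporter?,
) : AccountStorage {
    init { migrateFrom(other) }
    // Ciphertext present but key gone is the kind of abnormality worth reporting.
    override fun read(): String? {
        if (own.value != null && !own.keyAvailable) {
            reporter?.report(IllegalStateException("encrypted account state present but key missing"))
            return null
        }
        return own.value
    }
    override fun write(state: String) { own.value = state }
    override fun clear() { own.value = null }
}

// Mirrors the secureStateAtRest decision: encrypt only on API 23+, else plaintext (assumed).
fun selectStorage(secureStateAtRest: Boolean, sdkInt: Int, plain: Backend, secure: Backend,
                  reporter: AbnormalityReporter? = null): AccountStorage =
    if (secureStateAtRest && sdkInt >= 23) SecureAccountStorage(secure, plain, reporter)
    else PlaintextAccountStorage(plain, secure)
```

Constructing either storage while the other backend still holds state moves that state across and empties the old file, so flipping the flag in either direction is safe; a read that finds ciphertext without its key surfaces through the reporter instead of silently returning nothing.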
bors r=csadilek
5053: Closes #2229: Encrypted-at-rest FxA state storage support r=csadilek a=grigoryk This patch adds a version of `AccountStorage` which is backed by an encrypted-at-rest shared-prefs implementation, `SecureAbove22Preferences`. As the name suggests, encryption at rest is enabled only for Android API levels 23+. Otherwise, plaintext storage is used. `SecureAbove22Preferences` will handle API level upgrades behind the scenes, if necessary. In order to support rolling this out, `SecureAbove22AccountStorage` automatically migrates account state if it was present in `SharedPrefAccountStorage`. And vice-versa, `SharedPrefAccountStorage` will automatically migrate account state if it was present in `SecureAbove22AccountStorage`. This allows applications to easily switch between two implementations, without any ill-effects. In order to monitor storage implementations for abnormalities (such as disappearing encryption keys), an optional `CrashReporter` instance may be configured now via FxaAccountManager. `DeviceConfig` gained a `secureStateAtRest` flag, which allows applications to specify if they'd like to encrypt account state. This config object isn't a perfect fit for this flag, but it's close enough conceptually. Co-authored-by: Grisha Kruglov <gkruglov@mozilla.com>
Build failed
This seems like an intermittent..? But I'm not sure what's going wrong here. Can't reproduce it locally, either. So let's just try again...
bors retry
Build succeeded