android13/device/google/cuttlefish/guest/hals/confirmationui/guest_session.cpp

/*
 *
 * Copyright 2021, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "guest_session.h"

#include <future>

namespace android {
namespace hardware {
namespace confirmationui {
namespace V1_0 {
namespace implementation {
using TeeuiRc = teeui::ResponseCode;

GuestSession::ResultTriple GuestSession::PromptUserConfirmation() {
    std::unique_lock<std::mutex> stateLock(listener_state_lock_);
    /*
     * This is the main listener thread function. The listener thread life cycle
     * is equivalent to the life cycle of a single confirmation request. The life
     * cycle is divided in four phases.
     *  * The starting phase:
     *    * Drives the cuttlefish confirmation UI session on the host side, too
     *
     * Note: During the starting phase the hwbinder service thread is blocked and
     * waiting for possible Errors. If the setup phase concludes successfully, the
     * hwbinder service thread gets unblocked and returns successfully. Errors
     * that occur after the first phase are delivered by callback interface.
     *
     * For cuttlefish, it means that the guest will conduct a blocking wait for
     * an ack to kStart.
     *
     *  * The 2nd phase - non interactive phase
     *    * After a grace period:
     *      * guest will pick up cuttlefish host's ack to kStart
     *
     *  * The 3rd phase - interactive phase
     *    * We wait to any external event
     *      * Abort
     *      * Secure user input asserted
     *    * The result is fetched from the TA.
     *
     *  * The 4th phase - cleanup
     *    * Sending the kStop command to the cuttlefish host, and wait for ack
     */

    GuestSession::ResultTriple error;
    auto& error_rc = std::get<ResponseCode>(error);
    error_rc = ResponseCode::SystemError;

    CHECK(listener_state_ == ListenerState::Starting) << "ListenerState should be Starting";

    // initiate prompt
    ConfUiLog(INFO) << "Initiating prompt";
    const std::uint32_t payload_lower_bound =
        static_cast<std::uint32_t>(prompt_text_.size() + extra_data_.size());
    const std::uint32_t upper_bound =
        static_cast<std::uint32_t>(cuttlefish::confui::kMaxMessageLength);
    if (payload_lower_bound > upper_bound) {
        ConfUiLog(INFO) << "UI message too long to send to the host";
        // message is too long anyway, and don't send it to the host
        error_rc = ResponseCode::UIErrorMessageTooLong;
        return error;
    }
    SerializedSend(cuttlefish::confui::SendStartCmd, host_fd_, session_name_, prompt_text_,
                   extra_data_, locale_, ui_options_);
    ConfUiLog(INFO) << "Session " << GetSessionId() << " started on both the guest and the host";

    auto clean_up_and_get_first = [&]() -> std::unique_ptr<ConfUiMessage> {
        // blocking wait to get the first msg that belongs to this session
        while (true) {
            auto first_curr_session_msg = incoming_msg_queue_.Pop();
            if (!first_curr_session_msg ||
                first_curr_session_msg->GetSessionId() != GetSessionId()) {
                continue;
            }
            return std::move(first_curr_session_msg);
        }
    };

    /*
     * Unconditionally wait ack, or host abort
     *
     * First couple of messages could be from the previous session.
     * We should clear them up.
     *
     * Even though the guest HAL sends kAbort to the host, the kAbort
     * does not happen immediately. Between the incoming_msg_queue_.FlushAll()
     * and the actual abort on the host, there could still be messages
     * sent from the host to the guest. As these lines are the first read
     * for the current session, we clear up the preceding messages
     * from the previous session until we see the message for the current
     * session.
     *
     * Note that abort() call puts the Abort command in the queue. So,
     * it will also show up in incoming_msg_queue_
     *
     */
    auto first_msg = std::move(clean_up_and_get_first());

    cuttlefish::confui::ConfUiAckMessage& start_ack_msg =
        static_cast<cuttlefish::confui::ConfUiAckMessage&>(*first_msg);
    if (!start_ack_msg.IsSuccess()) {
        // handle errors: MALFORMED_UTF8 or Message too long
        const std::string error_msg = start_ack_msg.GetStatusMessage();
        if (error_msg == cuttlefish::confui::HostError::kMessageTooLongError) {
            ConfUiLog(ERROR) << "Message + Extra data + Meta info were too long";
            error_rc = ResponseCode::UIErrorMessageTooLong;
        }
        if (error_msg == cuttlefish::confui::HostError::kIncorrectUTF8) {
            ConfUiLog(ERROR) << "Message is incorrectly UTF-encoded";
            error_rc = ResponseCode::UIErrorMalformedUTF8Encoding;
        }
        return error;
    }

    //  ############################## Start 2nd Phase #############################################
    listener_state_ = ListenerState::SetupDone;
    ConfUiLog(INFO) << "Transition to SetupDone";
    stateLock.unlock();
    listener_state_condv_.notify_all();

    // cuttlefish does not need the second phase to implement HAL APIs
    // input was already prepared before the confirmation UI screen was rendered

    //  ############################## Start 3rd Phase - interactive phase #########################
    stateLock.lock();
    listener_state_ = ListenerState::Interactive;
    ConfUiLog(INFO) << "Transition to Interactive";
    stateLock.unlock();
    listener_state_condv_.notify_all();

    // give deliverSecureInputEvent a chance to interrupt

    // wait for an input but should not block deliverSecureInputEvent or Abort
    // Thus, it should not hold the stateLock
    std::mutex input_ready_mtx;
    std::condition_variable input_ready_cv_;
    std::unique_lock<std::mutex> input_ready_lock(input_ready_mtx);
    bool input_ready = false;
    auto wait_input_and_signal = [&]() -> std::unique_ptr<ConfUiMessage> {
        auto msg = incoming_msg_queue_.Pop();
        {
            std::unique_lock<std::mutex> lock(input_ready_mtx);
            input_ready = true;
            input_ready_cv_.notify_one();
        }
        return msg;
    };
    auto input_and_signal_future = std::async(std::launch::async, wait_input_and_signal);
    input_ready_cv_.wait(input_ready_lock, [&]() { return input_ready; });
    // now an input is ready, so let's acquire the stateLock

    stateLock.lock();
    auto user_or_abort = input_and_signal_future.get();

    if (user_or_abort->GetType() == cuttlefish::confui::ConfUiCmd::kAbort) {
        ConfUiLog(ERROR) << "Abort called or the user/host aborted"
                         << " while waiting user response";
        return {ResponseCode::Aborted, {}, {}};
    }
    if (user_or_abort->GetType() == cuttlefish::confui::ConfUiCmd::kCliAck) {
        auto& ack_msg = static_cast<cuttlefish::confui::ConfUiAckMessage&>(*user_or_abort);
        if (ack_msg.IsSuccess()) {
            ConfUiLog(ERROR) << "When host failed, it is supposed to send "
                             << "kCliAck with fail, but this is kCliAck with success";
        }
        error_rc = ResponseCode::SystemError;
        return error;
    }
    cuttlefish::confui::ConfUiCliResponseMessage& user_response =
        static_cast<cuttlefish::confui::ConfUiCliResponseMessage&>(*user_or_abort);

    // pick, see if it is response, abort cmd
    // handle abort or error response here
    ConfUiLog(INFO) << "Making up the result";

    // make up the result triple
    if (user_response.GetResponse() == cuttlefish::confui::UserResponse::kCancel) {
        SerializedSend(cuttlefish::confui::SendStopCmd, host_fd_, GetSessionId());
        return {ResponseCode::Canceled, {}, {}};
    }

    if (user_response.GetResponse() != cuttlefish::confui::UserResponse::kConfirm) {
        ConfUiLog(ERROR) << "Unexpected user response that is " << user_response.GetResponse();
        return error;
    }
    SerializedSend(cuttlefish::confui::SendStopCmd, host_fd_, GetSessionId());
    //  ############################## Start 4th Phase - cleanup ##################################
    return {ResponseCode::OK, user_response.GetMessage(), user_response.GetSign()};
}

Return<ResponseCode> GuestSession::DeliverSecureInputEvent(
    const android::hardware::keymaster::V4_0::HardwareAuthToken& auth_token) {
    ResponseCode rc = ResponseCode::Ignored;
    {
        /*
         * deliverSecureInputEvent is only used by the VTS test to mock human input. A correct
         * implementation responds with a mock confirmation token signed with a test key. The
         * problem is that the non interactive grace period was not formalized in the HAL spec,
         * so that the VTS test does not account for the grace period. (It probably should.)
         * This means we can only pass the VTS test if we block until the grace period is over
         * (SetupDone -> Interactive) before we deliver the input event.
         *
         * The true secure input is delivered by a different mechanism and gets ignored -
         * not queued - until the grace period is over.
         *
         */
        std::unique_lock<std::mutex> stateLock(listener_state_lock_);
        listener_state_condv_.wait(stateLock,
                                   [this] { return listener_state_ != ListenerState::SetupDone; });
        if (listener_state_ != ListenerState::Interactive) return ResponseCode::Ignored;
        if (static_cast<TestModeCommands>(auth_token.challenge) == TestModeCommands::OK_EVENT) {
            SerializedSend(cuttlefish::confui::SendUserSelection, host_fd_, GetSessionId(),
                           cuttlefish::confui::UserResponse::kConfirm);
        } else {
            SerializedSend(cuttlefish::confui::SendUserSelection, host_fd_, GetSessionId(),
                           cuttlefish::confui::UserResponse::kCancel);
        }
        rc = ResponseCode::OK;
    }
    listener_state_condv_.notify_all();
    // VTS test expect an OK response if the event was successfully delivered.
    // But since the TA returns the callback response now, we have to translate
    // Canceled into OK. Canceled is only returned if the delivered event canceled
    // the operation, which means that the event was successfully delivered. Thus
    // we return OK.
    if (rc == ResponseCode::Canceled) return ResponseCode::OK;
    return rc;
}

Return<void> GuestSession::Abort() {
    {
        std::unique_lock<std::mutex> stateLock(listener_state_lock_);
        if (listener_state_ == ListenerState::SetupDone ||
            listener_state_ == ListenerState::Interactive) {
            if (host_fd_->IsOpen()) {
                SerializedSend(cuttlefish::confui::SendAbortCmd, host_fd_, GetSessionId());
            }
            using cuttlefish::confui::ConfUiAbortMessage;
            auto local_abort_cmd = std::make_unique<ConfUiAbortMessage>(GetSessionId());
            incoming_msg_queue_.Push(std::move(local_abort_cmd));
        }
    }
    listener_state_condv_.notify_all();
    return Void();
}
}  // namespace implementation
}  // namespace V1_0
}  // namespace confirmationui
}  // namespace hardware
}  // namespace android