Sailfish Secrets
API DocumentationStoragePlugin Class
(Sailfish::Secrets::StoragePlugin)Specifies an interface allowing storage and retrieval of secrets More...
| Header: | #include <Secrets/Plugins/extensionplugins.h> |
| Inherits: | Sailfish::Secrets::PluginBase |
Public Types
| enum | FilterOperator { OperatorOr, OperatorAnd } |
| enum | StorageType { NoStorage, InMemoryStorage, FileSystemStorage, SecureFilesystemStorage, SecurePeripheralStorage } |
Public Functions
| StoragePlugin() | |
| virtual | ~StoragePlugin() |
| virtual Sailfish::Secrets::Result | collectionNames(QStringList *names) = 0 |
| virtual Sailfish::Secrets::Result | createCollection(const QString &collectionName) = 0 |
| virtual Sailfish::Secrets::Result | findSecrets(const QString &collectionName, const Sailfish::Secrets::Secret::FilterData &filter, Sailfish::Secrets::StoragePlugin::FilterOperator filterOperator, QStringList *secretNames) = 0 |
| virtual Sailfish::Secrets::Result | getSecret(const QString &collectionName, const QString &secretName, QByteArray *secret, Sailfish::Secrets::Secret::FilterData *filterData) = 0 |
| virtual Sailfish::Secrets::Result | reencrypt(const QString &collectionName, const QString &secretName, const QByteArray &oldkey, const QByteArray &newkey, Sailfish::Secrets::EncryptionPlugin *plugin) = 0 |
| virtual Sailfish::Secrets::Result | removeCollection(const QString &collectionName) = 0 |
| virtual Sailfish::Secrets::Result | removeSecret(const QString &collectionName, const QString &secretName) = 0 |
| virtual Sailfish::Secrets::Result | secretNames(const QString &collectionName, QStringList *secretNames) = 0 |
| virtual Sailfish::Secrets::Result | setSecret(const QString &collectionName, const QString &secretName, const QByteArray &secret, const Sailfish::Secrets::Secret::FilterData &filterData) = 0 |
| virtual Sailfish::Secrets::StoragePlugin::StorageType | storageType() const = 0 |
- 11 public functions inherited from Sailfish::Secrets::PluginBase
Detailed Description
Specifies an interface allowing storage and retrieval of secrets
The StoragePlugin type specifies an interface which includes a variety of operations on secrets and collections of secrets.
A plugin implementation should derive from this type only if the backing store (e.g. USB token, online service, etc) does not support encryption; otherwise, the EncryptedStoragePlugin interface should be used.
Member Type Documentation
enum StoragePlugin::FilterOperator
This enum defines the possible operators which may be specified for filter operations
| Constant | Value | Description |
|---|---|---|
Sailfish::Secrets::StoragePlugin::OperatorOr | SecretManager::OperatorOr | A secret matches the filter if its filter data contains any of the key-value pairs specified in the filter |
Sailfish::Secrets::StoragePlugin::OperatorAnd | SecretManager::OperatorAnd | A secret matches the filter if its filter data contains all of the key-value pairs specified in the filter |
enum StoragePlugin::StorageType
This enum defines the types of storage capability which may be offered by plugins
| Constant | Value | Description |
|---|---|---|
Sailfish::Secrets::StoragePlugin::NoStorage | 0 | No storage is provided |
Sailfish::Secrets::StoragePlugin::InMemoryStorage | 1 | Secrets are stored in-memory only; data won't survive reboot |
Sailfish::Secrets::StoragePlugin::FileSystemStorage | 2 | Normal filesystem storage, e.g. in a database |
Sailfish::Secrets::StoragePlugin::SecureFilesystemStorage | ? | Storage available to trusted execution environment applications only |
Sailfish::Secrets::StoragePlugin::SecurePeripheralStorage | 4 | Data is stored to a secure hardware peripheral via TEE application |
Member Function Documentation
StoragePlugin::StoragePlugin()
Constructs a new StoragePlugin instance
[virtual] StoragePlugin::~StoragePlugin()
Cleans up any memory used by the StoragePlugin instance
[pure virtual] Sailfish::Secrets::Result StoragePlugin::collectionNames(QStringList *names)
Writes the names of collections managed by the plugin to names
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If the storage plugin supports storing collections of secrets, it must implement this method by returning the names of currently stored collections into the out-parameter names and returning a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
Otherwise, it should write an empty list of collection names to the out-parameter names and return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::createCollection(const QString &collectionName)
Creates a collection within which to store secrets called collectionName
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If the storage plugin supports storing collections of secrets, it must implement this method such that the new collection is created, its name is subsequently returned from collectionNames(), and secrets can be stored in it, and the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
If a collection with that name already exists in the storage managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::CollectionAlreadyExistsError.
If the storage plugin does not support the creation of new collections, it should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::OperationNotSupportedError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::findSecrets(const QString &collectionName, const Sailfish::Secrets::Secret::FilterData &filter, Sailfish::Secrets::StoragePlugin::FilterOperator filterOperator, QStringList *secretNames)
Writes the name of each secret in the collection with the specified collectionName into the out-parameter secretNames if that secret has filter data matching the given filter according to the specified filterOperator.
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If the given collectionName is empty, or is the special value "standalone", the plugin should return the names of standalone secrets which match the filter requirements which are stored in the storage managed by the storage plugin. If the plugin does not support storing standalone secrets, it should set the secretNames out-parameter to an empty list, and return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If no collection with the given collectionName exists in the storage managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If the given filterOperator is OperatorOr then a secret is deemed to match if its filter data contains any of the key-value pairs specified in the filter. Otherwise, if the filterOperator is OperatorAnd then a secret is deemed to match only if its filter data contains all of the key-value pairs specified in the filter.
If the secret names were retrieved successfully, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::getSecret(const QString &collectionName, const QString &secretName, QByteArray *secret, Sailfish::Secrets::Secret::FilterData *filterData)
Write the secret data and filter data associated with the secret identified by the given secretName in the collection identified by the given collectionName into the secret and filterData out-parameters respectively.
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If no collection with the given collectionName exists in the storage managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If no secret with the given secretName exists in that collection managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidSecretError.
If the secret data was retrieved successfully, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::reencrypt(const QString &collectionName, const QString &secretName, const QByteArray &oldkey, const QByteArray &newkey, Sailfish::Secrets::EncryptionPlugin *plugin)
Transactionally re-encrypt secret data stored by the storage plugin using the specified oldkey to decrypt the current data, and then encrypting that data with the newkey, by calling the appropriate methods of the specified EncryptionPlugin plugin.
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If the given collectionName is empty, or is the special value "standalone", the plugin should re-encrypt the standalone secret identified by the given secretName. Otherwise, the plugin should re-encrypt every secret within the collection identified by the given collectionName.
Only the secret data (and not the filter data) should be re-encrypted.
This method will be invoked if the user changes the master encryption key, if any collection stored within this storage plugin uses master-lock (or device-lock) semantics. It will also be invoked if the user changes a custom-lock associated with a collection or standalone secret.
If the secret data was re-encrypted and updated within storage successfully, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::removeCollection(const QString &collectionName)
Removes the collection with the given collectionName from the storage managed by the plugin.
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If the storage plugin supports removing collections of secrets, it must implement this method such that the specified collection is removed, its name is subsequently no longer returned from collectionNames(), and and the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded. Any secrets which were stored into this collection should be removed as part of this operation.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
If no collection with that name exists in the storage managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If the storage plugin does not support the removal of collections, it should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::OperationNotSupportedError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::removeSecret(const QString &collectionName, const QString &secretName)
Remove the secret identified by the given secretName within the collection identified by the given collectionName from the storage managed by the storage plugin.
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If no collection with the given collectionName exists in the storage managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If no secret with the given secretName exists in that collection managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidSecretError.
If the secret data and any associated filter data was removed successfully, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::secretNames(const QString &collectionName, QStringList *secretNames)
Write the names of secrets which are stored by the plugin in the collection with the given collectionName to the secretNames out-parameter.
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If the given collectionName is empty, or is the special value "standalone", the plugin should return the names of standalone secrets which are stored in the storage managed by the storage plugin. If the plugin does not support storing standalone secrets, it should set the secretNames out-parameter to an empty list, and return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If no collection with the given collectionName exists in the storage managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If the secret names were retrieved successfully, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Succeeded.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
[pure virtual] Sailfish::Secrets::Result StoragePlugin::setSecret(const QString &collectionName, const QString &secretName, const QByteArray &secret, const Sailfish::Secrets::Secret::FilterData &filterData)
Store the given secret data identified by the given secretName with the specified filterData into the collection identified by the given collectionName.
If the plugin itself is locked, this function should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretsPluginIsLockedError.
If the given collectionName is either empty or contains the special value "standalone", this specifies that the secret should not be stored in a collection, but instead should be stored on its own (and thus not be deleted when any particular collection is deleted), if the storage plugin supports storing standalone secrets (and otherwise should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::OperationNotSupportedError).
If no collection with the given collectionName exists in the storage managed by the plugin, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If a secret with the specified secretName is already stored in the collection identified by the given collectionName, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Result::Failed and the error code set to Sailfish::Secrets::Result::SecretAlreadyExistsError.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Secrets::Result with the result code set to Sailfish::Secrets::Failed and the error code set to Sailfish::Secrets::Result::DatabaseError.
[pure virtual] Sailfish::Secrets::StoragePlugin::StorageType StoragePlugin::storageType() const
Returns the type of storage which is exposed by the plugin