Remote plasma api review.

Rob Scheepmaker r.scheepmaker at student.utwente.nl
Thu Jul 9 14:24:17 CEST 2009 

On Wednesday 08 July 2009 22:27:24 Aaron J. Seigo wrote:
> personally, what i'd expect is the ability to set the authorization
> interface either using an AuthorizationInterface* or by just calling
> AuthorizationManager::setAuthorizationInterface() with a enum as the
> parameter, with the enums mapping to these internal classes.
>
> so a shell can either go "standard" or "custom".
>
> the standards might include DenyAllAuthorization, PinPairingAuthorization,
> CertificateAuthorization? pin pairing should include certificate auth, i'd
> think, as well... but yes, then there's no need to make any of it public.

Sounds like a good idea. Indeed PinPairingAuthorization will only actually do 
pin pairing if there isn't already some trusted gpg key or something like that 
we could use to validate it's identity. 
I assume btw that it's safe to, when adding support for GPG, sign the 
QCA::PublicKey we use for signing/validating, and check if that GPG key is in 
some trusted key ring? That way, there's just a single code path for signing 
validating (just RSA or DSA keys, which doesn't really mind since they both 
implement QCA::PublicKey), and GPG (which has a completely different API in 
QCA) is just some addition on top of that. And the shell can just check 
Identity::isTrusted() to see if it is trusted even if in the future different 
method for establishing trust are used.
Hmm, now that I'm thinking about the Identity class: what if I, besides 
validating signatures, also put signing there (with identities that aren't the 
local machine just not being able to sign because of the lack of a 
privatekey), create some identity "me" in AuthorizationManager, and a second 
constructor that creates a private/public key pair. Then, if instead of 
QCA::PublicKey the constructor accepts the key as a QByteArray, ALL QCA 
related stuff (hmm, except tokens, well, let's say ALL crypto) will be 
encapsulated by Identity. Hell, we could then even switch out QCA entirely for 
something else in the probably unlikely case that QCA would become 
unmaintained. I'd like that....

> something else in AccessManager:
>
> ServiceAccessJob* accessService(KUrl location) const;
>
> the url is said to be, in the dox:
>
> * @param location a valid JOLIE url
>
> besides not wanting to really expose JOLIE too much in the api, this is not
> going to work out well for other modes of transit. same will go for
> retrieving applets.
>
> while it's just fine to have only JOLIE created right now, i think we
> should keep the possibility open for other mechanisms. JOLIE may not be an
> option on some devices, particularly very small ones. so while plasma://
> would be synonymous with "this is a JOLIE driven service" or "this is an
> applet we're going to grab using JOLIE", i do plan on writing an emb:// (or
> whatever) handler that does things in a rather more direct fashion between
> plasma and a device. the only major difference is the kind of service it
> returns (it would obviously speak a slightly different protocol) and how it
> retrieves the applet/service/etc.
>
> now, this doesn't impact the external API at all, but the apidox should
> probably be changed and the backend code should remain flexible enough to
> have this added in future.

Hmm, I didn't really think about bypassing jolie, but it's a good idea, and 
not hard to accomplish. Only in AuthorizationManager there are currently some 
Jolie::Message parameters for certain functions, but these functions usually 
only need a couple of fields from such a message, so I could replace them with 
some QByteArrays/QStrings. In which case the only place that does Jolie 
specific stuff would be RemoteService/RemoteServiceJob/ServiceProvider. Which 
would be neat: for a different future protocol (what IS emb:///?) All you need 
is a different implementation of those classes, and you'll have your different 
protocol. At the exact same way we could even version the JOLIE based 
protocol: See if the other side supports the newer version and then 
instantiate RemoteServiceV2 instead. We could even make those plugins, but 
let's not start with that :p

> > I hate it if there are two
> > methods for service access though (Service *serviceForSource and
> > ServiceAccessJob *accessService).
>
> there are actually more than two; you can ask for a service from a local
> plugin as well using Plasma::Service::load. there's nothing that says
> services must be attached a DataEngine, after all.
>
> that said, they all have completely different use cases, and in the case of
> serviceForSource, if it's a remote engine it should be using accessService
> in the background. so for the users of services today in plasma, it will be
> completely transparent and the API is just there as an implementation
> detail to them, no?

Yeah, true.

> > Another option would be to have
> > accessService in AccessManager and have it still return a Service *, but
> > that would make it inconsistent with accessApplet.
>
> i think the accessService should just return a Service*, since Service is
> (now, anyways :) fully async, and accessApplet should return a job because
> applets are _not_ async. it's not inconsistent really, it's just that the
> two kinds of objects behave very differently.

Ok, so to summarize:

Default implementations AuthorizationInterface become private and settable by 
Enum
Only have Jolie specific stuff in 
RemoteService/RemoteServiceJob/ServiceProvider
Have all QCA crypto stuff in identity.

Alright?
Let's put on my refactoring hat.
... pitty refactoring support for kdevelop is still a WiP :p


Oh, on a related topic:
Suppose we're going to connect to a remote nowplaying applet. That applet uses 
the nowplaying dataengine and possibly nowplaying service. So when we 
succesfully connect with the service that provides the applet, that service 
should also:
* make sure nowplaying dataengine is published (service will be published as a 
response to serviceForSource)
* create an AuthorizationRule for that identity that allows it access to 
nowplaying dataengine and applet.
So we need tok now which other services an applet uses so we can put all the 
light on green. (people probably wouldn't like having to Pin pair for all 
engines used by an applet as well :p). How it currently works however is that 
the applet's config contains a section with names of dataengines and the urls 
they point to. Which is not enough to acccomplish this.
So there are two ways to do this:
* Include a list of 'dependencies' in the applet's .desktop
* Invoke a dataEngine operation on the service providing the applet that will 
publish the dataengine (if not already published) and add a rule allowing the 
caller to access that engine.
the last option looks quite good, but it does give a little less flexibility. 
Theoratically, you could now configure a local applet to use dataengine a from 
machine A and dataengine b from machine B, which will be lost with that 
approach. I don't know how important it is to be able to do that kind of 
insane stuff ;)

Regards,
Rob

More information about the Plasma-devel mailing list