Implement ephemeral users

chrome/browser/chromeos/login/user_manager_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/user_manager_impl.h"
 
 #include <vector>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 17 matching lines @@
 #include "chrome/browser/chromeos/cryptohome/async_method_caller.h"
 #include "chrome/browser/chromeos/dbus/cryptohome_client.h"
 #include "chrome/browser/chromeos/dbus/dbus_thread_manager.h"
 #include "chrome/browser/chromeos/input_method/input_method_manager.h"
 #include "chrome/browser/chromeos/login/default_user_images.h"
 #include "chrome/browser/chromeos/login/helper.h"
 #include "chrome/browser/chromeos/login/login_display.h"
 #include "chrome/browser/chromeos/login/ownership_service.h"
 #include "chrome/browser/chromeos/login/remove_user_delegate.h"
 #include "chrome/browser/chromeos/system/runtime_environment.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
 #include "chrome/browser/prefs/pref_service.h"
 #include "chrome/browser/prefs/scoped_user_pref_update.h"
 #include "chrome/browser/profiles/profile_downloader.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/sync/profile_sync_service.h"
 #include "chrome/browser/sync/profile_sync_service_factory.h"
 #include "chrome/browser/ui/webui/web_ui_util.h"
 #include "chrome/common/chrome_notification_types.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
@@ skipping 235 matching lines @@
 }  // namespace
 
 UserManagerImpl::UserManagerImpl()
     : ALLOW_THIS_IN_INITIALIZER_LIST(image_loader_(new UserImageLoader)),
       demo_user_(kDemoUser, false),
       guest_user_(kGuestUser, true),
       stub_user_(kStubUser, false),
       logged_in_user_(NULL),
       is_current_user_owner_(false),
       is_current_user_new_(false),
+      is_current_user_ephemeral_(false),
       is_user_logged_in_(false),
+      ephemeral_users_enabled_(false),
       observed_sync_service_(NULL),
       last_image_set_async_(false),
       downloaded_profile_image_data_url_(chrome::kAboutBlankURL) {
   // Use stub as the logged-in user for test paths without login.
   if (!system::runtime_environment::IsRunningOnChromeOS())
     StubUserLoggedIn();
   registrar_.Add(this, chrome::NOTIFICATION_OWNER_KEY_FETCH_ATTEMPT_SUCCEEDED,
       content::NotificationService::AllSources());
   registrar_.Add(this, chrome::NOTIFICATION_PROFILE_ADDED,
       content::NotificationService::AllSources());
+  RetrieveTrustedDevicePolicies();
 }
 
 UserManagerImpl::~UserManagerImpl() {
 }
 
 const UserList& UserManagerImpl::GetUsers() const {
   const_cast<UserManagerImpl*>(this)->EnsureUsersLoaded();
   return users_;
 }
 
 void UserManagerImpl::UserLoggedIn(const std::string& email) {
   DCHECK(!is_user_logged_in_);
 
   is_user_logged_in_ = true;
 
   if (email == kGuestUser) {
+    is_current_user_ephemeral_ = true;
     GuestUserLoggedIn();
     return;
   }
 
   if (email == kDemoUser) {
+    is_current_user_ephemeral_ = true;
     DemoUserLoggedIn();
     return;
   }
 
-  EnsureUsersLoaded();
+  if (IsEphemeralUser(email)) {
+    is_current_user_new_ = true;
+    is_current_user_ephemeral_ = true;
+    logged_in_user_ = CreateUser(email);
+    SetInitialUserImage(email);
+  } else {
+    EnsureUsersLoaded();
 
-  // Clear the prefs view of the users.
-  PrefService* prefs = g_browser_process->local_state();
-  ListPrefUpdate prefs_users_update(prefs, UserManager::kLoggedInUsers);
-  prefs_users_update->Clear();
+    // Clear the prefs view of the users.
+    PrefService* prefs = g_browser_process->local_state();
+    ListPrefUpdate prefs_users_update(prefs, UserManager::kLoggedInUsers);
+    prefs_users_update->Clear();
 
-  // Make sure this user is first.
-  prefs_users_update->Append(Value::CreateStringValue(email));
-  UserList::iterator logged_in_user = users_.end();
-  for (UserList::iterator it = users_.begin(); it != users_.end(); ++it) {
-    std::string user_email = (*it)->email();
-    // Skip the most recent user.
-    if (email != user_email)
-      prefs_users_update->Append(Value::CreateStringValue(user_email));
-    else
-      logged_in_user = it;
+    // Make sure this user is first.
+    prefs_users_update->Append(Value::CreateStringValue(email));
+    UserList::iterator logged_in_user = users_.end();
+    for (UserList::iterator it = users_.begin(); it != users_.end(); ++it) {
+      std::string user_email = (*it)->email();
+      // Skip the most recent user.
+      if (email != user_email)
+        prefs_users_update->Append(Value::CreateStringValue(user_email));
+      else
+        logged_in_user = it;
+    }
+
+    if (logged_in_user == users_.end()) {
+      is_current_user_new_ = true;
+      logged_in_user_ = CreateUser(email);
+    } else {
+      logged_in_user_ = *logged_in_user;
+      users_.erase(logged_in_user);
+    }
+    // This user must be in the front of the user list.
+    users_.insert(users_.begin(), logged_in_user_);
   }
 
-  if (logged_in_user == users_.end()) {
-    is_current_user_new_ = true;
-    logged_in_user_ = CreateUser(email);
-  } else {
-    logged_in_user_ = *logged_in_user;
-    users_.erase(logged_in_user);
-  }
-  // This user must be in the front of the user list.
-  users_.insert(users_.begin(), logged_in_user_);
-
   NotifyOnLogin();
 
   if (is_current_user_new_) {
     SetInitialUserImage(email);
   } else {
     // Download profile image if it's user image and see if it has changed.
     int image_index = logged_in_user_->image_index();
     if (image_index == User::kProfileImageIndex) {
       InitDownloadedProfileImage();
       BrowserThread::PostDelayedTask(
@@ skipping 47 matching lines @@
 
   // Sanity check: do not allow the logged-in user to remove himself.
   if (logged_in_user_ && logged_in_user_->email() == email)
     return;
 
   RemoveUserInternal(email, delegate);
 }
 
 void UserManagerImpl::RemoveUserFromList(const std::string& email) {
   EnsureUsersLoaded();
-
-  // Clear the prefs view of the users.
-  PrefService* prefs = g_browser_process->local_state();
-  ListPrefUpdate prefs_users_update(prefs, UserManager::kLoggedInUsers);
-  prefs_users_update->Clear();
-
-  UserList::iterator user_to_remove = users_.end();
-  for (UserList::iterator it = users_.begin(); it != users_.end(); ++it) {
-    std::string user_email = (*it)->email();
-    // Skip user that we would like to delete.
-    if (email != user_email)
-      prefs_users_update->Append(Value::CreateStringValue(user_email));
-    else
-      user_to_remove = it;
-  }
-
-  DictionaryPrefUpdate prefs_images_update(prefs, UserManager::kUserImages);
-  std::string image_path_string;
-  prefs_images_update->GetStringWithoutPathExpansion(email, &image_path_string);
-  prefs_images_update->RemoveWithoutPathExpansion(email, NULL);
-
-  DictionaryPrefUpdate prefs_oauth_update(prefs,
-                                          UserManager::kUserOAuthTokenStatus);
-  int oauth_status;
-  prefs_oauth_update->GetIntegerWithoutPathExpansion(email, &oauth_status);
-  prefs_oauth_update->RemoveWithoutPathExpansion(email, NULL);
-
-  DictionaryPrefUpdate prefs_display_email_update(
-      prefs, UserManager::kUserDisplayEmail);
-  prefs_display_email_update->RemoveWithoutPathExpansion(email, NULL);
-
-  if (user_to_remove != users_.end()) {
-    --display_name_count_[(*user_to_remove)->GetDisplayName()];
-    delete *user_to_remove;
-    users_.erase(user_to_remove);
-  }
-
-  int default_image_id = User::kInvalidImageIndex;
-  if (!image_path_string.empty() &&
-      !IsDefaultImagePath(image_path_string, &default_image_id)) {
-    FilePath image_path(image_path_string);
-    BrowserThread::PostTask(
-        BrowserThread::FILE,
-        FROM_HERE,
-        base::Bind(&UserManagerImpl::DeleteUserImage,
-                   base::Unretained(this),
-                   image_path));
-  }
+  RemoveUserFromListInternal(email);
 }
 
 bool UserManagerImpl::IsKnownUser(const std::string& email) const {
   return FindUser(email) != NULL;
 }
 
 const User* UserManagerImpl::FindUser(const std::string& email) const {
-  // Speed up search by checking the logged-in user first.
   if (logged_in_user_ && logged_in_user_->email() == email)
     return logged_in_user_;
-  const UserList& users = GetUsers();
-  for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) {
-    if ((*it)->email() == email)
-      return *it;
-  }
-  return NULL;
+  return FindUserInList(email);
 }
 
 const User& UserManagerImpl::GetLoggedInUser() const {
   return *logged_in_user_;
 }
 
 User& UserManagerImpl::GetLoggedInUser() {
   return *logged_in_user_;
 }
 
 bool UserManagerImpl::IsDisplayNameUnique(
     const std::string& display_name) const {
   return display_name_count_[display_name] < 2;
 }
 
 void UserManagerImpl::SaveUserOAuthStatus(
     const std::string& username,
     User::OAuthTokenStatus oauth_token_status) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+
+  DVLOG(1) << "Saving user OAuth token status in Local State";
+  User* user = const_cast<User*>(FindUser(username));
+  if (user)
+    user->set_oauth_token_status(oauth_token_status);
+
+  // Do not update local store if the user is ephemeral.
+  if (IsEphemeralUser(username))
+    return;
+
   PrefService* local_state = g_browser_process->local_state();
+
   DictionaryPrefUpdate oauth_status_update(local_state,
                                            UserManager::kUserOAuthTokenStatus);
   oauth_status_update->SetWithoutPathExpansion(username,
       new base::FundamentalValue(static_cast<int>(oauth_token_status)));
-  DVLOG(1) << "Saving user OAuth token status in Local State";
-  User* user = const_cast<User*>(FindUser(username));
-  if (user)
-    user->set_oauth_token_status(oauth_token_status);
 }
 
 User::OAuthTokenStatus UserManagerImpl::LoadUserOAuthStatus(
     const std::string& username) const {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   if (CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kSkipOAuthLogin)) {
     // Use OAUTH_TOKEN_STATUS_VALID flag if kSkipOAuthLogin is present.
     return User::OAUTH_TOKEN_STATUS_VALID;
@@ skipping 16 matching lines @@
 void UserManagerImpl::SaveUserDisplayEmail(const std::string& username,
                                            const std::string& display_email) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   User* user = const_cast<User*>(FindUser(username));
   if (!user)
     return;  // Ignore if there is no such user.
 
   user->set_display_email(display_email);
 
+  // Do not update local store if the user is ephemeral.
+  if (IsEphemeralUser(username))
+    return;
+
   PrefService* local_state = g_browser_process->local_state();
 
   DictionaryPrefUpdate display_email_update(local_state,
                                             UserManager::kUserDisplayEmail);
   display_email_update->SetWithoutPathExpansion(
       username,
       base::Value::CreateStringValue(display_email));
 }
 
 std::string UserManagerImpl::GetUserDisplayEmail(
@@ skipping 34 matching lines @@
     SaveImageToLocalState(username, "", User::kProfileImageIndex, false);
   }
 }
 
 void UserManagerImpl::DownloadProfileImage(const std::string& reason) {
   if (profile_image_downloader_.get()) {
     // Another download is already in progress
     return;
   }
 
-  if (GetLoggedInUser().email().empty()) {
+  if (IsLoggedInAsGuest()) {
     // This is a guest login so there's no profile image to download.
     return;
   }
 
   profile_image_download_reason_ = reason;
   profile_image_load_start_time_ = base::Time::Now();
   profile_image_downloader_.reset(new ProfileDownloader(this));
   profile_image_downloader_->Start();
 }
 
 void UserManagerImpl::Observe(int type,
                           const content::NotificationSource& source,
                           const content::NotificationDetails& details) {
   switch (type) {
     case chrome::NOTIFICATION_OWNER_KEY_FETCH_ATTEMPT_SUCCEEDED:
       BrowserThread::PostTask(BrowserThread::FILE, FROM_HERE,
                               base::Bind(&UserManagerImpl::CheckOwnership,
                                          base::Unretained(this)));
+      BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
+          base::Bind(&UserManagerImpl::RetrieveTrustedDevicePolicies,
+          base::Unretained(this)));
       break;
     case chrome::NOTIFICATION_PROFILE_ADDED:
       if (IsUserLoggedIn() && !IsLoggedInAsGuest()) {
         Profile* profile = content::Source<Profile>(source).ptr();
         if (!profile->IsOffTheRecord() &&
             profile == ProfileManager::GetDefaultProfile()) {
           DCHECK(NULL == observed_sync_service_);
           observed_sync_service_ =
               ProfileSyncServiceFactory::GetForProfile(profile);
           if (observed_sync_service_)
@@ skipping 26 matching lines @@
 
 void UserManagerImpl::SetCurrentUserIsOwner(bool is_current_user_owner) {
   base::AutoLock lk(is_current_user_owner_lock_);
   is_current_user_owner_ = is_current_user_owner;
 }
 
 bool UserManagerImpl::IsCurrentUserNew() const {
   return is_current_user_new_;
 }
 
+bool UserManagerImpl::IsCurrentUserEphemeral() const {
+  return is_current_user_ephemeral_;
+}
+
 bool UserManagerImpl::IsUserLoggedIn() const {
   return is_user_logged_in_;
 }
 
 bool UserManagerImpl::IsLoggedInAsDemoUser() const {
   return logged_in_user_ == &demo_user_;
 }
 
 bool UserManagerImpl::IsLoggedInAsGuest() const {
   return logged_in_user_ == &guest_user_;
@@ skipping 103 matching lines @@
         if (prefs_display_emails &&
             prefs_display_emails->GetStringWithoutPathExpansion(
                 email, &display_email)) {
           user->set_display_email(display_email);
         }
       }
     }
   }
 }
 
+void UserManagerImpl::RetrieveTrustedDevicePolicies() {
+  ephemeral_users_enabled_ = false;
+  owner_email_ = "";

[merkulova, 2014/04/08 10:34:59]

I wonder why we need this string?
We can initialize owner_email in constructor instead if it's an initialization.

Also why we generally need this cache? Currently it's not possible that the
owner will be changed 'on-the-flight'.

[bartfab (slow), 2014/04/14 11:36:42]

Sorry for the late reply. I will summarize here what we discussed offline:

1) Ownership currently cannot go from set to unset. But it can go the other way:
It is possible that there is no owner at construction time but a user becomes
the owner later.

2) This method retrieves owner information from trusted (signed and verified)
device settings. Even if owner information were available during construction,
verifying the signature takes time. Thus, trusted owner information will only
ever become available after a delay.

3) Caching is important for two reasons: One, loading the information from disk
and verifying the signature every time would be extremely wasteful, it would
take time and resources. Two, the trusted status can go backwards in some rare
cases. So trusted owner information may be available at some point and can then
go away. If it is cached, the UserManager will still remember who the owner is.

+
+  CrosSettings* cros_settings = CrosSettings::Get();
+  // Schedule a callback if device policy has not yet been verified.
+  if (!cros_settings->GetTrusted(
+      kAccountsPrefEphemeralUsersEnabled,
+      base::Bind(&UserManagerImpl::RetrieveTrustedDevicePolicies,
+                 base::Unretained(this)))) {
+    return;
+  }
+
+  cros_settings->GetBoolean(kAccountsPrefEphemeralUsersEnabled,
+                            &ephemeral_users_enabled_);
+  cros_settings->GetString(kDeviceOwner, &owner_email_);
+
+  // If ephemeral users are enabled, remove all users except the owner.
+  if (ephemeral_users_enabled_) {
+    scoped_ptr<base::ListValue> users(
+        g_browser_process->local_state()->GetList(kLoggedInUsers)->DeepCopy());
+
+    bool changed = false;
+    for (base::ListValue::const_iterator user = users->begin();
+        user != users->end(); ++user) {
+      std::string user_email;
+      (*user)->GetAsString(&user_email);
+      if (user_email != owner_email_) {
+        RemoveUserFromListInternal(user_email);
+        changed = true;
+      }
+    }
+
+    if (changed) {
+      // Trigger a redraw of the login window.
+      content::NotificationService::current()->Notify(
+          chrome::NOTIFICATION_SYSTEM_SETTING_CHANGED,
+          content::Source<UserManagerImpl>(this),
+          content::NotificationService::NoDetails());
+    }
+  }
+}
+
+bool UserManagerImpl::AreEphemeralUsersEnabled() const {
+  return ephemeral_users_enabled_ &&
+      (g_browser_process->browser_policy_connector()->IsEnterpriseManaged() ||
+      !owner_email_.empty());
+}
+
+bool UserManagerImpl::IsEphemeralUser(const std::string& email) const {
+  // The guest user always is ephemeral.
+  if (email == guest_user_.email())
+    return true;
+
+  // The currently logged-in user is ephemeral iff logged in as ephemeral.
+  if (logged_in_user_ && (email == logged_in_user_->email()))
+    return is_current_user_ephemeral_;
+
+  // Any other user is ephemeral iff ephemeral users are enabled, the user is
+  // not the owner and is not in the persistent list.
+  return AreEphemeralUsersEnabled() &&
+      (email != owner_email_) &&
+      !FindUserInList(email);
+}
+
+const User* UserManagerImpl::FindUserInList(const std::string& email) const {
+  const UserList& users = GetUsers();
+  for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) {
+    if ((*it)->email() == email)
+      return *it;
+  }
+  return NULL;
+}
+
 void UserManagerImpl::StubUserLoggedIn() {
   logged_in_user_ = &stub_user_;
   stub_user_.SetImage(GetDefaultImage(kStubDefaultImageIndex),
                       kStubDefaultImageIndex);
 }
 
 void UserManagerImpl::NotifyOnLogin() {
   CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   content::NotificationService::current()->Notify(
       chrome::NOTIFICATION_LOGIN_USER_CHANGED,
@@ skipping 62 matching lines @@
   }
 }
 
 void UserManagerImpl::SaveUserImageInternal(const std::string& username,
                                         int image_index,
                                         const SkBitmap& image) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   SetUserImage(username, image_index, image);
 
+  // Ignore for ephemeral users.
+  if (IsEphemeralUser(username))
+    return;
+
   FilePath image_path = GetImagePathForUser(username);
   DVLOG(1) << "Saving user image to " << image_path.value();
 
   last_image_set_async_ = true;
 
   BrowserThread::PostTask(
       BrowserThread::FILE,
       FROM_HERE,
       base::Bind(&UserManagerImpl::SaveImageToFile,
                  base::Unretained(this),
@@ skipping 26 matching lines @@
                  base::Unretained(this),
                  username, image_path.value(), image_index, true));
 }
 
 void UserManagerImpl::SaveImageToLocalState(const std::string& username,
                                         const std::string& image_path,
                                         int image_index,
                                         bool is_async) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
+  // Ignore for ephemeral users.
+  if (IsEphemeralUser(username))
+    return;
+
   // TODO(ivankr): use unique filenames for user images each time
   // a new image is set so that only the last image update is saved
   // to Local State and notified.
   if (is_async && !last_image_set_async_) {
     DVLOG(1) << "Ignoring saved image because it has changed";
     return;
   } else if (!is_async) {
     // Reset the async image save flag if called directly from the UI thread.
     last_image_set_async_ = false;
   }
@@ skipping 129 matching lines @@
 }
 
 User* UserManagerImpl::CreateUser(const std::string& email) const {
   User* user = new User(email, email == kGuestUser);
   user->set_oauth_token_status(LoadUserOAuthStatus(email));
   // Used to determine whether user's display name is unique.
   ++display_name_count_[user->GetDisplayName()];
   return user;
 }
 
+void UserManagerImpl::RemoveUserFromListInternal(const std::string& email) {
+  // Clear the prefs view of the users.
+  PrefService* prefs = g_browser_process->local_state();
+  ListPrefUpdate prefs_users_update(prefs, kLoggedInUsers);
+  prefs_users_update->Clear();
+
+  UserList::iterator user_to_remove = users_.end();
+  for (UserList::iterator it = users_.begin(); it != users_.end(); ++it) {
+    std::string user_email = (*it)->email();
+    // Skip user that we would like to delete.
+    if (email != user_email)
+      prefs_users_update->Append(Value::CreateStringValue(user_email));
+    else
+      user_to_remove = it;
+  }
+
+  DictionaryPrefUpdate prefs_images_update(prefs, kUserImages);
+  std::string image_path_string;
+  prefs_images_update->GetStringWithoutPathExpansion(email, &image_path_string);
+  prefs_images_update->RemoveWithoutPathExpansion(email, NULL);
+
+  DictionaryPrefUpdate prefs_oauth_update(prefs, kUserOAuthTokenStatus);
+  int oauth_status;
+  prefs_oauth_update->GetIntegerWithoutPathExpansion(email, &oauth_status);
+  prefs_oauth_update->RemoveWithoutPathExpansion(email, NULL);
+
+  DictionaryPrefUpdate prefs_display_email_update(prefs, kUserDisplayEmail);
+  prefs_display_email_update->RemoveWithoutPathExpansion(email, NULL);
+
+  if (user_to_remove != users_.end()) {
+    --display_name_count_[(*user_to_remove)->GetDisplayName()];
+    delete *user_to_remove;
+    users_.erase(user_to_remove);
+  }
+
+  int default_image_id = User::kInvalidImageIndex;
+  if (!image_path_string.empty() &&
+      !IsDefaultImagePath(image_path_string, &default_image_id)) {
+    FilePath image_path(image_path_string);
+    BrowserThread::PostTask(
+        BrowserThread::FILE,
+        FROM_HERE,
+        base::Bind(&UserManagerImpl::DeleteUserImage,
+                   base::Unretained(this),
+                   image_path));
+  }
+}
+
 }  // namespace chromeos