| Index: chrome/browser/chromeos/login/parallel_authenticator.cc |
| diff --git a/chrome/browser/chromeos/login/parallel_authenticator.cc b/chrome/browser/chromeos/login/parallel_authenticator.cc |
| index ae27986999282a0261d70a321a30f4f32d2e6ff7..b7f544b2509d174f8105363dfcabddf3e848922b 100644 |
| --- a/chrome/browser/chromeos/login/parallel_authenticator.cc |
| +++ b/chrome/browser/chromeos/login/parallel_authenticator.cc |
| @@ -17,6 +17,7 @@ |
| #include "base/synchronization/lock.h" |
| #include "chrome/browser/chromeos/cros/cert_library.h" |
| #include "chrome/browser/chromeos/cros/cryptohome_library.h" |
| +#include "chrome/browser/chromeos/cros_settings.h" |
| #include "chrome/browser/chromeos/login/auth_response_handler.h" |
| #include "chrome/browser/chromeos/login/authentication_notification_details.h" |
| #include "chrome/browser/chromeos/login/login_status_consumer.h" |
| @@ -53,6 +54,8 @@ const int ParallelAuthenticator::kClientLoginTimeoutMs = 10000; |
| ParallelAuthenticator::ParallelAuthenticator(LoginStatusConsumer* consumer) |
| : Authenticator(consumer), |
| already_reported_success_(false), |
| + owner_is_verified_(false), |
| + user_can_login_(false), |
| using_oauth_( |
| CommandLine::ForCurrentProcess()->HasSwitch( |
| switches::kWebUILogin) && |
| @@ -81,13 +84,18 @@ void ParallelAuthenticator::AuthenticateToLogin( |
| login_token, |
| login_captcha, |
| !UserManager::Get()->IsKnownUser(canonicalized))); |
| + { |
| + LOG(ERROR) << "@@@ Resetting for " << username; |
| + // Reset the verified flag. |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + owner_is_verified_ = false; |
| + } |
| mounter_ = CryptohomeOp::CreateMountAttempt(current_state_.get(), |
| this, |
| false /* don't create */); |
| // Sadly, this MUST be on the UI thread due to sending DBus traffic :-/ |
| BrowserThread::PostTask( |
| BrowserThread::UI, FROM_HERE, |
| - |
| base::Bind(&CryptohomeOp::Initiate, mounter_.get())); |
| // ClientLogin authentication check should happen immediately here. |
| // We should not try OAuthLogin check until the profile loads. |
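Review bot: The `LOG(ERROR) << "@@@ Resetting for " << username;` line at the top of the added block writes the account name to the log at error severity on every login attempt and reads like leftover debugging; drop it, or keep something like `VLOG(1) << "Resetting owner verification";` that does not carry the username. The same `@@@` statements appear in the CompleteLogin, FinishVerifyOwnerOnFileThread and ResolveCryptohomeSuccessState hunks. The block also resets only `owner_is_verified_`; as written `user_can_login_` is read only after a new check sets both, but adding `user_can_login_ = false;` under the same lock would make each attempt start from the deny state rather than relying on that ordering. AuthenticateToLogin starts and ends outside this hunk.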
| @@ -111,6 +119,12 @@ void ParallelAuthenticator::CompleteLogin(Profile* profile, |
| password, |
| CrosLibrary::Get()->GetCryptohomeLibrary()->HashPassword(password), |
| !UserManager::Get()->IsKnownUser(canonicalized))); |
| + { |
| + LOG(ERROR) << "@@@ Resetting for " << username; |
| + // Reset the verified flag. |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + owner_is_verified_ = false; |
| + } |
| mounter_ = CryptohomeOp::CreateMountAttempt(current_state_.get(), |
| this, |
| false /* don't create */); |
| @@ -253,6 +267,40 @@ void ParallelAuthenticator::ResyncRecoverHelper(CryptohomeOp* to_initiate) { |
| base::Bind(&CryptohomeOp::Initiate, to_initiate)); |
| } |
| +void ParallelAuthenticator::VerifyOwnerOnUIThread() { |
| + // Check if policy data is fine and continue in safe mode if needed. |
| + bool is_safe_mode = false; |
| + CrosSettings::Get()->GetBoolean(kPolicyMissingMitigationMode, &is_safe_mode); |
| + if (!is_safe_mode) { |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + // Now we can continue reading the private key. |
| + user_can_login_ = true; |
| + owner_is_verified_ = true; |
| + BrowserThread::PostTask( |
| + BrowserThread::IO, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::Resolve, this)); |
| + return; |
| + } |
| + // First we have to make sure the current user's cert store is available. |
| + UserManager::Get()->LoadKeyStore(); |
| + // Now we can continue reading the private key. |
| + BrowserThread::PostTask( |
| + BrowserThread::FILE, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::FinishVerifyOwnerOnFileThread, this)); |
| +} |
| + |
| +void ParallelAuthenticator::FinishVerifyOwnerOnFileThread() { |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + // Now we can continue reading the private key. |
| + user_can_login_ = |
| + OwnershipService::GetSharedInstance()->CurrentUserIsOwner(); |
| + owner_is_verified_ = true; |
| + BrowserThread::PostTask( |
| + BrowserThread::IO, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::Resolve, this)); |
| + LOG(ERROR) << "@@@ Check finished: " << user_can_login_; |
| +} |
| + |
| void ParallelAuthenticator::RetryAuth(Profile* profile, |
| const std::string& username, |
| const std::string& password, |
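Review bot: In VerifyOwnerOnUIThread the result of `GetBoolean(kPolicyMissingMitigationMode, &is_safe_mode)` is discarded, so a read that fails leaves `is_safe_mode` false and takes the branch that sets `user_can_login_ = true` with no owner check. If the setting is only ever absent outside mitigation mode that is the intended outcome, but if it can also be unreadable at this point (settings not loaded yet, for instance; not visible here) the owner-only restriction fails open, so a comment stating which case applies, or a check of the return value, is needed. Separately, FinishVerifyOwnerOnFileThread holds `owner_verified_lock_` across `CurrentUserIsOwner()`, which is dispatched to the FILE thread and so presumably may block, while ResolveCryptohomeSuccessState takes the same lock; computing `const bool is_owner = OwnershipService::GetSharedInstance()->CurrentUserIsOwner();` before the `AutoLock` would limit the critical section to the two assignments. The comment `// Now we can continue reading the private key.` is repeated in three places, two of which read no key, and should be reworded to say what each branch does.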
| @@ -417,6 +465,15 @@ void ParallelAuthenticator::Resolve() { |
| this, |
| current_state_->online_outcome())); |
| break; |
| + case OWNER_REQUIRED: |
| + current_state_->ResetCryptohomeStatus(); |
|
Chris Masone
2012/02/24 18:49:45
Hm. This doesn't actually unmount the user's cryp
pastarmovj
2012/03/13 15:21:55
Done.
|
| + BrowserThread::PostTask(BrowserThread::UI, |
| + FROM_HERE, |
| + base::Bind( |
| + &ParallelAuthenticator::OnLoginFailure, |
| + this, |
| + LoginFailure(LoginFailure::OWNER_REQUIRED))); |
| + break; |
| default: |
| NOTREACHED(); |
| break; |
| @@ -532,7 +589,16 @@ ParallelAuthenticator::ResolveCryptohomeSuccessState() { |
| return RECOVER_MOUNT; |
| if (key_checker_.get()) |
| return UNLOCK; |
| - return OFFLINE_LOGIN; |
| + |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + LOG(ERROR) << "@@@ cryptohome state " << owner_is_verified_; |
| + if (!owner_is_verified_) { |
| + BrowserThread::PostTask( |
| + BrowserThread::UI, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::VerifyOwnerOnUIThread, this)); |
| + return CONTINUE; |
| + } |
| + return user_can_login_ ? OFFLINE_LOGIN : OWNER_REQUIRED; |
| } |
| namespace { |
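Review bot: Every pass through ResolveCryptohomeSuccessState that finds `owner_is_verified_` still false posts another VerifyOwnerOnUIThread task, and nothing visible in the hunk records that a check is already in flight. If Resolve() can run again before the first check finishes (its callers are not visible here), each queued check will post its own Resolve() and the OWNER_REQUIRED or OFFLINE_LOGIN outcome may be handled more than once. A pending flag set and tested under `owner_verified_lock_` would prevent the duplicate post, for example a new member used as `if (!owner_check_pending_) { owner_check_pending_ = true; /* PostTask as now */ }` and cleared where `owner_is_verified_` is reset. The function begins outside the hunk, so the earlier returns and the code that consumes the new CONTINUE and OWNER_REQUIRED results are not covered by this note.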