Add first implemenation for SU password sync

chrome/browser/chromeos/login/managed/supervised_user_authentication.cc

+// Copyright (c) 2012 The Chromium Authors. All rights reserved.

[Nikita (slow), 2013/12/09 17:51:08]

nit: 2013

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h"
+
+#include "base/base64.h"
+#include "base/command_line.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "chrome/browser/chromeos/login/supervised_user_manager.h"
+#include "chromeos/chromeos_switches.h"
+#include "crypto/random.h"
+#include "crypto/symmetric_key.h"
+
+namespace chromeos {
+
+namespace {
+
+const unsigned kNumIterations = 1234;

[Nikita (slow), 2013/12/09 16:42:16]

nit: Please add short comment about these constants.

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+const unsigned kSaltSize = 32;
+const unsigned kKeySizeInBits = 256;
+
+std::string CreateSalt() {
+    char result[kSaltSize];
+    crypto::RandBytes(&result, sizeof(result));
+    return StringToLowerASCII(base::HexEncode(
+        reinterpret_cast<const void*>(result),
+        sizeof(result)));
+}
+
+} // namespace
+
+SupervisedUserAuthentication::SupervisedUserAuthentication(
+    SupervisedUserManager* owner)
+      : owner_(owner),
+        should_migrate_(false),
+        target_version_(kPlainPasswordSchema) {
+  CommandLine* command_line = CommandLine::ForCurrentProcess();
+  if (command_line->HasSwitch(switches::kEnableSupervisedPasswordSync)) {
+    should_migrate_ = true;
+    target_version_ = kPasswordEncryptedWithSaltSchema;
+  }
+}
+
+SupervisedUserAuthentication::~SupervisedUserAuthentication() {}
+
+std::string SupervisedUserAuthentication::TransformPassword(
+    const std::string& user_id,
+    const std::string& password) {
+  int user_schema_version = GetPasswordSchemaVersion(user_id);
+  if (kPlainPasswordSchema == user_schema_version)
+    return password;
+  if (kPasswordEncryptedWithSaltSchema == user_schema_version) {

[Nikita (slow), 2013/12/09 17:51:08]

nit: How about wrapping this into else if

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+    base::DictionaryValue holder;
+    std::string salt;
+    owner_->GetPasswordInformation(user_id, &holder);
+    holder.GetStringWithoutPathExpansion(kSalt, &salt);
+    DCHECK(!salt.empty());
+    return BuildPasswordForSchemaV2(salt, password);
+  }
+  NOTREACHED();

[Nikita (slow), 2013/12/09 17:51:08]

nit: Put this block into else?

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+  return password;
+}
+
+bool SupervisedUserAuthentication::FillDataForNewUser(
+    const std::string& user_id,
+    const std::string& password,
+    base::DictionaryValue* password_data) {
+  int schema = target_version_;
+  if (schema == kPlainPasswordSchema)

[Nikita (slow), 2013/12/09 17:51:08]

nit: Please keep consistency with previous method: either first put variable or
constant.

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+    return false;
+  if (schema == kPasswordEncryptedWithSaltSchema) {

[Nikita (slow), 2013/12/09 17:51:08]

nit:
if (v1) {
  ..
} else if (v2) {
  ..
} else {
  NOTREACHED();
}

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

[Bernhard Bauer, 2013/12/14 03:02:30]

Um... sorry, but http://dev.chromium.org/developers/coding-style#Code_Formatting
says "Don't use else after return", and all the branches here end with a return
statement.

[Nikita (slow), 2013/12/15 06:55:12]

So this should be like
bool result = false;

if (...) {
  ...
  result = true;
} else {
  ...
  result = false;
}

return result;

right?

[Bernhard Bauer, 2013/12/15 15:39:56]

No, the else should go, not the return :)

So it would be like

  if (...)
    return false;

  if (...)
    return true;

  NOTREACHED();
  return false;

+    password_data->SetStringWithoutPathExpansion(

[Bernhard Bauer, 2013/12/11 14:46:43]

You don't need to store everything as a string. You could just use
SetInteger...().

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Yes, but (as I understand) if I at some point set it as integer, and in other
try to get it as string (or vice versa) it will fail.
And as they are written to disk / (will be) retrieved from sync as strings, it's
easier to pass them around as strings.

[Bernhard Bauer, 2013/12/13 00:30:50]

Sync doesn't know about the preferences as they are stored in Local State. The
API for you to use will take a string key and a base::Value setting, which could
be an integer. It will internally serialize the value to JSON (i.e. a string),
but that's an implementation detail.

+        kSchemaVersion, base::IntToString(schema));

[Nikita (slow), 2013/12/09 17:51:08]

nit: Will it fit? First parameter on previous line, another one aligned.

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+    std::string salt = CreateSalt();
+    password_data->SetStringWithoutPathExpansion(
+        kSalt, salt);

[Nikita (slow), 2013/12/09 17:51:08]

nit: Fits on the previous line.

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+    password_data->SetStringWithoutPathExpansion(
+        kPasswordVersion, std::string("1"));

[Nikita (slow), 2013/12/09 17:51:08]

nit: first parameter on the previous line, another one aligned.

[Nikita (slow), 2013/12/09 17:51:08]

nit: std::string("1") - magic constant?

[Denis Kuznetsov (DE-MUC), 2013/12/12 19:45:24]

Done.

+    password_data->SetStringWithoutPathExpansion(
+        kEncryptedPassword, BuildPasswordForSchemaV2(salt, password));
+    return true;
+  }
+  NOTREACHED();
+  return false;
+}
+
+void SupervisedUserAuthentication::StorePasswordData(
+    const std::string& user_id,
+    const base::DictionaryValue& password_data) {
+  DictionaryValue holder;
+  owner_->GetPasswordInformation(user_id, &holder);
+  const base::Value* value;
+  if (password_data.GetWithoutPathExpansion(kSchemaVersion, &value))
+      holder.SetWithoutPathExpansion(kSchemaVersion, value->DeepCopy());
+  if (password_data.GetWithoutPathExpansion(kSalt, &value))
+      holder.SetWithoutPathExpansion(kSalt, value->DeepCopy());
+  if (password_data.GetWithoutPathExpansion(kPasswordVersion, &value))
+      holder.SetWithoutPathExpansion(kPasswordVersion, value->DeepCopy());
+  owner_->SetPasswordInformation(user_id, &holder);
+}
+
+std::string SupervisedUserAuthentication::BuildPasswordForSchemaV2(
+  const std::string& salt,
+  const std::string& plain_password) {
+  scoped_ptr<crypto::SymmetricKey> key(
+      crypto::SymmetricKey::DeriveKeyFromPassword(
+          crypto::SymmetricKey::AES,
+          plain_password, salt,
+          kNumIterations, kKeySizeInBits));
+  std::string raw_result, result;
+  key->GetRawKey(&raw_result);
+  base::Base64Encode(raw_result, &result);
+  return result;
+}
+
+bool SupervisedUserAuthentication::PasswordNeedsMigration(
+    const std::string& user_id) {
+  return GetPasswordSchemaVersion(user_id) < target_version_;
+}
+
+int SupervisedUserAuthentication::GetPasswordSchemaVersion(
+  const std::string& user_id) {
+  base::DictionaryValue holder;
+  std::string schema_version_string;
+  owner_->GetPasswordInformation(user_id, &holder);
+  // Default version.
+  int schema_version = kPlainPasswordSchema;
+  if (holder.GetStringWithoutPathExpansion(kSchemaVersion,
+                                           &schema_version_string)) {
+    schema_version = atoi(schema_version_string.c_str());
+  }
+  return schema_version;
+}
+
+void SupervisedUserAuthentication::SchedulePasswordMigration(
+    const std::string& supervised_user_id,
+    const std::string& user_password,
+    SupervisedUserLoginFlow* user_flow) {
+  // TODO(antrim): Add actual migration code once cryptohome has required API.
+}
+
+}  // namespace chromeos