OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/login/supervised/supervised_user_authenticator
.h" | 5 #include "chrome/browser/chromeos/login/supervised/supervised_user_authenticator
.h" |
6 | 6 |
7 #include "base/bind.h" | 7 #include "base/bind.h" |
8 #include "base/strings/string_number_conversions.h" | 8 #include "base/strings/string_number_conversions.h" |
9 #include "base/strings/string_util.h" | 9 #include "base/strings/string_util.h" |
10 #include "chrome/browser/chromeos/boot_times_recorder.h" | 10 #include "chrome/browser/chromeos/boot_times_recorder.h" |
(...skipping 12 matching lines...) Expand all Loading... |
23 | 23 |
24 namespace chromeos { | 24 namespace chromeos { |
25 | 25 |
26 namespace { | 26 namespace { |
27 | 27 |
28 // Records status and calls resolver->Resolve(). | 28 // Records status and calls resolver->Resolve(). |
29 void TriggerResolve(SupervisedUserAuthenticator::AuthAttempt* attempt, | 29 void TriggerResolve(SupervisedUserAuthenticator::AuthAttempt* attempt, |
30 scoped_refptr<SupervisedUserAuthenticator> resolver, | 30 scoped_refptr<SupervisedUserAuthenticator> resolver, |
31 bool success, | 31 bool success, |
32 cryptohome::MountError return_code) { | 32 cryptohome::MountError return_code) { |
33 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 33 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
34 attempt->RecordCryptohomeStatus(success, return_code); | 34 attempt->RecordCryptohomeStatus(success, return_code); |
35 resolver->Resolve(); | 35 resolver->Resolve(); |
36 } | 36 } |
37 | 37 |
38 // Records status and calls resolver->Resolve(). | 38 // Records status and calls resolver->Resolve(). |
39 void TriggerResolveResult(SupervisedUserAuthenticator::AuthAttempt* attempt, | 39 void TriggerResolveResult(SupervisedUserAuthenticator::AuthAttempt* attempt, |
40 scoped_refptr<SupervisedUserAuthenticator> resolver, | 40 scoped_refptr<SupervisedUserAuthenticator> resolver, |
41 bool success, | 41 bool success, |
42 const std::string& result) { | 42 const std::string& result) { |
43 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 43 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
44 attempt->RecordHash(result); | 44 attempt->RecordHash(result); |
45 resolver->Resolve(); | 45 resolver->Resolve(); |
46 } | 46 } |
47 | 47 |
48 // Calls TriggerResolve while adding login time marker. | 48 // Calls TriggerResolve while adding login time marker. |
49 void TriggerResolveWithLoginTimeMarker( | 49 void TriggerResolveWithLoginTimeMarker( |
50 const std::string& marker_name, | 50 const std::string& marker_name, |
51 SupervisedUserAuthenticator::AuthAttempt* attempt, | 51 SupervisedUserAuthenticator::AuthAttempt* attempt, |
52 scoped_refptr<SupervisedUserAuthenticator> resolver, | 52 scoped_refptr<SupervisedUserAuthenticator> resolver, |
53 bool success, | 53 bool success, |
54 cryptohome::MountError return_code) { | 54 cryptohome::MountError return_code) { |
55 chromeos::BootTimesRecorder::Get()->AddLoginTimeMarker(marker_name, false); | 55 chromeos::BootTimesRecorder::Get()->AddLoginTimeMarker(marker_name, false); |
56 TriggerResolve(attempt, resolver, success, return_code); | 56 TriggerResolve(attempt, resolver, success, return_code); |
57 } | 57 } |
58 | 58 |
59 // Calls cryptohome's mount method. | 59 // Calls cryptohome's mount method. |
60 void Mount(SupervisedUserAuthenticator::AuthAttempt* attempt, | 60 void Mount(SupervisedUserAuthenticator::AuthAttempt* attempt, |
61 scoped_refptr<SupervisedUserAuthenticator> resolver, | 61 scoped_refptr<SupervisedUserAuthenticator> resolver, |
62 int flags, | 62 int flags, |
63 const std::string& system_salt) { | 63 const std::string& system_salt) { |
64 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 64 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
65 chromeos::BootTimesRecorder::Get()->AddLoginTimeMarker( | 65 chromeos::BootTimesRecorder::Get()->AddLoginTimeMarker( |
66 "CryptohomeMount-LMU-Start", false); | 66 "CryptohomeMount-LMU-Start", false); |
67 | 67 |
68 Key key(attempt->password); | 68 Key key(attempt->password); |
69 key.Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt); | 69 key.Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt); |
70 cryptohome::AsyncMethodCaller::GetInstance()->AsyncMount( | 70 cryptohome::AsyncMethodCaller::GetInstance()->AsyncMount( |
71 attempt->username, | 71 attempt->username, |
72 key.GetSecret(), | 72 key.GetSecret(), |
73 flags, | 73 flags, |
74 base::Bind(&TriggerResolveWithLoginTimeMarker, | 74 base::Bind(&TriggerResolveWithLoginTimeMarker, |
75 "CryptohomeMount-LMU-End", | 75 "CryptohomeMount-LMU-End", |
76 attempt, | 76 attempt, |
77 resolver)); | 77 resolver)); |
78 | 78 |
79 cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername( | 79 cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername( |
80 attempt->username, | 80 attempt->username, |
81 base::Bind(&TriggerResolveResult, attempt, resolver)); | 81 base::Bind(&TriggerResolveResult, attempt, resolver)); |
82 } | 82 } |
83 | 83 |
84 // Calls cryptohome's addKey method. | 84 // Calls cryptohome's addKey method. |
85 void AddKey(SupervisedUserAuthenticator::AuthAttempt* attempt, | 85 void AddKey(SupervisedUserAuthenticator::AuthAttempt* attempt, |
86 scoped_refptr<SupervisedUserAuthenticator> resolver, | 86 scoped_refptr<SupervisedUserAuthenticator> resolver, |
87 const std::string& plain_text_master_key, | 87 const std::string& plain_text_master_key, |
88 const std::string& system_salt) { | 88 const std::string& system_salt) { |
89 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 89 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
90 chromeos::BootTimesRecorder::Get()->AddLoginTimeMarker( | 90 chromeos::BootTimesRecorder::Get()->AddLoginTimeMarker( |
91 "CryptohomeAddKey-LMU-Start", false); | 91 "CryptohomeAddKey-LMU-Start", false); |
92 | 92 |
93 Key user_key(attempt->password); | 93 Key user_key(attempt->password); |
94 user_key.Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt); | 94 user_key.Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt); |
95 Key master_key(plain_text_master_key); | 95 Key master_key(plain_text_master_key); |
96 master_key.Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt); | 96 master_key.Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt); |
97 cryptohome::AsyncMethodCaller::GetInstance()->AsyncAddKey( | 97 cryptohome::AsyncMethodCaller::GetInstance()->AsyncAddKey( |
98 attempt->username, | 98 attempt->username, |
99 user_key.GetSecret(), | 99 user_key.GetSecret(), |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
152 SystemSaltGetter::Get()->GetSystemSalt( | 152 SystemSaltGetter::Get()->GetSystemSalt( |
153 base::Bind(&AddKey, | 153 base::Bind(&AddKey, |
154 current_state_.get(), | 154 current_state_.get(), |
155 scoped_refptr<SupervisedUserAuthenticator>(this), | 155 scoped_refptr<SupervisedUserAuthenticator>(this), |
156 master_key)); | 156 master_key)); |
157 } | 157 } |
158 | 158 |
159 void SupervisedUserAuthenticator::OnAuthenticationSuccess( | 159 void SupervisedUserAuthenticator::OnAuthenticationSuccess( |
160 const std::string& mount_hash, | 160 const std::string& mount_hash, |
161 bool add_key) { | 161 bool add_key) { |
162 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 162 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
163 VLOG(1) << "Supervised user authentication success"; | 163 VLOG(1) << "Supervised user authentication success"; |
164 if (consumer_) { | 164 if (consumer_) { |
165 if (add_key) | 165 if (add_key) |
166 consumer_->OnAddKeySuccess(); | 166 consumer_->OnAddKeySuccess(); |
167 else | 167 else |
168 consumer_->OnMountSuccess(mount_hash); | 168 consumer_->OnMountSuccess(mount_hash); |
169 } | 169 } |
170 } | 170 } |
171 | 171 |
172 void SupervisedUserAuthenticator::OnAuthenticationFailure( | 172 void SupervisedUserAuthenticator::OnAuthenticationFailure( |
173 SupervisedUserAuthenticator::AuthState state) { | 173 SupervisedUserAuthenticator::AuthState state) { |
174 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 174 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
175 LOG(WARNING) << "Supervised user authentication failure"; | 175 LOG(WARNING) << "Supervised user authentication failure"; |
176 if (consumer_) | 176 if (consumer_) |
177 consumer_->OnAuthenticationFailure(state); | 177 consumer_->OnAuthenticationFailure(state); |
178 } | 178 } |
179 | 179 |
180 void SupervisedUserAuthenticator::Resolve() { | 180 void SupervisedUserAuthenticator::Resolve() { |
181 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 181 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
182 SupervisedUserAuthenticator::AuthState state = ResolveState(); | 182 SupervisedUserAuthenticator::AuthState state = ResolveState(); |
183 VLOG(1) << "Resolved state to: " << state; | 183 VLOG(1) << "Resolved state to: " << state; |
184 switch (state) { | 184 switch (state) { |
185 case CONTINUE: | 185 case CONTINUE: |
186 // These are intermediate states; we need more info from a request that | 186 // These are intermediate states; we need more info from a request that |
187 // is still pending. | 187 // is still pending. |
188 break; | 188 break; |
189 case FAILED_MOUNT: | 189 case FAILED_MOUNT: |
190 // In this case, whether login succeeded or not, we can't log | 190 // In this case, whether login succeeded or not, we can't log |
191 // the user in because their data is horked. So, override with | 191 // the user in because their data is horked. So, override with |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
232 default: | 232 default: |
233 NOTREACHED(); | 233 NOTREACHED(); |
234 break; | 234 break; |
235 } | 235 } |
236 } | 236 } |
237 | 237 |
238 SupervisedUserAuthenticator::~SupervisedUserAuthenticator() {} | 238 SupervisedUserAuthenticator::~SupervisedUserAuthenticator() {} |
239 | 239 |
240 SupervisedUserAuthenticator::AuthState | 240 SupervisedUserAuthenticator::AuthState |
241 SupervisedUserAuthenticator::ResolveState() { | 241 SupervisedUserAuthenticator::ResolveState() { |
242 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 242 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
243 // If we haven't mounted the user's home dir yet, we can't be done. | 243 // If we haven't mounted the user's home dir yet, we can't be done. |
244 // We never get past here if a cryptohome op is still pending. | 244 // We never get past here if a cryptohome op is still pending. |
245 // This is an important invariant. | 245 // This is an important invariant. |
246 if (!current_state_->cryptohome_complete()) | 246 if (!current_state_->cryptohome_complete()) |
247 return CONTINUE; | 247 return CONTINUE; |
248 if (!current_state_->add_key && !current_state_->hash_obtained()) | 248 if (!current_state_->add_key && !current_state_->hash_obtained()) |
249 return CONTINUE; | 249 return CONTINUE; |
250 | 250 |
251 AuthState state; | 251 AuthState state; |
252 | 252 |
253 if (current_state_->cryptohome_outcome()) | 253 if (current_state_->cryptohome_outcome()) |
254 state = ResolveCryptohomeSuccessState(); | 254 state = ResolveCryptohomeSuccessState(); |
255 else | 255 else |
256 state = ResolveCryptohomeFailureState(); | 256 state = ResolveCryptohomeFailureState(); |
257 | 257 |
258 DCHECK(current_state_->cryptohome_complete()); | 258 DCHECK(current_state_->cryptohome_complete()); |
259 DCHECK(current_state_->hash_obtained() || current_state_->add_key); | 259 DCHECK(current_state_->hash_obtained() || current_state_->add_key); |
260 return state; | 260 return state; |
261 } | 261 } |
262 | 262 |
263 SupervisedUserAuthenticator::AuthState | 263 SupervisedUserAuthenticator::AuthState |
264 SupervisedUserAuthenticator::ResolveCryptohomeFailureState() { | 264 SupervisedUserAuthenticator::ResolveCryptohomeFailureState() { |
265 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 265 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
266 LOG(ERROR) << "Failed to authenticate supervised user, code: " | 266 LOG(ERROR) << "Failed to authenticate supervised user, code: " |
267 << current_state_->cryptohome_code(); | 267 << current_state_->cryptohome_code(); |
268 if (current_state_->cryptohome_code() == | 268 if (current_state_->cryptohome_code() == |
269 cryptohome::MOUNT_ERROR_TPM_NEEDS_REBOOT) { | 269 cryptohome::MOUNT_ERROR_TPM_NEEDS_REBOOT) { |
270 // Critical TPM error detected, reboot needed. | 270 // Critical TPM error detected, reboot needed. |
271 return FAILED_TPM; | 271 return FAILED_TPM; |
272 } | 272 } |
273 | 273 |
274 if (current_state_->cryptohome_code() == | 274 if (current_state_->cryptohome_code() == |
275 cryptohome::MOUNT_ERROR_USER_DOES_NOT_EXIST) { | 275 cryptohome::MOUNT_ERROR_USER_DOES_NOT_EXIST) { |
276 // If we tried a mount but the user did not exist, then we should wait | 276 // If we tried a mount but the user did not exist, then we should wait |
277 // for online login to succeed and try again with the "create" flag set. | 277 // for online login to succeed and try again with the "create" flag set. |
278 return NO_MOUNT; | 278 return NO_MOUNT; |
279 } | 279 } |
280 | 280 |
281 return FAILED_MOUNT; | 281 return FAILED_MOUNT; |
282 } | 282 } |
283 | 283 |
284 SupervisedUserAuthenticator::AuthState | 284 SupervisedUserAuthenticator::AuthState |
285 SupervisedUserAuthenticator::ResolveCryptohomeSuccessState() { | 285 SupervisedUserAuthenticator::ResolveCryptohomeSuccessState() { |
286 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 286 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
287 return SUCCESS; | 287 return SUCCESS; |
288 } | 288 } |
289 | 289 |
290 SupervisedUserAuthenticator::AuthAttempt::AuthAttempt( | 290 SupervisedUserAuthenticator::AuthAttempt::AuthAttempt( |
291 const std::string& username, | 291 const std::string& username, |
292 const std::string& password, | 292 const std::string& password, |
293 bool add_key_attempt) | 293 bool add_key_attempt) |
294 : username(username), | 294 : username(username), |
295 password(password), | 295 password(password), |
296 add_key(add_key_attempt), | 296 add_key(add_key_attempt), |
297 cryptohome_complete_(false), | 297 cryptohome_complete_(false), |
298 cryptohome_outcome_(false), | 298 cryptohome_outcome_(false), |
299 hash_obtained_(false), | 299 hash_obtained_(false), |
300 cryptohome_code_(cryptohome::MOUNT_ERROR_NONE) {} | 300 cryptohome_code_(cryptohome::MOUNT_ERROR_NONE) {} |
301 | 301 |
302 SupervisedUserAuthenticator::AuthAttempt::~AuthAttempt() {} | 302 SupervisedUserAuthenticator::AuthAttempt::~AuthAttempt() {} |
303 | 303 |
304 void SupervisedUserAuthenticator::AuthAttempt::RecordCryptohomeStatus( | 304 void SupervisedUserAuthenticator::AuthAttempt::RecordCryptohomeStatus( |
305 bool cryptohome_outcome, | 305 bool cryptohome_outcome, |
306 cryptohome::MountError cryptohome_code) { | 306 cryptohome::MountError cryptohome_code) { |
307 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 307 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
308 cryptohome_complete_ = true; | 308 cryptohome_complete_ = true; |
309 cryptohome_outcome_ = cryptohome_outcome; | 309 cryptohome_outcome_ = cryptohome_outcome; |
310 cryptohome_code_ = cryptohome_code; | 310 cryptohome_code_ = cryptohome_code; |
311 } | 311 } |
312 | 312 |
313 void SupervisedUserAuthenticator::AuthAttempt::RecordHash( | 313 void SupervisedUserAuthenticator::AuthAttempt::RecordHash( |
314 const std::string& hash) { | 314 const std::string& hash) { |
315 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 315 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
316 hash_obtained_ = true; | 316 hash_obtained_ = true; |
317 hash_ = hash; | 317 hash_ = hash; |
318 } | 318 } |
319 | 319 |
320 bool SupervisedUserAuthenticator::AuthAttempt::cryptohome_complete() { | 320 bool SupervisedUserAuthenticator::AuthAttempt::cryptohome_complete() { |
321 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 321 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
322 return cryptohome_complete_; | 322 return cryptohome_complete_; |
323 } | 323 } |
324 | 324 |
325 bool SupervisedUserAuthenticator::AuthAttempt::cryptohome_outcome() { | 325 bool SupervisedUserAuthenticator::AuthAttempt::cryptohome_outcome() { |
326 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 326 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
327 return cryptohome_outcome_; | 327 return cryptohome_outcome_; |
328 } | 328 } |
329 | 329 |
330 cryptohome::MountError | 330 cryptohome::MountError |
331 SupervisedUserAuthenticator::AuthAttempt::cryptohome_code() { | 331 SupervisedUserAuthenticator::AuthAttempt::cryptohome_code() { |
332 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 332 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
333 return cryptohome_code_; | 333 return cryptohome_code_; |
334 } | 334 } |
335 | 335 |
336 bool SupervisedUserAuthenticator::AuthAttempt::hash_obtained() { | 336 bool SupervisedUserAuthenticator::AuthAttempt::hash_obtained() { |
337 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 337 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
338 return hash_obtained_; | 338 return hash_obtained_; |
339 } | 339 } |
340 | 340 |
341 std::string SupervisedUserAuthenticator::AuthAttempt::hash() { | 341 std::string SupervisedUserAuthenticator::AuthAttempt::hash() { |
342 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 342 DCHECK_CURRENTLY_ON(BrowserThread::UI); |
343 return hash_; | 343 return hash_; |
344 } | 344 } |
345 | 345 |
346 } // namespace chromeos | 346 } // namespace chromeos |
OLD | NEW |