Chromium Code Reviews Chromium Code Reviews
Issue 1165323004:
We should use UserID object to identify users instead of username.
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller.h" | 5 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
| 9 #include "base/prefs/pref_change_registrar.h" | 9 #include "base/prefs/pref_change_registrar.h" |
| 10 #include "base/prefs/pref_registry_simple.h" | 10 #include "base/prefs/pref_registry_simple.h" |
| 11 #include "base/prefs/pref_service.h" | 11 #include "base/prefs/pref_service.h" |
| 12 #include "base/prefs/scoped_user_pref_update.h" | 12 #include "base/prefs/scoped_user_pref_update.h" |
| 13 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller_dele gate.h" | 13 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller_dele gate.h" |
| 14 #include "chrome/browser/chromeos/policy/policy_cert_service.h" | 14 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |
| 15 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" | 15 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
| 16 #include "chrome/browser/chromeos/profiles/profile_helper.h" | 16 #include "chrome/browser/chromeos/profiles/profile_helper.h" |
| 17 #include "chrome/browser/prefs/pref_service_syncable.h" | 17 #include "chrome/browser/prefs/pref_service_syncable.h" |
| 18 #include "chrome/browser/profiles/profile.h" | 18 #include "chrome/browser/profiles/profile.h" |
| 19 #include "chrome/common/pref_names.h" | 19 #include "chrome/common/pref_names.h" |
| 20 #include "components/user_manager/user.h" | 20 #include "components/user_manager/user.h" |
| 21 #include "components/user_manager/user_id.h" | |
| 21 #include "components/user_manager/user_manager.h" | 22 #include "components/user_manager/user_manager.h" |
| 22 #include "google_apis/gaia/gaia_auth_util.h" | 23 #include "google_apis/gaia/gaia_auth_util.h" |
| 23 | 24 |
| 24 namespace chromeos { | 25 namespace chromeos { |
| 25 | 26 |
| 26 namespace { | 27 namespace { |
| 27 | 28 |
| 28 std::string SanitizeBehaviorValue(const std::string& value) { | 29 std::string SanitizeBehaviorValue(const std::string& value) { |
| 29 if (value == MultiProfileUserController::kBehaviorUnrestricted || | 30 if (value == MultiProfileUserController::kBehaviorUnrestricted || |
| 30 value == MultiProfileUserController::kBehaviorPrimaryOnly || | 31 value == MultiProfileUserController::kBehaviorPrimaryOnly || |
| (...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 89 MultiProfileUserController::UserAllowedInSessionReason | 90 MultiProfileUserController::UserAllowedInSessionReason |
| 90 MultiProfileUserController::GetPrimaryUserPolicy() { | 91 MultiProfileUserController::GetPrimaryUserPolicy() { |
| 91 user_manager::UserManager* user_manager = user_manager::UserManager::Get(); | 92 user_manager::UserManager* user_manager = user_manager::UserManager::Get(); |
| 92 CHECK(user_manager); | 93 CHECK(user_manager); |
| 93 | 94 |
| 94 const user_manager::User* user = user_manager->GetPrimaryUser(); | 95 const user_manager::User* user = user_manager->GetPrimaryUser(); |
| 95 if (!user) | 96 if (!user) |
| 96 return ALLOWED; | 97 return ALLOWED; |
| 97 | 98 |
| 98 // Don't allow any secondary profiles if the primary profile is tainted. | 99 // Don't allow any secondary profiles if the primary profile is tainted. |
| 99 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user->email())) { | 100 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user->GetUserID() )) { |
| 100 // Check directly in local_state before checking if the primary user has | 101 // Check directly in local_state before checking if the primary user has |
| 101 // a PolicyCertService. His profile may have been tainted previously though | 102 // a PolicyCertService. His profile may have been tainted previously though |
| 102 // he didn't get a PolicyCertService created for this session. | 103 // he didn't get a PolicyCertService created for this session. |
| 103 return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED; | 104 return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED; |
| 104 } | 105 } |
| 105 | 106 |
| 106 Profile* profile = ProfileHelper::Get()->GetProfileByUser(user); | 107 Profile* profile = ProfileHelper::Get()->GetProfileByUser(user); |
| 107 if (!profile) | 108 if (!profile) |
| 108 return ALLOWED; | 109 return ALLOWED; |
| 109 | 110 |
| 110 // If the primary profile already has policy certificates installed but | 111 // If the primary profile already has policy certificates installed but |
| 111 // hasn't used them yet then it can become tainted at any time during this | 112 // hasn't used them yet then it can become tainted at any time during this |
| 112 // session disable secondary profiles in this case too. | 113 // session disable secondary profiles in this case too. |
| 113 policy::PolicyCertService* service = | 114 policy::PolicyCertService* service = |
| 114 policy::PolicyCertServiceFactory::GetForProfile(profile); | 115 policy::PolicyCertServiceFactory::GetForProfile(profile); |
| 115 if (service && service->has_policy_certificates()) | 116 if (service && service->has_policy_certificates()) |
| 116 return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED; | 117 return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED; |
| 117 | 118 |
| 118 // No user is allowed if the primary user policy forbids it. | 119 // No user is allowed if the primary user policy forbids it. |
| 119 const std::string behavior = profile->GetPrefs()->GetString( | 120 const std::string behavior = profile->GetPrefs()->GetString( |
| 120 prefs::kMultiProfileUserBehavior); | 121 prefs::kMultiProfileUserBehavior); |
| 121 if (behavior == kBehaviorNotAllowed) | 122 if (behavior == kBehaviorNotAllowed) |
| 122 return NOT_ALLOWED_PRIMARY_USER_POLICY_FORBIDS; | 123 return NOT_ALLOWED_PRIMARY_USER_POLICY_FORBIDS; |
| 123 | 124 |
| 124 return ALLOWED; | 125 return ALLOWED; |
| 125 } | 126 } |
| 126 | 127 |
| 127 bool MultiProfileUserController::IsUserAllowedInSession( | 128 bool MultiProfileUserController::IsUserAllowedInSession( |
| 128 const std::string& user_email, | 129 const user_manager::UserID& user_id, |
| 129 MultiProfileUserController::UserAllowedInSessionReason* reason) const { | 130 MultiProfileUserController::UserAllowedInSessionReason* reason) const { |
| 130 user_manager::UserManager* user_manager = user_manager::UserManager::Get(); | 131 user_manager::UserManager* user_manager = user_manager::UserManager::Get(); |
| 131 CHECK(user_manager); | 132 CHECK(user_manager); |
| 132 | 133 |
| 133 const user_manager::User* primary_user = user_manager->GetPrimaryUser(); | 134 const user_manager::User* primary_user = user_manager->GetPrimaryUser(); |
| 134 std::string primary_user_email; | 135 user_manager::UserID primary_user_id = user_manager::UserID(std::string(), std ::string()); |
|
Denis Kuznetsov (DE-MUC)
2015/06/10 16:50:45
EmptyGaiaID() ?
| |
| 135 if (primary_user) | 136 if (primary_user) |
| 136 primary_user_email = primary_user->email(); | 137 primary_user_id = primary_user->GetUserID(); |
| 137 | 138 |
| 138 // Always allow if there is no primary user or user being checked is the | 139 // Always allow if there is no primary user or user being checked is the |
| 139 // primary user. | 140 // primary user. |
| 140 if (primary_user_email.empty() || primary_user_email == user_email) | 141 if (primary_user_id.empty() || primary_user_id == user_id) |
| 141 return SetUserAllowedReason(reason, ALLOWED); | 142 return SetUserAllowedReason(reason, ALLOWED); |
| 142 | 143 |
| 143 // Don't allow profiles potentially tainted by data fetched with policy-pushed | 144 // Don't allow profiles potentially tainted by data fetched with policy-pushed |
| 144 // certificates to join a multiprofile session. | 145 // certificates to join a multiprofile session. |
| 145 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email)) | 146 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_id)) |
| 146 return SetUserAllowedReason(reason, NOT_ALLOWED_POLICY_CERT_TAINTED); | 147 return SetUserAllowedReason(reason, NOT_ALLOWED_POLICY_CERT_TAINTED); |
| 147 | 148 |
| 148 UserAllowedInSessionReason primary_user_policy = GetPrimaryUserPolicy(); | 149 UserAllowedInSessionReason primary_user_policy = GetPrimaryUserPolicy(); |
| 149 if (primary_user_policy != ALLOWED) | 150 if (primary_user_policy != ALLOWED) |
| 150 return SetUserAllowedReason(reason, primary_user_policy); | 151 return SetUserAllowedReason(reason, primary_user_policy); |
| 151 | 152 |
| 152 // The user must have 'unrestricted' policy to be a secondary user. | 153 // The user must have 'unrestricted' policy to be a secondary user. |
| 153 const std::string behavior = GetCachedValue(user_email); | 154 const std::string behavior = GetCachedValue(user_id); |
| 154 return SetUserAllowedReason( | 155 return SetUserAllowedReason( |
| 155 reason, | 156 reason, |
| 156 behavior == kBehaviorUnrestricted ? ALLOWED : NOT_ALLOWED_POLICY_FORBIDS); | 157 behavior == kBehaviorUnrestricted ? ALLOWED : NOT_ALLOWED_POLICY_FORBIDS); |
| 157 } | 158 } |
| 158 | 159 |
| 159 void MultiProfileUserController::StartObserving(Profile* user_profile) { | 160 void MultiProfileUserController::StartObserving(Profile* user_profile) { |
| 160 // Profile name could be empty during tests. | 161 // Profile name could be empty during tests. |
| 161 if (user_profile->GetProfileUserName().empty()) | 162 if (user_profile->GetProfileUserName().empty()) |
| 162 return; | 163 return; |
| 163 | 164 |
| 164 scoped_ptr<PrefChangeRegistrar> registrar(new PrefChangeRegistrar); | 165 scoped_ptr<PrefChangeRegistrar> registrar(new PrefChangeRegistrar); |
| 165 registrar->Init(user_profile->GetPrefs()); | 166 registrar->Init(user_profile->GetPrefs()); |
| 166 registrar->Add( | 167 registrar->Add( |
| 167 prefs::kMultiProfileUserBehavior, | 168 prefs::kMultiProfileUserBehavior, |
| 168 base::Bind(&MultiProfileUserController::OnUserPrefChanged, | 169 base::Bind(&MultiProfileUserController::OnUserPrefChanged, |
| 169 base::Unretained(this), | 170 base::Unretained(this), |
| 170 user_profile)); | 171 user_profile)); |
| 171 pref_watchers_.push_back(registrar.release()); | 172 pref_watchers_.push_back(registrar.release()); |
| 172 | 173 |
| 173 OnUserPrefChanged(user_profile); | 174 OnUserPrefChanged(user_profile); |
| 174 } | 175 } |
| 175 | 176 |
| 176 void MultiProfileUserController::RemoveCachedValues( | 177 void MultiProfileUserController::RemoveCachedValues( |
| 177 const std::string& user_email) { | 178 const user_manager::UserID& user_id) { |
| 178 DictionaryPrefUpdate update(local_state_, | 179 DictionaryPrefUpdate update(local_state_, |
| 179 prefs::kCachedMultiProfileUserBehavior); | 180 prefs::kCachedMultiProfileUserBehavior); |
| 180 update->RemoveWithoutPathExpansion(user_email, NULL); | 181 update->RemoveWithoutPathExpansion(user_id.GetUserEmail(), NULL); |
| 181 policy::PolicyCertServiceFactory::ClearUsedPolicyCertificates(user_email); | 182 policy::PolicyCertServiceFactory::ClearUsedPolicyCertificates(user_id); |
| 182 } | 183 } |
| 183 | 184 |
| 184 std::string MultiProfileUserController::GetCachedValue( | 185 std::string MultiProfileUserController::GetCachedValue( |
| 185 const std::string& user_email) const { | 186 const user_manager::UserID& user_id) const { |
| 186 const base::DictionaryValue* dict = | 187 const base::DictionaryValue* dict = |
| 187 local_state_->GetDictionary(prefs::kCachedMultiProfileUserBehavior); | 188 local_state_->GetDictionary(prefs::kCachedMultiProfileUserBehavior); |
| 188 std::string value; | 189 std::string value; |
| 189 if (dict && dict->GetStringWithoutPathExpansion(user_email, &value)) | 190 if (dict && dict->GetStringWithoutPathExpansion(user_id.GetUserEmail(), &value )) |
| 190 return SanitizeBehaviorValue(value); | 191 return SanitizeBehaviorValue(value); |
| 191 | 192 |
| 192 return std::string(kBehaviorUnrestricted); | 193 return std::string(kBehaviorUnrestricted); |
| 193 } | 194 } |
| 194 | 195 |
| 195 void MultiProfileUserController::SetCachedValue( | 196 void MultiProfileUserController::SetCachedValue( |
| 196 const std::string& user_email, | 197 const user_manager::UserID& user_id, |
| 197 const std::string& behavior) { | 198 const std::string& behavior) { |
| 198 DictionaryPrefUpdate update(local_state_, | 199 DictionaryPrefUpdate update(local_state_, |
| 199 prefs::kCachedMultiProfileUserBehavior); | 200 prefs::kCachedMultiProfileUserBehavior); |
| 200 update->SetStringWithoutPathExpansion(user_email, | 201 update->SetStringWithoutPathExpansion(user_id.GetUserEmail(), |
| 201 SanitizeBehaviorValue(behavior)); | 202 SanitizeBehaviorValue(behavior)); |
| 202 } | 203 } |
| 203 | 204 |
| 204 void MultiProfileUserController::CheckSessionUsers() { | 205 void MultiProfileUserController::CheckSessionUsers() { |
| 205 const user_manager::UserList& users = | 206 const user_manager::UserList& users = |
| 206 user_manager::UserManager::Get()->GetLoggedInUsers(); | 207 user_manager::UserManager::Get()->GetLoggedInUsers(); |
| 207 for (user_manager::UserList::const_iterator it = users.begin(); | 208 for (user_manager::UserList::const_iterator it = users.begin(); |
| 208 it != users.end(); | 209 it != users.end(); |
| 209 ++it) { | 210 ++it) { |
| 210 if (!IsUserAllowedInSession((*it)->email(), NULL)) { | 211 if (!IsUserAllowedInSession((*it)->GetUserID(), NULL)) { |
| 211 delegate_->OnUserNotAllowed((*it)->email()); | 212 delegate_->OnUserNotAllowed((*it)->GetUserID()); |
| 212 return; | 213 return; |
| 213 } | 214 } |
| 214 } | 215 } |
| 215 } | 216 } |
| 216 | 217 |
| 217 void MultiProfileUserController::OnUserPrefChanged( | 218 void MultiProfileUserController::OnUserPrefChanged( |
| 218 Profile* user_profile) { | 219 Profile* user_profile) { |
| 219 std::string user_email = user_profile->GetProfileUserName(); | 220 std::string user_email = user_profile->GetProfileUserName(); |
| 220 CHECK(!user_email.empty()); | 221 CHECK(!user_email.empty()); |
| 221 user_email = gaia::CanonicalizeEmail(user_email); | 222 user_email = gaia::CanonicalizeEmail(user_email); |
| 223 const user_manager::UserID user_id(std::string() /* gaia_id */, user_email); | |
|
Denis Kuznetsov (DE-MUC)
2015/06/10 16:50:45
FromUserEmail()
| |
| 222 | 224 |
| 223 PrefService* prefs = user_profile->GetPrefs(); | 225 PrefService* prefs = user_profile->GetPrefs(); |
| 224 if (prefs->FindPreference(prefs::kMultiProfileUserBehavior) | 226 if (prefs->FindPreference(prefs::kMultiProfileUserBehavior) |
| 225 ->IsDefaultValue()) { | 227 ->IsDefaultValue()) { |
| 226 // Migration code to clear cached default behavior. | 228 // Migration code to clear cached default behavior. |
| 227 // TODO(xiyuan): Remove this after M35. | 229 // TODO(xiyuan): Remove this after M35. |
| 228 DictionaryPrefUpdate update(local_state_, | 230 DictionaryPrefUpdate update(local_state_, |
| 229 prefs::kCachedMultiProfileUserBehavior); | 231 prefs::kCachedMultiProfileUserBehavior); |
| 230 update->RemoveWithoutPathExpansion(user_email, NULL); | 232 update->RemoveWithoutPathExpansion(user_id.GetUserEmail(), NULL); |
| 231 } else { | 233 } else { |
| 232 const std::string behavior = | 234 const std::string behavior = |
| 233 prefs->GetString(prefs::kMultiProfileUserBehavior); | 235 prefs->GetString(prefs::kMultiProfileUserBehavior); |
| 234 SetCachedValue(user_email, behavior); | 236 SetCachedValue(user_id, behavior); |
| 235 } | 237 } |
| 236 | 238 |
| 237 CheckSessionUsers(); | 239 CheckSessionUsers(); |
| 238 } | 240 } |
| 239 | 241 |
| 240 } // namespace chromeos | 242 } // namespace chromeos |
| OLD | NEW |
