Perform online reauth when password is changed for a locked profile.

chrome/browser/ui/webui/signin/user_manager_screen_handler.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/webui/signin/user_manager_screen_handler.h"
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/prefs/pref_service.h"
 #include "base/profiler/scoped_tracker.h"
@@ skipping 106 matching lines @@
   if (avatar_image.Width() <= profiles::kAvatarIconWidth ||
       avatar_image.Height() <= profiles::kAvatarIconHeight ) {
     avatar_image = ui::ResourceBundle::GetSharedInstance().GetImageNamed(
         profiles::GetPlaceholderAvatarIconResourceID());
   }
   gfx::Image resized_image = profiles::GetSizedAvatarIcon(
       avatar_image, is_gaia_picture, kAvatarIconSize, kAvatarIconSize);
   return webui::GetBitmapDataUrl(resized_image.AsBitmap());
 }
 
-size_t GetIndexOfProfileWithEmail(const ProfileInfoCache& info_cache,
-                                  const std::string& email) {
-  const base::string16& profile_email = base::UTF8ToUTF16(email);
-  for (size_t i = 0; i < info_cache.GetNumberOfProfiles(); ++i) {
-    if (info_cache.GetUserNameOfProfileAtIndex(i) == profile_email)
-      return i;
-  }
-  return std::string::npos;
-}
-
 extensions::ScreenlockPrivateEventRouter* GetScreenlockRouter(
     const std::string& email) {
-  const ProfileInfoCache& info_cache =
-      g_browser_process->profile_manager()->GetProfileInfoCache();
-  const size_t profile_index = GetIndexOfProfileWithEmail(info_cache, email);
+  base::FilePath path =
+      profiles::GetPathOfProfileWithEmail(g_browser_process->profile_manager(),
+                                          email);
   Profile* profile = g_browser_process->profile_manager()
-      ->GetProfileByPath(info_cache.GetPathOfProfileAtIndex(profile_index));
+      ->GetProfileByPath(path);
   return extensions::ScreenlockPrivateEventRouter::GetFactoryInstance()->Get(
       profile);
 }
 
 bool IsGuestModeEnabled() {
   PrefService* service = g_browser_process->local_state();
   DCHECK(service);
   return service->GetBoolean(prefs::kBrowserGuestModeEnabled);
 }
 
@@ skipping 205 matching lines @@
     return proximity_auth::ScreenlockBridge::LockHandler::OFFLINE_PASSWORD;
   return it->second;
 }
 
 proximity_auth::ScreenlockBridge::LockHandler::ScreenType
 UserManagerScreenHandler::GetScreenType() const {
   return proximity_auth::ScreenlockBridge::LockHandler::LOCK_SCREEN;
 }
 
 void UserManagerScreenHandler::Unlock(const std::string& user_email) {
-  const ProfileInfoCache& info_cache =
-      g_browser_process->profile_manager()->GetProfileInfoCache();
-  const size_t profile_index =
-      GetIndexOfProfileWithEmail(info_cache, user_email);
-  DCHECK_LT(profile_index, info_cache.GetNumberOfProfiles());
-
-  authenticating_profile_index_ = profile_index;
-  ReportAuthenticationResult(true, ProfileMetrics::AUTH_LOCAL);
+  base::FilePath path =
+      profiles::GetPathOfProfileWithEmail(g_browser_process->profile_manager(),
+                                          user_email);
+  if (!path.empty()) {
+    authenticating_profile_path_ = path;
+    ReportAuthenticationResult(true, ProfileMetrics::AUTH_LOCAL);
+  }
 }
 
 void UserManagerScreenHandler::AttemptEasySignin(
     const std::string& user_email,
     const std::string& secret,
     const std::string& key_label) {
   NOTREACHED();
 }
 
 void UserManagerScreenHandler::HandleInitialize(const base::ListValue* args) {
@@ skipping 26 matching lines @@
 void UserManagerScreenHandler::HandleAuthenticatedLaunchUser(
     const base::ListValue* args) {
   const base::Value* profile_path_value;
   if (!args->Get(0, &profile_path_value))
     return;
 
   base::FilePath profile_path;
   if (!base::GetValueAsFilePath(*profile_path_value, &profile_path))
     return;
 
+  ProfileInfoCache& info_cache =
+      g_browser_process->profile_manager()->GetProfileInfoCache();
+
+  ProfileAttributesEntry* entry;
+  if (!info_cache.GetProfileAttributesWithPath(profile_path, &entry))
+    return;
+
   base::string16 email_address;
   if (!args->GetString(1, &email_address))
     return;
 
   std::string password;
   if (!args->GetString(2, &password))
     return;
 
-  const ProfileInfoCache& info_cache =
-      g_browser_process->profile_manager()->GetProfileInfoCache();
+  authenticating_profile_path_ = profile_path;
+
   size_t profile_index = info_cache.GetIndexOfProfileWithPath(profile_path);
-
-  if (profile_index == std::string::npos) {
-    NOTREACHED();
-    return;
-  }
-
-  authenticating_profile_index_ = profile_index;
   if (LocalAuth::ValidateLocalAuthCredentials(profile_index, password)) {
     ReportAuthenticationResult(true, ProfileMetrics::AUTH_LOCAL);
     return;
   }
 
-  email_address_ = email_address;
+  email_address_ = base::UTF16ToUTF8(email_address);
   password_attempt_ = password;
 
   // This could be a mis-typed password or typing a new password while we
   // still have a hash of the old one.  The new way of checking a password
   // change makes use of a token so we do that... if it's available.
   if (!oauth_client_) {
     oauth_client_.reset(new gaia::GaiaOAuthClient(
         web_ui()->GetWebContents()->GetBrowserContext()->GetRequestContext()));
   }
-  std::string token = info_cache.GetPasswordChangeDetectionTokenAtIndex(
-      profile_index);
+
+  std::string token = entry->GetPasswordChangeDetectionToken();
   if (!token.empty()) {
     oauth_client_->GetTokenHandleInfo(token, kMaxOAuthRetries, this);
     return;
   }
 
   // In order to support the upgrade case where we have a local hash but no
-  // password token, we fall back on (deprecated) ClientLogin.  This will
-  // have to be removed in future versions as the service gets turned down
-  // but by then we'll have seamlessly updated the majority of users.
-  client_login_.reset(new GaiaAuthFetcher(
-      this,
-      GaiaConstants::kChromeSource,
-      web_ui()->GetWebContents()->GetBrowserContext()->GetRequestContext()));
-
-  client_login_->StartClientLogin(
-      base::UTF16ToUTF8(email_address),
-      password,
-      GaiaConstants::kSyncService,
-      std::string(),
-      std::string(),
-      GaiaAuthFetcher::HostedAccountsAllowed);
+  // password token, the user perform a full online reauth.
+  UserManager::ShowReauthDialog(web_ui()->GetWebContents()->GetBrowserContext(),
+                                email_address_);
 }
 
 void UserManagerScreenHandler::HandleRemoveUser(const base::ListValue* args) {
   DCHECK(args);
   const base::Value* profile_path_value;
   if (!args->Get(0, &profile_path_value)) {
     NOTREACHED();
     return;
   }
 
@@ skipping 83 matching lines @@
 }
 
 void UserManagerScreenHandler::OnGetTokenInfoResponse(
     scoped_ptr<base::DictionaryValue> token_info) {
   // Password is unchanged so user just mistyped it.  Ask again.
   ReportAuthenticationResult(false, ProfileMetrics::AUTH_FAILED);
 }
 
 void UserManagerScreenHandler::OnOAuthError() {
   // Password has changed.  Go through online signin flow.
-  // ... if we had it.  Until then, use deprecated ClientLogin to validate
-  // the password.  This will have to be changed soon.  (TODO: bcwhite)
-    oauth_client_.reset();
-    client_login_.reset(new GaiaAuthFetcher(
-      this,
-      GaiaConstants::kChromeSource,
-      web_ui()->GetWebContents()->GetBrowserContext()->GetRequestContext()));
-
   DCHECK(!email_address_.empty());
-  DCHECK(!password_attempt_.empty());
-  client_login_->StartClientLogin(
-      base::UTF16ToUTF8(email_address_),
-      password_attempt_,
-      GaiaConstants::kSyncService,
-      std::string(),
-      std::string(),
-      GaiaAuthFetcher::HostedAccountsAllowed);
+  oauth_client_.reset();
+  UserManager::ShowReauthDialog(web_ui()->GetWebContents()->GetBrowserContext(),
+                                email_address_);
 }
 
 void UserManagerScreenHandler::OnNetworkError(int response_code) {
   // Inconclusive but can't do real signin without being online anyway.
     oauth_client_.reset();
     ReportAuthenticationResult(false, ProfileMetrics::AUTH_FAILED_OFFLINE);
 }
 
-void UserManagerScreenHandler::OnClientLoginSuccess(
-    const ClientLoginResult& result) {
-  oauth_client_.reset();
-  LocalAuth::SetLocalAuthCredentials(authenticating_profile_index_,
-                                     password_attempt_);
-  ReportAuthenticationResult(true, ProfileMetrics::AUTH_ONLINE);
-}
-
-void UserManagerScreenHandler::OnClientLoginFailure(
-    const GoogleServiceAuthError& error) {
-  const GoogleServiceAuthError::State state = error.state();
-  // Some "error" results mean the password was correct but some other action
-  // should be taken.  For our purposes, we only care that the password was
-  // correct so count those as a success.
-  bool success = (state == GoogleServiceAuthError::NONE ||
-                  state == GoogleServiceAuthError::CAPTCHA_REQUIRED ||
-                  state == GoogleServiceAuthError::TWO_FACTOR ||
-                  state == GoogleServiceAuthError::ACCOUNT_DELETED ||
-                  state == GoogleServiceAuthError::ACCOUNT_DISABLED ||
-                  state == GoogleServiceAuthError::WEB_LOGIN_REQUIRED);
-
-  // If the password was correct, the user must have changed it since the
-  // profile was locked.  Save the password to streamline future unlocks.
-  if (success) {
-    DCHECK(!password_attempt_.empty());
-    LocalAuth::SetLocalAuthCredentials(authenticating_profile_index_,
-                                       password_attempt_);
-  }
-
-  bool offline = error.IsTransientError();
-  ProfileMetrics::ProfileAuth failure_metric =
-      offline ? ProfileMetrics::AUTH_FAILED_OFFLINE :
-                ProfileMetrics::AUTH_FAILED;
-  ReportAuthenticationResult(
-      success, success ? ProfileMetrics::AUTH_ONLINE : failure_metric);
-}
-
 void UserManagerScreenHandler::RegisterMessages() {
   web_ui()->RegisterMessageCallback(kJsApiUserManagerInitialize,
       base::Bind(&UserManagerScreenHandler::HandleInitialize,
                  base::Unretained(this)));
   web_ui()->RegisterMessageCallback(kJsApiUserManagerAddUser,
       base::Bind(&UserManagerScreenHandler::HandleAddUser,
                  base::Unretained(this)));
   web_ui()->RegisterMessageCallback(kJsApiUserManagerAuthLaunchUser,
       base::Bind(&UserManagerScreenHandler::HandleAuthenticatedLaunchUser,
                  base::Unretained(this)));
@@ skipping 180 matching lines @@
 }
 
 void UserManagerScreenHandler::ReportAuthenticationResult(
     bool success,
     ProfileMetrics::ProfileAuth auth) {
   ProfileMetrics::LogProfileAuthResult(auth);
   email_address_.clear();
   password_attempt_.clear();
 
   if (success) {
-    const ProfileInfoCache& info_cache =
-        g_browser_process->profile_manager()->GetProfileInfoCache();
-    base::FilePath path = info_cache.GetPathOfProfileAtIndex(
-        authenticating_profile_index_);
     profiles::SwitchToProfile(
-        path,
+        authenticating_profile_path_,
         desktop_type_,
         true,
         base::Bind(&UserManagerScreenHandler::OnSwitchToProfileComplete,
                    weak_ptr_factory_.GetWeakPtr()),
         ProfileMetrics::SWITCH_PROFILE_UNLOCK);
   } else {
     web_ui()->CallJavascriptFunction(
         "cr.ui.Oobe.showSignInError",
         base::FundamentalValue(0),
         base::StringValue(l10n_util::GetStringUTF8(
@@ skipping 56 matching lines @@
     Profile* profile, Profile::CreateStatus profile_create_status) {
   Browser* browser = chrome::FindAnyBrowser(profile, false, desktop_type_);
   if (browser && browser->window()) {
     OnBrowserWindowReady(browser);
   } else {
     registrar_.Add(this,
                    chrome::NOTIFICATION_BROWSER_WINDOW_READY,
                    content::NotificationService::AllSources());
   }
 }