Add policy that forces SAML users to log in online periodically

chrome/browser/chromeos/login/saml_offline_signin_limiter.h

Index: chrome/browser/chromeos/login/saml_offline_signin_limiter.h
diff --git a/chrome/browser/chromeos/login/saml_offline_signin_limiter.h b/chrome/browser/chromeos/login/saml_offline_signin_limiter.h
new file mode 100644
index 0000000000000000000000000000000000000000..6d0cae4ea4770cb01a6a58aed253803e0c969833
--- /dev/null
+++ b/chrome/browser/chromeos/login/saml_offline_signin_limiter.h
@@ -0,0 +1,77 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_SAML_OFFLINE_SIGNIN_LIMITER_H_
+#define CHROME_BROWSER_CHROMEOS_LOGIN_SAML_OFFLINE_SIGNIN_LIMITER_H_
+
+#include "base/basictypes.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/prefs/pref_change_registrar.h"
+#include "base/time/default_clock.h"
+#include "base/time/time.h"
+#include "base/timer/timer.h"
+#include "chrome/browser/chromeos/login/user.h"
+#include "components/browser_context_keyed_service/browser_context_keyed_service.h"
+
+class Profile;
+
+namespace base {
+class Clock;
+}
+
+namespace user_prefs {
+class PrefRegistrySyncable;
+}
+
+namespace chromeos {
+
+// Enforces a limit on the length of time for which a user authenticated via
+// SAML can use offline authentication against a cached password before being
+// forced to go through online authentication against GAIA again.
+class SAMLOfflineSigninLimiter : public BrowserContextKeyedService {
+ public:
+  // Registers preferences.
+  static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
+
+  // Called when the user successfully authenticates. |auth_flow| indicates
+  // the type of authentication flow that the user went though.

[Nikita (slow), 2014/01/23 17:50:09]

nit: went through

[bartfab (slow), 2014/01/24 12:56:07]

Done.

+  void SignedIn(UserContext::AuthFlow auth_flow);
+
+  // BrowserContextKeyedService:
+  void Shutdown() OVERRIDE;
+
+ private:
+  friend class SAMLOfflineSigninLimiterFactory;
+  friend class SAMLOfflineSigninLimiterTest;
+
+  // |profile| and |clock| must remain valid until Shutdown() is called. If
+  // |clock| is NULL, the |default_clock_| will be used.
+  SAMLOfflineSigninLimiter(Profile* profile, base::Clock* clock);
+  virtual ~SAMLOfflineSigninLimiter();
+
+  // Recalculates the amount of time remaining until online login should be
+  // forced and sets the |offline_signin_limit_timer_| accordingly. If the limit
+  // has expired already, sets the flag enforcing online login immediately.
+  void UpdateLimit();
+
+  // Sets the flag enforcing online login. This will cause the user's next login
+  // to use online authentication against GAIA.
+  void ForceOnlineLogin();
+
+  base::DefaultClock default_clock_;
+
+  Profile* profile_;
+  base::Clock* clock_;
+
+  PrefChangeRegistrar pref_change_registrar_;
+
+  scoped_ptr<base::OneShotTimer<SAMLOfflineSigninLimiter> >
+      offline_signin_limit_timer_;
+
+  DISALLOW_COPY_AND_ASSIGN(SAMLOfflineSigninLimiter);
+};
+
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_LOGIN_SAML_OFFLINE_SIGNIN_LIMITER_H_