Make an online wildcard login check for enterprise devices.

chrome/browser/chromeos/login/login_performer.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_performer.h"
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_restrictions.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/chromeos/boot_times_loader.h"
 #include "chrome/browser/chromeos/login/login_utils.h"
 #include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h"
 #include "chrome/browser/chromeos/login/managed/supervised_user_login_flow.h"
 #include "chrome/browser/chromeos/login/supervised_user_manager.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
+#include "chrome/browser/chromeos/policy/wildcard_login_checker.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/common/pref_names.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/session_manager_client.h"
 #include "chromeos/settings/cros_settings_names.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_types.h"
 #include "content/public/browser/user_metrics.h"
@@ skipping 119 matching lines @@
       delegate_->PolicyLoadFailed();
     else
       NOTREACHED();
     return;
   } else if (status != CrosSettingsProvider::TRUSTED) {
     // Value of AllowNewUser setting is still not verified.
     // Another attempt will be invoked after verification completion.
     return;
   }
 
-  bool is_whitelisted = LoginUtils::IsWhitelisted(
-      gaia::CanonicalizeEmail(user_context.username));
+  bool wildcard_match = false;
+  std::string email = gaia::CanonicalizeEmail(user_context.username);
+  bool is_whitelisted = LoginUtils::IsWhitelisted(email, &wildcard_match);
   if (is_whitelisted) {
     switch (auth_mode_) {
-      case AUTH_MODE_EXTENSION:
-        StartLoginCompletion();
+      case AUTH_MODE_EXTENSION: {
+        // On enterprise devices, reconfirm login permission with the server.
+        policy::BrowserPolicyConnectorChromeOS* connector =
+            g_browser_process->platform_part()
+                ->browser_policy_connector_chromeos();
+        if (connector->IsEnterpriseManaged() && wildcard_match &&
+            !connector->IsNonEnterpriseUser(email)) {
+          (new policy::WildcardLoginChecker())->Start(

[Joao da Silva, 2014/01/28 14:45:46]

I've found code like this hard to get right in tests in the past, because the
instance is still live after the test ends and a leak is reported (unless the
test adds more boilerplate to make sure this check is done).

I'd just have LoginPerformer own the checker.

[Mattias Nissler (ping if slow), 2014/01/28 15:44:22]

All right, converting.

+                  ProfileHelper::GetSigninProfile()->GetRequestContext(),
+                  base::Bind(&LoginPerformer::OnlineWildcardLoginCheckCompleted,
+                             weak_factory_.GetWeakPtr()));
+        } else {
+          StartLoginCompletion();
+        }
         break;
+      }
       case AUTH_MODE_INTERNAL:
         StartAuthentication();
         break;
     }
   } else {
     if (delegate_)
       delegate_->WhiteListCheckFailed(user_context.username);
     else
       NOTREACHED();
   }
@@ skipping 152 matching lines @@
     // Make unobtrusive online check. It helps to determine password change
     // state in the case when offline login fails.
     online_attempt_host_.Check(profile, user_context_);
   } else {
     NOTREACHED();
   }
   user_context_.password.clear();
   user_context_.auth_code.clear();
 }
 
+void LoginPerformer::OnlineWildcardLoginCheckCompleted(bool result) {
+  if (result) {
+    StartLoginCompletion();
+  } else {
+    if (delegate_)
+      delegate_->WhiteListCheckFailed(user_context_.username);
+  }
+}
 }  // namespace chromeos

[Joao da Silva, 2014/01/28 14:45:46]

nit: add a newline

[Mattias Nissler (ping if slow), 2014/01/28 15:44:22]

Done.