Make an online wildcard login check for enterprise devices.

chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/sequenced_task_runner.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/policy/policy_oauth2_token_fetcher.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.h"
+#include "chrome/browser/chromeos/policy/wildcard_login_checker.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/lifetime/application_lifetime.h"
 #include "components/policy/core/common/cloud/cloud_external_data_manager.h"
 #include "components/policy/core/common/cloud/cloud_policy_refresh_scheduler.h"
 #include "components/policy/core/common/cloud/device_management_service.h"
 #include "components/policy/core/common/cloud/system_policy_request_context.h"
 #include "components/policy/core/common/policy_pref_names.h"
 #include "content/public/common/content_client.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "url/gurl.h"
 
 namespace em = enterprise_management;
@@ skipping 13 matching lines @@
     "Enterprise.UserPolicyChromeOS.InitialFetch.DelayOAuth2Token";
 const char kUMAInitialFetchDelayPolicyFetch[] =
     "Enterprise.UserPolicyChromeOS.InitialFetch.DelayPolicyFetch";
 const char kUMAInitialFetchDelayTotal[] =
     "Enterprise.UserPolicyChromeOS.InitialFetch.DelayTotal";
 const char kUMAInitialFetchOAuth2Error[] =
     "Enterprise.UserPolicyChromeOS.InitialFetch.OAuth2Error";
 const char kUMAInitialFetchOAuth2NetworkError[] =
     "Enterprise.UserPolicyChromeOS.InitialFetch.OAuth2NetworkError";
 
+void OnWildcardCheckCompleted(const std::string& username, bool result) {
+  if (!result) {
+    LOG(ERROR) << "Online wildcard login check failed, terminating session.";
+
+    // TODO(mnissler): This only removes the user pod from the login screen, but
+    // the cryptohome remains. This is because deleting the cryptohome for a
+    // logged-in session is not possible. Fix this either by delaying the
+    // cryptohome deletion operation or by getting rid of the in-session
+    // wildcard check.
+    chromeos::UserManager::Get()->RemoveUserFromList(username);
+    chrome::AttemptUserExit();
+  }
+}
+
 }  // namespace
 
 UserCloudPolicyManagerChromeOS::UserCloudPolicyManagerChromeOS(
     scoped_ptr<CloudPolicyStore> store,
     scoped_ptr<CloudExternalDataManager> external_data_manager,
     const base::FilePath& component_policy_cache_path,
     bool wait_for_policy_fetch,
     base::TimeDelta initial_policy_fetch_timeout,
     const scoped_refptr<base::SequencedTaskRunner>& task_runner,
     const scoped_refptr<base::SequencedTaskRunner>& file_task_runner,
@@ skipping 58 matching lines @@
   if (service()->IsInitializationComplete()) {
     OnInitializationCompleted(service());
   } else {
     service()->AddObserver(this);
   }
 }
 
 void UserCloudPolicyManagerChromeOS::OnAccessTokenAvailable(
     const std::string& access_token) {
   access_token_ = access_token;
+
+  if (!wildcard_username_.empty()) {
+    wildcard_login_checker_.reset(new WildcardLoginChecker());
+    wildcard_login_checker_->StartWithAccessToken(
+        access_token,
+        base::Bind(&OnWildcardCheckCompleted, wildcard_username_));
+  }
+
   if (service() && service()->IsInitializationComplete() &&
       client() && !client()->is_registered()) {
     OnOAuth2PolicyTokenFetched(
         access_token, GoogleServiceAuthError(GoogleServiceAuthError::NONE));
   }
 }
 
 bool UserCloudPolicyManagerChromeOS::IsClientRegistered() const {
   return client() && client()->is_registered();
 }
 
+void UserCloudPolicyManagerChromeOS::EnableWildcardLoginCheck(
+    const std::string& username) {
+  wildcard_username_ = username;

[Andrew T Wilson (Slow), 2014/01/28 16:31:13]

So, this breaks if for some reason EnableWildcardLoginCheck() is called after
the access token is available. I don't think it's possible for this to happen,
but you should probably add a DCHECK(access_token_.empty()) here to ensure it.

[Mattias Nissler (ping if slow), 2014/01/29 12:12:32]

Done.

+}
+
 void UserCloudPolicyManagerChromeOS::Shutdown() {
   if (client())
     client()->RemoveObserver(this);
   if (service())
     service()->RemoveObserver(this);
   token_fetcher_.reset();
   external_data_manager_->Disconnect();
   CloudPolicyManager::Shutdown();
 }
 
@@ skipping 25 matching lines @@
   //
   // If |wait_for_policy_fetch_| is false then the UserCloudPolicyTokenForwarder
   // service will eventually call OnAccessTokenAvailable() once an access token
   // is available. That call may have already happened while waiting for
   // initialization of the CloudPolicyService, so in that case check if an
   // access token is already available.
   if (!client()->is_registered()) {
     if (wait_for_policy_fetch_) {
       FetchPolicyOAuthTokenUsingSigninProfile();
     } else if (!access_token_.empty()) {
-      OnOAuth2PolicyTokenFetched(
-          access_token_, GoogleServiceAuthError(GoogleServiceAuthError::NONE));
+      OnAccessTokenAvailable(access_token_);
     }
   }
 
   if (!wait_for_policy_fetch_) {
     // If this isn't blocking on a policy fetch then
     // CloudPolicyManager::OnStoreLoaded() already published the cached policy.
     // Start the refresh scheduler now, which will eventually refresh the
     // cached policy or make the first fetch once the OAuth2 token is
     // available.
     StartRefreshSchedulerIfReady();
@@ skipping 64 matching lines @@
       g_browser_process->system_request_context(),
       base::Bind(&UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched,
                  base::Unretained(this))));
   token_fetcher_->Start();
 }
 
 void UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched(
     const std::string& policy_token,
     const GoogleServiceAuthError& error) {
   DCHECK(!client()->is_registered());
-
   time_token_available_ = base::Time::Now();
   if (wait_for_policy_fetch_) {
     UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayOAuth2Token,
                                time_token_available_ - time_init_completed_);
   }
 
   if (error.state() == GoogleServiceAuthError::NONE) {
     // Start client registration. Either OnRegistrationStateChanged() or
     // OnClientError() will be called back.
     client()->Register(em::DeviceRegisterRequest::USER,
@@ skipping 61 matching lines @@
     // OnComponentCloudPolicyUpdated() once it's ready.
     return;
   }
 
   core()->StartRefreshScheduler();
   core()->TrackRefreshDelayPref(local_state_,
                                 policy_prefs::kUserPolicyRefreshRate);
 }
 
 }  // namespace policy