ChromeOS cryptohome should be able to use gaia id as user identifier.

chromeos/login/auth/cryptohome_authenticator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/login/auth/cryptohome_authenticator.h"
 
 #include <stdint.h>
 
 #include <vector>
 
 #include "base/bind.h"
 #include "base/files/file_path.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/weak_ptr.h"
+#include "chromeos/chromeos_switches.h"
 #include "chromeos/cryptohome/async_method_caller.h"
 #include "chromeos/cryptohome/cryptohome_parameters.h"
 #include "chromeos/cryptohome/homedir_methods.h"
 #include "chromeos/cryptohome/system_salt_getter.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/login/auth/auth_status_consumer.h"
 #include "chromeos/login/auth/key.h"
 #include "chromeos/login/auth/user_context.h"
 #include "chromeos/login/login_state.h"
 #include "chromeos/login/user_names.h"
 #include "chromeos/login_event_recorder.h"
 #include "components/device_event_log/device_event_log.h"
 #include "components/signin/core/account_id/account_id.h"
+#include "components/user_manager/known_user.h"
 #include "components/user_manager/user_type.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace chromeos {
 
 namespace {
 
 // The label used for the key derived from the user's GAIA credentials.
 const char kCryptohomeGAIAKeyLabel[] = "gaia";
 
@@ skipping 102 matching lines @@
                                            cryptohome::PRIV_DEFAULT);
   cryptohome::MountParameters mount(ephemeral);
   if (create_if_nonexistent) {
     mount.create_keys.push_back(cryptohome::KeyDefinition(
         key->GetSecret(),
         kCryptohomeGAIAKeyLabel,
         cryptohome::PRIV_DEFAULT));
   }
 
   cryptohome::HomedirMethods::GetInstance()->MountEx(
-      cryptohome::Identification(
-          attempt->user_context.GetAccountId().GetUserEmail()),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       cryptohome::Authorization(auth_key), mount,
       base::Bind(&OnMount, attempt, resolver));
 }
 
+// Handle cryptohome migration status.
+void OnCryptohomeRenamed(const base::WeakPtr<AuthAttemptState>& attempt,
+                         scoped_refptr<CryptohomeAuthenticator> resolver,
+                         bool ephemeral,
+                         bool create_if_nonexistent,
+                         bool success,
+                         cryptohome::MountError return_code) {
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
+      "CryptohomeRename-End", false);
+  const AccountId account_id = attempt->user_context.GetAccountId();
+  if (success) {
+    cryptohome::SetGaiaIdMigrationStatusDone(account_id);
+  } else {
+    LOG(ERROR) << "Failed to rename cryptohome for account_id='"
+               << account_id.Serialize() << "' (return_code=" << return_code
+               << ")";
+  }
+
+  DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+}
+
+// This method migrates cryptohome identifier to gaia id (if needed),
+// and then calls Mount.
+void MigrateCryptohomeToGaiaId(const base::WeakPtr<AuthAttemptState>& attempt,
+                               scoped_refptr<CryptohomeAuthenticator> resolver,
+                               bool ephemeral,
+                               bool create_if_nonexistent) {
+  const bool is_gaiaid_migration_started = switches::IsGaiaIdMigrationStarted();

[dzhioev (left Google), 2016/02/20 07:15:13]

Let's put:

if (switches::IsGaiaIdMigrationStarted()) {
  DoMount(...);
  return;
}

at the beginning of the function and get rid of |is_gaiaid_migration_started|.

[Alexander Alekseev, 2016/02/20 08:07:11]

Done.

+  const bool already_migrated = cryptohome::GetGaiaIdMigrationStatus(
+      attempt->user_context.GetAccountId());
+  const bool has_gaia_id =
+      !attempt->user_context.GetAccountId().GetGaiaId().empty();
+
+  bool need_migration = false;
+  if (is_gaiaid_migration_started && !create_if_nonexistent &&

[dzhioev (left Google), 2016/02/20 07:15:13]

Why do you check |create_if_nonexistent| here?

[Alexander Alekseev, 2016/02/20 08:07:11]

create_if_nonexistent is set for GuestUser and new users only.
So this prevents attempts to rename non-existing cryptohomes.

+      !already_migrated) {
+    if (has_gaia_id) {
+      need_migration = true;
+    } else {
+      LOG(WARNING) << "Account '"
+                   << attempt->user_context.GetAccountId().Serialize()
+                   << "' has no gaia id. Cryptohome migration skipped.";
+    }
+  }
+  if (need_migration) {
+    chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
+        "CryptohomeRename-Start", false);
+    const std::string& cryptohome_id_from =
+        attempt->user_context.GetAccountId().GetUserEmail();  // Migrated
+    const std::string cryptohome_id_to =
+        attempt->user_context.GetAccountId().GetGaiaIdKey();
+
+    cryptohome::HomedirMethods::GetInstance()->RenameCryptohome(
+        cryptohome::Identification::FromString(cryptohome_id_from),
+        cryptohome::Identification::FromString(cryptohome_id_to),
+        base::Bind(&OnCryptohomeRenamed, attempt, resolver, ephemeral,
+                   create_if_nonexistent));
+    return;
+  }
+  if (is_gaiaid_migration_started && !already_migrated && has_gaia_id) {
+    // Mark new users migrated.
+    cryptohome::SetGaiaIdMigrationStatusDone(
+        attempt->user_context.GetAccountId());
+  }
+  DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+}
+
 // Callback invoked when the system salt has been retrieved. Transforms the key
 // in |attempt->user_context| using Chrome's default hashing algorithm and the
 // system salt, then calls MountEx().
 void OnGetSystemSalt(const base::WeakPtr<AuthAttemptState>& attempt,
                      scoped_refptr<CryptohomeAuthenticator> resolver,
                      bool ephemeral,
                      bool create_if_nonexistent,
                      const std::string& system_salt) {
   DCHECK_EQ(Key::KEY_TYPE_PASSWORD_PLAIN,
             attempt->user_context.GetKey()->GetKeyType());
 
   attempt->user_context.GetKey()->Transform(
       Key::KEY_TYPE_SALTED_SHA256_TOP_HALF,
       system_salt);
 
-  DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+  MigrateCryptohomeToGaiaId(attempt, resolver, ephemeral,

[dzhioev (left Google), 2016/02/20 07:15:13]

MigrateCryptohomeToGaiaId name is confusing, because migration is not the
function main purpose. Maybe rename to MaybeMigrateToGaiaIdAndMount?

[Alexander Alekseev, 2016/02/20 08:07:11]

Done.

+                            create_if_nonexistent);
 }
 
 // Callback invoked when cryptohome's GetKeyDataEx() method has finished.
 // * If GetKeyDataEx() returned metadata indicating the hashing algorithm and
 //   salt that were used to generate the key for this user's cryptohome,
 //   transforms the key in |attempt->user_context| with the same parameters.
 // * Otherwise, starts the retrieval of the system salt so that the key in
 //   |attempt->user_context| can be transformed with Chrome's default hashing
 //   algorithm and the system salt.
 // The resulting key is then passed to cryptohome's MountEx().
@@ skipping 38 matching lines @@
 
         if (!salt) {
           LOGIN_LOG(ERROR) << "Missing salt.";
           RecordKeyErrorAndResolve(attempt, resolver);
           return;
         }
 
         attempt->user_context.GetKey()->Transform(
             static_cast<Key::KeyType>(*type),
             *salt);
-        DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+        MigrateCryptohomeToGaiaId(attempt, resolver, ephemeral,
+                                  create_if_nonexistent);
         return;
       }
     } else {
       LOGIN_LOG(EVENT) << "GetKeyDataEx() returned " << key_definitions.size()
                        << " entries.";
     }
   }
 
   SystemSaltGetter::Get()->GetSystemSalt(base::Bind(&OnGetSystemSalt,
                                                     attempt,
@@ skipping 12 matching lines @@
 //   transformed accordingly before calling MountEx().
 void StartMount(const base::WeakPtr<AuthAttemptState>& attempt,
                 scoped_refptr<CryptohomeAuthenticator> resolver,
                 bool ephemeral,
                 bool create_if_nonexistent) {
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
       "CryptohomeMount-Start", false);
 
   if (attempt->user_context.GetKey()->GetKeyType() !=
           Key::KEY_TYPE_PASSWORD_PLAIN) {
-    DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+    MigrateCryptohomeToGaiaId(attempt, resolver, ephemeral,
+                              create_if_nonexistent);
     return;
   }
 
   cryptohome::HomedirMethods::GetInstance()->GetKeyDataEx(
-      cryptohome::Identification(
-          attempt->user_context.GetAccountId().GetUserEmail()),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       kCryptohomeGAIAKeyLabel, base::Bind(&OnGetKeyDataEx, attempt, resolver,
                                           ephemeral, create_if_nonexistent));
 }
 
 // Calls cryptohome's mount method for guest and also get the user hash from
 // cryptohome.
 void MountGuestAndGetHash(const base::WeakPtr<AuthAttemptState>& attempt,
                           scoped_refptr<CryptohomeAuthenticator> resolver) {
   attempt->UsernameHashRequested();
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncMountGuest(
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeMount-End",
                  attempt,
                  resolver));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveHash, attempt, resolver));
 }
 
 // Calls cryptohome's MountPublic method
 void MountPublic(const base::WeakPtr<AuthAttemptState>& attempt,
                  scoped_refptr<CryptohomeAuthenticator> resolver,
                  int flags) {
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncMountPublic(
-      attempt->user_context.GetAccountId().GetUserEmail(), flags,
+      cryptohome::Identification(attempt->user_context.GetAccountId()), flags,
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeMountPublic-End", attempt, resolver));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveHash, attempt, resolver));
 }
 
 // Calls cryptohome's key migration method.
 void Migrate(const base::WeakPtr<AuthAttemptState>& attempt,
              scoped_refptr<CryptohomeAuthenticator> resolver,
              bool passing_old_hash,
              const std::string& old_password,
              const std::string& system_salt) {
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
       "CryptohomeMigrate-Start", false);
   cryptohome::AsyncMethodCaller* caller =
       cryptohome::AsyncMethodCaller::GetInstance();
 
   // TODO(bartfab): Retrieve the hashing algorithm and salt to use for |old_key|
   // from cryptohomed.
   scoped_ptr<Key> old_key =
       TransformKeyIfNeeded(Key(old_password), system_salt);
   scoped_ptr<Key> new_key =
       TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   if (passing_old_hash) {
     caller->AsyncMigrateKey(
-        attempt->user_context.GetAccountId().GetUserEmail(),
+        cryptohome::Identification(attempt->user_context.GetAccountId()),
         old_key->GetSecret(), new_key->GetSecret(),
         base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End",
                    attempt, resolver));
   } else {
     caller->AsyncMigrateKey(
-        attempt->user_context.GetAccountId().GetUserEmail(),
+        cryptohome::Identification(attempt->user_context.GetAccountId()),
         new_key->GetSecret(), old_key->GetSecret(),
         base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End",
                    attempt, resolver));
   }
 }
 
 // Calls cryptohome's remove method.
 void Remove(const base::WeakPtr<AuthAttemptState>& attempt,
             scoped_refptr<CryptohomeAuthenticator> resolver) {
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
       "CryptohomeRemove-Start", false);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncRemove(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeRemove-End",
                  attempt, resolver));
 }
 
 // Calls cryptohome's key check method.
 void CheckKey(const base::WeakPtr<AuthAttemptState>& attempt,
               scoped_refptr<CryptohomeAuthenticator> resolver,
               const std::string& system_salt) {
   scoped_ptr<Key> key =
       TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncCheckKey(
-      attempt->user_context.GetAccountId().GetUserEmail(), key->GetSecret(),
-      base::Bind(&TriggerResolve, attempt, resolver));
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
+      key->GetSecret(), base::Bind(&TriggerResolve, attempt, resolver));
 }
 
 }  // namespace
 
 CryptohomeAuthenticator::CryptohomeAuthenticator(
     scoped_refptr<base::TaskRunner> task_runner,
     AuthStatusConsumer* consumer)
     : Authenticator(consumer),
       task_runner_(task_runner),
       migrate_attempted_(false),
@@ skipping 74 matching lines @@
                                             false,    // online_complete
                                             false));  // user_is_new
   remove_user_data_on_failure_ = false;
   StartMount(current_state_->AsWeakPtr(),
              scoped_refptr<CryptohomeAuthenticator>(this),
              false /* ephemeral */, false /* create_if_nonexistent */);
 }
 
 void CryptohomeAuthenticator::LoginOffTheRecord() {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
-  current_state_.reset(
-      new AuthAttemptState(UserContext(user_manager::USER_TYPE_GUEST,
-                                       login::GuestAccountId().GetUserEmail()),
-                           false,    // unlock
-                           false,    // online_complete
-                           false));  // user_is_new
+  current_state_.reset(new AuthAttemptState(
+      UserContext(user_manager::USER_TYPE_GUEST, login::GuestAccountId()),
+      false,    // unlock
+      false,    // online_complete
+      false));  // user_is_new
   remove_user_data_on_failure_ = false;
   ephemeral_mount_attempted_ = true;
   MountGuestAndGetHash(current_state_->AsWeakPtr(),
                        scoped_refptr<CryptohomeAuthenticator>(this));
 }
 
 void CryptohomeAuthenticator::LoginAsPublicSession(
     const UserContext& user_context) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
   DCHECK_EQ(user_manager::USER_TYPE_PUBLIC_ACCOUNT, user_context.GetUserType());
 
   current_state_.reset(
       new AuthAttemptState(user_context,
                            false,    // unlock
                            false,    // online_complete
                            false));  // user_is_new
   remove_user_data_on_failure_ = false;
   ephemeral_mount_attempted_ = true;
   StartMount(current_state_->AsWeakPtr(),
              scoped_refptr<CryptohomeAuthenticator>(this), true /* ephemeral */,
              true /* create_if_nonexistent */);
 }
 
 void CryptohomeAuthenticator::LoginAsKioskAccount(
-    const std::string& app_user_id,
+    const AccountId& app_account_id,
     bool use_guest_mount) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
 
-  const std::string user_id =
-      use_guest_mount ? login::GuestAccountId().GetUserEmail() : app_user_id;
+  const AccountId& account_id =
+      use_guest_mount ? login::GuestAccountId() : app_account_id;
   current_state_.reset(new AuthAttemptState(
-      UserContext(user_manager::USER_TYPE_KIOSK_APP, user_id),
+      UserContext(user_manager::USER_TYPE_KIOSK_APP, account_id),
       false,    // unlock
       false,    // online_complete
       false));  // user_is_new
 
   remove_user_data_on_failure_ = true;
   if (!use_guest_mount) {
     MountPublic(current_state_->AsWeakPtr(),
                 scoped_refptr<CryptohomeAuthenticator>(this),
                 cryptohome::CREATE_IF_MISSING);
   } else {
@@ skipping 375 matching lines @@
   Resolve();
 }
 
 void CryptohomeAuthenticator::SetOwnerState(bool owner_check_finished,
                                             bool check_result) {
   owner_is_verified_ = owner_check_finished;
   user_can_login_ = check_result;
 }
 
 }  // namespace chromeos