ChromeOS cryptohome should be able to use gaia id as user identifier.

chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h"
 
 #include <stddef.h>
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/files/file_util.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/metrics/histogram.h"
 #include "base/sequenced_task_runner.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "chrome/browser/chromeos/policy/user_policy_disk_cache.h"
 #include "chrome/browser/chromeos/policy/user_policy_token_loader.h"
+#include "chromeos/cryptohome/cryptohome_parameters.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/session_manager_client.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "policy/proto/cloud_policy.pb.h"
 #include "policy/proto/device_management_local.pb.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
@@ skipping 138 matching lines @@
       return CloudPolicyStore::STATUS_LOAD_ERROR;
   }
   NOTREACHED();
   return CloudPolicyStore::STATUS_OK;
 }
 
 UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS(
     chromeos::CryptohomeClient* cryptohome_client,
     chromeos::SessionManagerClient* session_manager_client,
     scoped_refptr<base::SequencedTaskRunner> background_task_runner,
-    const std::string& username,
+    const AccountId& account_id,
     const base::FilePath& user_policy_key_dir,
     const base::FilePath& legacy_token_cache_file,
     const base::FilePath& legacy_policy_cache_file)
     : UserCloudPolicyStoreBase(background_task_runner),
       cryptohome_client_(cryptohome_client),
       session_manager_client_(session_manager_client),
-      username_(username),
+      account_id_(account_id),
       user_policy_key_dir_(user_policy_key_dir),
       legacy_cache_dir_(legacy_token_cache_file.DirName()),
       legacy_loader_(new LegacyPolicyCacheLoader(legacy_token_cache_file,
                                                  legacy_policy_cache_file,
                                                  background_task_runner)),
       legacy_caches_loaded_(false),
       policy_key_loaded_(false),
       weak_factory_(this) {}
 
 UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {}
 
 void UserCloudPolicyStoreChromeOS::Store(
     const em::PolicyFetchResponse& policy) {
   // Cancel all pending requests.
   weak_factory_.InvalidateWeakPtrs();
   scoped_ptr<em::PolicyFetchResponse> response(
       new em::PolicyFetchResponse(policy));
   EnsurePolicyKeyLoaded(
       base::Bind(&UserCloudPolicyStoreChromeOS::ValidatePolicyForStore,
                  weak_factory_.GetWeakPtr(),
                  base::Passed(&response)));
 }
 
 void UserCloudPolicyStoreChromeOS::Load() {
   // Cancel all pending requests.
   weak_factory_.InvalidateWeakPtrs();
   session_manager_client_->RetrievePolicyForUser(
-      username_,
+      cryptohome::Identification(account_id_).id(),
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyRetrieved,
                  weak_factory_.GetWeakPtr()));
 }
 
 void UserCloudPolicyStoreChromeOS::LoadImmediately() {
   // This blocking DBus call is in the startup path and will block the UI
   // thread. This only happens when the Profile is created synchronously, which
   // on ChromeOS happens whenever the browser is restarted into the same
   // session. That happens when the browser crashes, or right after signin if
   // the user has flags configured in about:flags.
   // However, on those paths we must load policy synchronously so that the
   // Profile initialization never sees unmanaged prefs, which would lead to
   // data loss. http://crbug.com/263061
   std::string policy_blob =
-      session_manager_client_->BlockingRetrievePolicyForUser(username_);
+      session_manager_client_->BlockingRetrievePolicyForUser(
+          cryptohome::Identification(account_id_).id());
   if (policy_blob.empty()) {
     // The session manager doesn't have policy, or the call failed.
     // Just notify that the load is done, and don't bother with the legacy
     // caches in this case.
     NotifyStoreLoaded();
     return;
   }
 
   scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse());
   if (!policy->ParseFromString(policy_blob)) {
     status_ = STATUS_PARSE_ERROR;
     NotifyStoreError();
     return;
   }
 
   std::string sanitized_username =
-      cryptohome_client_->BlockingGetSanitizedUsername(username_);
+      cryptohome_client_->BlockingGetSanitizedUsername(
+          cryptohome::Identification(account_id_).id());
   if (sanitized_username.empty()) {
     status_ = STATUS_LOAD_ERROR;
     NotifyStoreError();
     return;
   }
 
   policy_key_path_ = user_policy_key_dir_.Append(
       base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
   LoadPolicyKey(policy_key_path_, &policy_key_);
   policy_key_loaded_ = true;
 
   scoped_ptr<UserCloudPolicyValidator> validator =
       CreateValidatorForLoad(std::move(policy));
   validator->RunValidation();
   OnRetrievedPolicyValidated(validator.get());
 }
 
 void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
     scoped_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator.
   scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator(
       std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
-  validator->ValidateUsername(username_, true);
+  validator->ValidateUsername(account_id_.GetUserEmail(), true);
   if (policy_key_.empty()) {
     validator->ValidateInitialKey(GetPolicyVerificationKey(),
-                                  ExtractDomain(username_));
+                                  ExtractDomain(account_id_.GetUserEmail()));
   } else {
     const bool allow_rotation = true;
-    validator->ValidateSignature(policy_key_,
-                                 GetPolicyVerificationKey(),
-                                 ExtractDomain(username_),
+    validator->ValidateSignature(policy_key_, GetPolicyVerificationKey(),
+                                 ExtractDomain(account_id_.GetUserEmail()),
                                  allow_rotation);
   }
 
   // Start validation. The Validator will delete itself once validation is
   // complete.
   validator.release()->StartValidation(
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
                  weak_factory_.GetWeakPtr()));
 }
 
@@ skipping 13 matching lines @@
   }
 
   std::string policy_blob;
   if (!validator->policy()->SerializeToString(&policy_blob)) {
     status_ = STATUS_SERIALIZE_ERROR;
     NotifyStoreError();
     return;
   }
 
   session_manager_client_->StorePolicyForUser(
-      username_,
-      policy_blob,
+      cryptohome::Identification(account_id_).id(), policy_blob,
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyStored,
                  weak_factory_.GetWeakPtr()));
 }
 
 void UserCloudPolicyStoreChromeOS::OnPolicyStored(bool success) {
   if (!success) {
     status_ = STATUS_STORE_ERROR;
     NotifyStoreError();
   } else {
     // Load the policy right after storing it, to make sure it was accepted by
@@ skipping 86 matching lines @@
     const std::string& dm_token,
     const std::string& device_id,
     Status status,
     scoped_ptr<em::PolicyFetchResponse> policy) {
   status_ = status;
   if (policy.get()) {
     // Create and configure a validator for the loaded legacy policy. Note that
     // the signature on this policy is not verified.
     scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator(
         std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
-    validator->ValidateUsername(username_, true);
+    validator->ValidateUsername(account_id_.GetUserEmail(), true);
     validator.release()->StartValidation(
         base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated,
                    weak_factory_.GetWeakPtr(),
                    dm_token,
                    device_id));
   } else {
     InstallLegacyTokens(dm_token, device_id);
   }
 }
 
@@ skipping 92 matching lines @@
   callback.Run();
 }
 
 void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
     const base::Closure& callback) {
   if (policy_key_loaded_) {
     callback.Run();
   } else {
     // Get the hashed username that's part of the key's path, to determine
     // |policy_key_path_|.
-    cryptohome_client_->GetSanitizedUsername(username_,
+    cryptohome_client_->GetSanitizedUsername(
+        account_id_.GetUserEmail(),

[xiyuan, 2016/02/17 23:14:25]

Should we use cryptohome::Identification(account_id_).id() instead since we were
using that for cryptohome_client_->BlockingGetSanitizedUsername(...) around line
250?

[Alexander Alekseev, 2016/02/18 13:45:14]

you are right.
This is why I was talking about using cryptohome::Identification in
chromeos/dbus. I missed this string.

         base::Bind(&UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername,
-                   weak_factory_.GetWeakPtr(),
-                   callback));
+                   weak_factory_.GetWeakPtr(), callback));
   }
 }
 
 void UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername(
     const base::Closure& callback,
     chromeos::DBusMethodCallStatus call_status,
     const std::string& sanitized_username) {
   // The default empty path will always yield an empty key.
   if (call_status == chromeos::DBUS_METHOD_CALL_SUCCESS &&
       !sanitized_username.empty()) {
     policy_key_path_ = user_policy_key_dir_.Append(
         base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
   } else {
     SampleValidationFailure(VALIDATION_FAILURE_DBUS);
   }
   ReloadPolicyKey(callback);
 }
 
 scoped_ptr<UserCloudPolicyValidator>
 UserCloudPolicyStoreChromeOS::CreateValidatorForLoad(
     scoped_ptr<em::PolicyFetchResponse> policy) {
   scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator(
       std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE);
-  validator->ValidateUsername(username_, true);
+  validator->ValidateUsername(account_id_.GetUserEmail(), true);
   const bool allow_rotation = false;
   const std::string empty_key = std::string();
   // The policy loaded from session manager need not be validated using the
   // verification key since it is secure, and since there may be legacy policy
   // data that was stored without a verification key. Hence passing an empty
   // value for the verification key.
-  validator->ValidateSignature(
-      policy_key_, empty_key, ExtractDomain(username_), allow_rotation);
+  validator->ValidateSignature(policy_key_, empty_key,
+                               ExtractDomain(account_id_.GetUserEmail()),
+                               allow_rotation);
   return validator;
 }
 }  // namespace policy