ChromeOS cryptohome should be able to use gaia id as user identifier.

chromeos/login/auth/cryptohome_authenticator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/login/auth/cryptohome_authenticator.h"
 
 #include <stdint.h>
 
 #include <vector>
 
 #include "base/bind.h"
 #include "base/files/file_path.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/weak_ptr.h"
+#include "chromeos/chromeos_switches.h"
 #include "chromeos/cryptohome/async_method_caller.h"
 #include "chromeos/cryptohome/cryptohome_parameters.h"
 #include "chromeos/cryptohome/homedir_methods.h"
 #include "chromeos/cryptohome/system_salt_getter.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/login/auth/auth_status_consumer.h"
 #include "chromeos/login/auth/key.h"
 #include "chromeos/login/auth/user_context.h"
 #include "chromeos/login/login_state.h"
 #include "chromeos/login/user_names.h"
 #include "chromeos/login_event_recorder.h"
 #include "components/device_event_log/device_event_log.h"
 #include "components/signin/core/account_id/account_id.h"
+#include "components/user_manager/known_user.h"
 #include "components/user_manager/user_type.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace chromeos {
 
 namespace {
 
 // The label used for the key derived from the user's GAIA credentials.
 const char kCryptohomeGAIAKeyLabel[] = "gaia";
 
 // The name under which the type of key generated from the user's GAIA
 // credentials is stored.
 const char kKeyProviderDataTypeName[] = "type";
 
 // The name under which the salt used to generate a key from the user's GAIA
 // credentials is stored.
 const char kKeyProviderDataSaltName[] = "salt";
 
+// Subsystem name for GaiaId migration status.
+const char kCryptohome[] = "cryptohome";
+
 // Hashes |key| with |system_salt| if it its type is KEY_TYPE_PASSWORD_PLAIN.
 // Returns the keys unmodified otherwise.
 scoped_ptr<Key> TransformKeyIfNeeded(const Key& key,
                                      const std::string& system_salt) {
   scoped_ptr<Key> result(new Key(key));
   if (result->GetKeyType() == Key::KEY_TYPE_PASSWORD_PLAIN)
     result->Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt);
 
   return result;
 }
@@ skipping 50 matching lines @@
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker("CryptohomeMount-End",
                                                           false);
   attempt->RecordCryptohomeStatus(success, return_code);
   if (success)
     attempt->RecordUsernameHash(mount_hash);
   else
     attempt->RecordUsernameHashFailed();
   resolver->Resolve();
 }
 
+// Handle cryptohome migration status.
+void OnCryptohomeRenamed(const AccountId& account_id,
+                         const base::Closure& callback,
+                         bool success,
+                         cryptohome::MountError return_code) {
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
+      "CryptohomeRename-End", false);
+  if (success) {
+    user_manager::known_user::SetGaiaIdMigrationStatusDone(account_id,
+                                                           kCryptohome);
+  } else {
+    LOG(ERROR) << "Failed to rename cryptohome for account_id={"
+               << account_id.Serialize() << "} (return_code=" << return_code
+               << ")";

[xiyuan, 2016/02/17 23:14:26]

What happens if we run into this? User sees a login error? Or we create a new
cryptohome and leave the old one around? None of these is ideal. I wonder
whether it makes sense to also have a error_callback to mount using the old id
so that we don't lock user out on the failure case.

[Alexander Alekseev, 2016/02/18 13:45:15]

You're right. I've updated cryprohome::Identification.

+  }
+
+  callback.Run();
+}
+
 // Calls cryptohome's MountEx() method. The key in |attempt->user_context| must
 // not be a plain text password. If the user provided a plain text password,
 // that password must be transformed to another key type (by salted hashing)
 // before calling this method.
 void DoMount(const base::WeakPtr<AuthAttemptState>& attempt,
              scoped_refptr<CryptohomeAuthenticator> resolver,
              bool ephemeral,
              bool create_if_nonexistent) {
   const Key* key = attempt->user_context.GetKey();
   // If the |key| is a plain text password, crash rather than attempting to
@@ skipping 12 matching lines @@
   const cryptohome::KeyDefinition auth_key(key->GetSecret(),
                                            std::string(),
                                            cryptohome::PRIV_DEFAULT);
   cryptohome::MountParameters mount(ephemeral);
   if (create_if_nonexistent) {
     mount.create_keys.push_back(cryptohome::KeyDefinition(
         key->GetSecret(),
         kCryptohomeGAIAKeyLabel,
         cryptohome::PRIV_DEFAULT));
   }
-
-  cryptohome::HomedirMethods::GetInstance()->MountEx(
-      cryptohome::Identification(
-          attempt->user_context.GetAccountId().GetUserEmail()),
+  const bool is_gaiaid_migration_started = switches::IsGaiaIdMigrationStarted();
+  const base::Closure do_call_mount_ex = base::Bind(
+      &cryptohome::HomedirMethods::MountEx,
+      base::Unretained(cryptohome::HomedirMethods::GetInstance()),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       cryptohome::Authorization(auth_key), mount,
       base::Bind(&OnMount, attempt, resolver));
+  if (is_gaiaid_migration_started && !create_if_nonexistent &&
+      !user_manager::known_user::GetGaiaIdMigrationStatus(
+          attempt->user_context.GetAccountId(), kCryptohome)) {
+    chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
+        "CryptohomeRename-Start", false);
+    const std::string& cryptohome_id_from =
+        attempt->user_context.GetAccountId().GetUserEmail();  // Migrated
+    const std::string cryptohome_id_to =
+        attempt->user_context.GetAccountId().GetGaiaIdKey();

[xiyuan, 2016/02/17 23:14:26]

This looks like for the existing users. How can we be sure that we already have
gaiaId for those users?

[Alexander Alekseev, 2016/02/18 13:45:15]

You're right. I will also split migration from mount.

+
+    cryptohome::HomedirMethods::GetInstance()->RenameCryptohome(
+        cryptohome::Identification::FromString(cryptohome_id_from),
+        cryptohome::Identification::FromString(cryptohome_id_to),
+        base::Bind(&OnCryptohomeRenamed, attempt->user_context.GetAccountId(),
+                   do_call_mount_ex));
+  } else {
+    // Mark new users migrated.
+    if (is_gaiaid_migration_started) {
+      user_manager::known_user::SetGaiaIdMigrationStatusDone(
+          attempt->user_context.GetAccountId(), kCryptohome);
+    }
+    do_call_mount_ex.Run();
+  }
 }
 
 // Callback invoked when the system salt has been retrieved. Transforms the key
 // in |attempt->user_context| using Chrome's default hashing algorithm and the
 // system salt, then calls MountEx().
 void OnGetSystemSalt(const base::WeakPtr<AuthAttemptState>& attempt,
                      scoped_refptr<CryptohomeAuthenticator> resolver,
                      bool ephemeral,
                      bool create_if_nonexistent,
                      const std::string& system_salt) {
@@ skipping 94 matching lines @@
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
       "CryptohomeMount-Start", false);
 
   if (attempt->user_context.GetKey()->GetKeyType() !=
           Key::KEY_TYPE_PASSWORD_PLAIN) {
     DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
     return;
   }
 
   cryptohome::HomedirMethods::GetInstance()->GetKeyDataEx(
-      cryptohome::Identification(
-          attempt->user_context.GetAccountId().GetUserEmail()),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       kCryptohomeGAIAKeyLabel, base::Bind(&OnGetKeyDataEx, attempt, resolver,
                                           ephemeral, create_if_nonexistent));
 }
 
 // Calls cryptohome's mount method for guest and also get the user hash from
 // cryptohome.
 void MountGuestAndGetHash(const base::WeakPtr<AuthAttemptState>& attempt,
                           scoped_refptr<CryptohomeAuthenticator> resolver) {
   attempt->UsernameHashRequested();
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncMountGuest(
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeMount-End",
                  attempt,
                  resolver));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveHash, attempt, resolver));
 }
 
 // Calls cryptohome's MountPublic method
 void MountPublic(const base::WeakPtr<AuthAttemptState>& attempt,
                  scoped_refptr<CryptohomeAuthenticator> resolver,
                  int flags) {
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncMountPublic(
-      attempt->user_context.GetAccountId().GetUserEmail(), flags,
+      cryptohome::Identification(attempt->user_context.GetAccountId()), flags,
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeMountPublic-End", attempt, resolver));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveHash, attempt, resolver));
 }
 
 // Calls cryptohome's key migration method.
 void Migrate(const base::WeakPtr<AuthAttemptState>& attempt,
              scoped_refptr<CryptohomeAuthenticator> resolver,
              bool passing_old_hash,
              const std::string& old_password,
              const std::string& system_salt) {
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
       "CryptohomeMigrate-Start", false);
   cryptohome::AsyncMethodCaller* caller =
       cryptohome::AsyncMethodCaller::GetInstance();
 
   // TODO(bartfab): Retrieve the hashing algorithm and salt to use for |old_key|
   // from cryptohomed.
   scoped_ptr<Key> old_key =
       TransformKeyIfNeeded(Key(old_password), system_salt);
   scoped_ptr<Key> new_key =
       TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   if (passing_old_hash) {
     caller->AsyncMigrateKey(
-        attempt->user_context.GetAccountId().GetUserEmail(),
+        cryptohome::Identification(attempt->user_context.GetAccountId()),
         old_key->GetSecret(), new_key->GetSecret(),
         base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End",
                    attempt, resolver));
   } else {
     caller->AsyncMigrateKey(
-        attempt->user_context.GetAccountId().GetUserEmail(),
+        cryptohome::Identification(attempt->user_context.GetAccountId()),
         new_key->GetSecret(), old_key->GetSecret(),
         base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End",
                    attempt, resolver));
   }
 }
 
 // Calls cryptohome's remove method.
 void Remove(const base::WeakPtr<AuthAttemptState>& attempt,
             scoped_refptr<CryptohomeAuthenticator> resolver) {
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
       "CryptohomeRemove-Start", false);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncRemove(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeRemove-End",
                  attempt, resolver));
 }
 
 // Calls cryptohome's key check method.
 void CheckKey(const base::WeakPtr<AuthAttemptState>& attempt,
               scoped_refptr<CryptohomeAuthenticator> resolver,
               const std::string& system_salt) {
   scoped_ptr<Key> key =
       TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncCheckKey(
-      attempt->user_context.GetAccountId().GetUserEmail(), key->GetSecret(),
-      base::Bind(&TriggerResolve, attempt, resolver));
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
+      key->GetSecret(), base::Bind(&TriggerResolve, attempt, resolver));
 }
 
 }  // namespace
 
 CryptohomeAuthenticator::CryptohomeAuthenticator(
     scoped_refptr<base::TaskRunner> task_runner,
     AuthStatusConsumer* consumer)
     : Authenticator(consumer),
       task_runner_(task_runner),
       migrate_attempted_(false),
@@ skipping 74 matching lines @@
                                             false,    // online_complete
                                             false));  // user_is_new
   remove_user_data_on_failure_ = false;
   StartMount(current_state_->AsWeakPtr(),
              scoped_refptr<CryptohomeAuthenticator>(this),
              false /* ephemeral */, false /* create_if_nonexistent */);
 }
 
 void CryptohomeAuthenticator::LoginOffTheRecord() {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
-  current_state_.reset(
-      new AuthAttemptState(UserContext(user_manager::USER_TYPE_GUEST,
-                                       login::GuestAccountId().GetUserEmail()),
-                           false,    // unlock
-                           false,    // online_complete
-                           false));  // user_is_new
+  current_state_.reset(new AuthAttemptState(
+      UserContext(user_manager::USER_TYPE_GUEST, login::GuestAccountId()),
+      false,    // unlock
+      false,    // online_complete
+      false));  // user_is_new
   remove_user_data_on_failure_ = false;
   ephemeral_mount_attempted_ = true;
   MountGuestAndGetHash(current_state_->AsWeakPtr(),
                        scoped_refptr<CryptohomeAuthenticator>(this));
 }
 
 void CryptohomeAuthenticator::LoginAsPublicSession(
     const UserContext& user_context) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
   DCHECK_EQ(user_manager::USER_TYPE_PUBLIC_ACCOUNT, user_context.GetUserType());
 
   current_state_.reset(
       new AuthAttemptState(user_context,
                            false,    // unlock
                            false,    // online_complete
                            false));  // user_is_new
   remove_user_data_on_failure_ = false;
   ephemeral_mount_attempted_ = true;
   StartMount(current_state_->AsWeakPtr(),
              scoped_refptr<CryptohomeAuthenticator>(this), true /* ephemeral */,
              true /* create_if_nonexistent */);
 }
 
 void CryptohomeAuthenticator::LoginAsKioskAccount(
     const std::string& app_user_id,
     bool use_guest_mount) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
 
-  const std::string user_id =
-      use_guest_mount ? login::GuestAccountId().GetUserEmail() : app_user_id;
+  const AccountId account_id =
+      use_guest_mount
+          ? login::GuestAccountId()
+          : AccountId::FromUserEmail(login::CanonicalizeUserID(app_user_id));

[xiyuan, 2016/02/17 23:14:26]

We should not call login::CanonicalizeUserID for kiosk app since |app_user_id|
is not necessarily an email. Since we already use the value as is, we should not
change it. Otherwise, existing kiosk app would be switched to new cryptohome and
lose all its local data.

[Alexander Alekseev, 2016/02/18 13:45:15]

This has always happened in UserContext constructor (see
chromeos/login/auth/user_context.cc below). As now UserContext requires
AccountId, I moved this transformation here.

   current_state_.reset(new AuthAttemptState(
-      UserContext(user_manager::USER_TYPE_KIOSK_APP, user_id),
+      UserContext(user_manager::USER_TYPE_KIOSK_APP, account_id),
       false,    // unlock
       false,    // online_complete
       false));  // user_is_new
 
   remove_user_data_on_failure_ = true;
   if (!use_guest_mount) {
     MountPublic(current_state_->AsWeakPtr(),
                 scoped_refptr<CryptohomeAuthenticator>(this),
                 cryptohome::CREATE_IF_MISSING);
   } else {
@@ skipping 375 matching lines @@
   Resolve();
 }
 
 void CryptohomeAuthenticator::SetOwnerState(bool owner_check_finished,
                                             bool check_result) {
   owner_is_verified_ = owner_check_finished;
   user_can_login_ = check_result;
 }
 
 }  // namespace chromeos