ChromeOS cryptohome should be able to use gaia id as user identifier.

chromeos/login/auth/cryptohome_authenticator.cc

Index: chromeos/login/auth/cryptohome_authenticator.cc
diff --git a/chromeos/login/auth/cryptohome_authenticator.cc b/chromeos/login/auth/cryptohome_authenticator.cc
index df430d08d0c69b60b5344f19362eca535b18128d..320a41729971e995cf853ab9072522916432b83c 100644
--- a/chromeos/login/auth/cryptohome_authenticator.cc
+++ b/chromeos/login/auth/cryptohome_authenticator.cc
@@ -13,6 +13,7 @@
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/weak_ptr.h"
+#include "chromeos/chromeos_switches.h"
 #include "chromeos/cryptohome/async_method_caller.h"
 #include "chromeos/cryptohome/cryptohome_parameters.h"
 #include "chromeos/cryptohome/homedir_methods.h"
@@ -27,6 +28,7 @@
 #include "chromeos/login_event_recorder.h"
 #include "components/device_event_log/device_event_log.h"
 #include "components/signin/core/account_id/account_id.h"
+#include "components/user_manager/known_user.h"
 #include "components/user_manager/user_type.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
@@ -149,12 +151,82 @@ void DoMount(const base::WeakPtr<AuthAttemptState>& attempt,
   }
 
   cryptohome::HomedirMethods::GetInstance()->MountEx(
-      cryptohome::Identification(
-          attempt->user_context.GetAccountId().GetUserEmail()),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       cryptohome::Authorization(auth_key), mount,
       base::Bind(&OnMount, attempt, resolver));
 }
 
+// Handle cryptohome migration status.
+void OnCryptohomeRenamed(const base::WeakPtr<AuthAttemptState>& attempt,
+                         scoped_refptr<CryptohomeAuthenticator> resolver,
+                         bool ephemeral,
+                         bool create_if_nonexistent,
+                         bool success,
+                         cryptohome::MountError return_code) {
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
+      "CryptohomeRename-End", false);
+  const AccountId account_id = attempt->user_context.GetAccountId();
+  if (success) {
+    cryptohome::SetGaiaIdMigrationStatusDone(account_id);
+  } else {
+    LOG(ERROR) << "Failed to rename cryptohome for account_id='"
+               << account_id.Serialize() << "' (return_code=" << return_code
+               << ")";
+  }
+
+  DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+}
+
+// This method migrates cryptohome identifier to gaia id (if needed),
+// and then calls Mount.
+void EnsureCryptohomeMigratedToGaiaId(
+    const base::WeakPtr<AuthAttemptState>& attempt,
+    scoped_refptr<CryptohomeAuthenticator> resolver,
+    bool ephemeral,
+    bool create_if_nonexistent) {
+  const bool is_gaiaid_migration_started = switches::IsGaiaIdMigrationStarted();
+  if (!is_gaiaid_migration_started) {
+    DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+    return;
+  }
+  const bool already_migrated = cryptohome::GetGaiaIdMigrationStatus(
+      attempt->user_context.GetAccountId());
+  const bool has_gaia_id =
+      !attempt->user_context.GetAccountId().GetGaiaId().empty();
+
+  bool need_migration = false;
+  if (!create_if_nonexistent && !already_migrated) {
+    if (has_gaia_id) {
+      need_migration = true;
+    } else {
+      LOG(WARNING) << "Account '"
+                   << attempt->user_context.GetAccountId().Serialize()
+                   << "' has no gaia id. Cryptohome migration skipped.";
+    }
+  }
+  if (need_migration) {
+    chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
+        "CryptohomeRename-Start", false);
+    const std::string& cryptohome_id_from =
+        attempt->user_context.GetAccountId().GetUserEmail();  // Migrated
+    const std::string cryptohome_id_to =
+        attempt->user_context.GetAccountId().GetGaiaIdKey();
+
+    cryptohome::HomedirMethods::GetInstance()->RenameCryptohome(
+        cryptohome::Identification::FromString(cryptohome_id_from),
+        cryptohome::Identification::FromString(cryptohome_id_to),
+        base::Bind(&OnCryptohomeRenamed, attempt, resolver, ephemeral,
+                   create_if_nonexistent));
+    return;
+  }
+  if (!already_migrated && has_gaia_id) {
+    // Mark new users migrated.
+    cryptohome::SetGaiaIdMigrationStatusDone(
+        attempt->user_context.GetAccountId());
+  }
+  DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+}

[stevenjb, 2016/02/23 19:27:34]

Can these be added separately?

[Alexander Alekseev, 2016/02/24 09:27:42]

What do you mean?

[stevenjb, 2016/02/24 17:25:43]

I was hoping it would be reasonable to add EnsureCryptohomeMigratedToGaiaId in a
separate CL (along with RenameCryptohome). With a CL this large if there are any
bugs in it (which may not show up until it gets to the PFQ), it will be very
difficult to revert it down the line. Breaking this up, even a little, would
help a lot.

[Alexander Alekseev, 2016/02/25 07:40:46]

Done.

+
 // Callback invoked when the system salt has been retrieved. Transforms the key
 // in |attempt->user_context| using Chrome's default hashing algorithm and the
 // system salt, then calls MountEx().
@@ -170,7 +242,8 @@ void OnGetSystemSalt(const base::WeakPtr<AuthAttemptState>& attempt,
       Key::KEY_TYPE_SALTED_SHA256_TOP_HALF,
       system_salt);
 
-  DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+  EnsureCryptohomeMigratedToGaiaId(attempt, resolver, ephemeral,
+                                   create_if_nonexistent);
 }
 
 // Callback invoked when cryptohome's GetKeyDataEx() method has finished.
@@ -229,7 +302,8 @@ void OnGetKeyDataEx(
         attempt->user_context.GetKey()->Transform(
             static_cast<Key::KeyType>(*type),
             *salt);
-        DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+        EnsureCryptohomeMigratedToGaiaId(attempt, resolver, ephemeral,
+                                         create_if_nonexistent);
         return;
       }
     } else {
@@ -262,13 +336,13 @@ void StartMount(const base::WeakPtr<AuthAttemptState>& attempt,
 
   if (attempt->user_context.GetKey()->GetKeyType() !=
           Key::KEY_TYPE_PASSWORD_PLAIN) {
-    DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+    EnsureCryptohomeMigratedToGaiaId(attempt, resolver, ephemeral,
+                                     create_if_nonexistent);
     return;
   }
 
   cryptohome::HomedirMethods::GetInstance()->GetKeyDataEx(
-      cryptohome::Identification(
-          attempt->user_context.GetAccountId().GetUserEmail()),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       kCryptohomeGAIAKeyLabel, base::Bind(&OnGetKeyDataEx, attempt, resolver,
                                           ephemeral, create_if_nonexistent));
 }
@@ -284,7 +358,7 @@ void MountGuestAndGetHash(const base::WeakPtr<AuthAttemptState>& attempt,
                  attempt,
                  resolver));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveHash, attempt, resolver));
 }
 
@@ -293,11 +367,11 @@ void MountPublic(const base::WeakPtr<AuthAttemptState>& attempt,
                  scoped_refptr<CryptohomeAuthenticator> resolver,
                  int flags) {
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncMountPublic(
-      attempt->user_context.GetAccountId().GetUserEmail(), flags,
+      cryptohome::Identification(attempt->user_context.GetAccountId()), flags,
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeMountPublic-End", attempt, resolver));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveHash, attempt, resolver));
 }
 
@@ -320,13 +394,13 @@ void Migrate(const base::WeakPtr<AuthAttemptState>& attempt,
       TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   if (passing_old_hash) {
     caller->AsyncMigrateKey(
-        attempt->user_context.GetAccountId().GetUserEmail(),
+        cryptohome::Identification(attempt->user_context.GetAccountId()),
         old_key->GetSecret(), new_key->GetSecret(),
         base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End",
                    attempt, resolver));
   } else {
     caller->AsyncMigrateKey(
-        attempt->user_context.GetAccountId().GetUserEmail(),
+        cryptohome::Identification(attempt->user_context.GetAccountId()),
         new_key->GetSecret(), old_key->GetSecret(),
         base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End",
                    attempt, resolver));
@@ -339,7 +413,7 @@ void Remove(const base::WeakPtr<AuthAttemptState>& attempt,
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
       "CryptohomeRemove-Start", false);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncRemove(
-      attempt->user_context.GetAccountId().GetUserEmail(),
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
       base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeRemove-End",
                  attempt, resolver));
 }
@@ -351,8 +425,8 @@ void CheckKey(const base::WeakPtr<AuthAttemptState>& attempt,
   scoped_ptr<Key> key =
       TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncCheckKey(
-      attempt->user_context.GetAccountId().GetUserEmail(), key->GetSecret(),
-      base::Bind(&TriggerResolve, attempt, resolver));
+      cryptohome::Identification(attempt->user_context.GetAccountId()),
+      key->GetSecret(), base::Bind(&TriggerResolve, attempt, resolver));
 }
 
 }  // namespace
@@ -447,12 +521,11 @@ void CryptohomeAuthenticator::LoginAsSupervisedUser(
 
 void CryptohomeAuthenticator::LoginOffTheRecord() {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
-  current_state_.reset(
-      new AuthAttemptState(UserContext(user_manager::USER_TYPE_GUEST,
-                                       login::GuestAccountId().GetUserEmail()),
-                           false,    // unlock
-                           false,    // online_complete
-                           false));  // user_is_new
+  current_state_.reset(new AuthAttemptState(
+      UserContext(user_manager::USER_TYPE_GUEST, login::GuestAccountId()),
+      false,    // unlock
+      false,    // online_complete
+      false));  // user_is_new
   remove_user_data_on_failure_ = false;
   ephemeral_mount_attempted_ = true;
   MountGuestAndGetHash(current_state_->AsWeakPtr(),
@@ -477,14 +550,14 @@ void CryptohomeAuthenticator::LoginAsPublicSession(
 }
 
 void CryptohomeAuthenticator::LoginAsKioskAccount(
-    const std::string& app_user_id,
+    const AccountId& app_account_id,
     bool use_guest_mount) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
 
-  const std::string user_id =
-      use_guest_mount ? login::GuestAccountId().GetUserEmail() : app_user_id;
+  const AccountId& account_id =
+      use_guest_mount ? login::GuestAccountId() : app_account_id;
   current_state_.reset(new AuthAttemptState(
-      UserContext(user_manager::USER_TYPE_KIOSK_APP, user_id),
+      UserContext(user_manager::USER_TYPE_KIOSK_APP, account_id),
       false,    // unlock
       false,    // online_complete
       false));  // user_is_new