Chromium Code Reviews Chromium Code Reviews
Issue 1693383003:
ChromeOS cryptohome should be able to use gaia id as user identifier. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: chromeos/login/auth/cryptohome_authenticator.cc |
| diff --git a/chromeos/login/auth/cryptohome_authenticator.cc b/chromeos/login/auth/cryptohome_authenticator.cc |
| index df430d08d0c69b60b5344f19362eca535b18128d..0141ea5e3b29a023f50894651d28fcaecfecb529 100644 |
| --- a/chromeos/login/auth/cryptohome_authenticator.cc |
| +++ b/chromeos/login/auth/cryptohome_authenticator.cc |
| @@ -13,6 +13,7 @@ |
| #include "base/location.h" |
| #include "base/logging.h" |
| #include "base/memory/weak_ptr.h" |
| +#include "chromeos/chromeos_switches.h" |
| #include "chromeos/cryptohome/async_method_caller.h" |
| #include "chromeos/cryptohome/cryptohome_parameters.h" |
| #include "chromeos/cryptohome/homedir_methods.h" |
| @@ -27,6 +28,7 @@ |
| #include "chromeos/login_event_recorder.h" |
| #include "components/device_event_log/device_event_log.h" |
| #include "components/signin/core/account_id/account_id.h" |
| +#include "components/user_manager/known_user.h" |
| #include "components/user_manager/user_type.h" |
| #include "third_party/cros_system_api/dbus/service_constants.h" |
| @@ -45,6 +47,9 @@ const char kKeyProviderDataTypeName[] = "type"; |
| // credentials is stored. |
| const char kKeyProviderDataSaltName[] = "salt"; |
| +// Subsystem name for GaiaId migration status. |
| +const char kCryptohome[] = "cryptohome"; |
| + |
| // Hashes |key| with |system_salt| if it its type is KEY_TYPE_PASSWORD_PLAIN. |
| // Returns the keys unmodified otherwise. |
| scoped_ptr<Key> TransformKeyIfNeeded(const Key& key, |
| @@ -115,6 +120,25 @@ void OnMount(const base::WeakPtr<AuthAttemptState>& attempt, |
| resolver->Resolve(); |
| } |
| +// Handle cryptohome migration status. |
| +void OnCryptohomeRenamed(const AccountId& account_id, |
| + const base::Closure& callback, |
| + bool success, |
| + cryptohome::MountError return_code) { |
| + chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker( |
| + "CryptohomeRename-End", false); |
| + if (success) { |
| + user_manager::known_user::SetGaiaIdMigrationStatusDone(account_id, |
| + kCryptohome); |
| + } else { |
| + LOG(ERROR) << "Failed to rename cryptohome for account_id={" |
| + << account_id.Serialize() << "} (return_code=" << return_code |
| + << ")"; |
|
xiyuan
2016/02/17 23:14:26
What happens if we run into this? User sees a logi
Alexander Alekseev
2016/02/18 13:45:15
You're right. I've updated cryprohome::Identificat
|
| + } |
| + |
| + callback.Run(); |
| +} |
| + |
| // Calls cryptohome's MountEx() method. The key in |attempt->user_context| must |
| // not be a plain text password. If the user provided a plain text password, |
| // that password must be transformed to another key type (by salted hashing) |
| @@ -147,12 +171,36 @@ void DoMount(const base::WeakPtr<AuthAttemptState>& attempt, |
| kCryptohomeGAIAKeyLabel, |
| cryptohome::PRIV_DEFAULT)); |
| } |
| - |
| - cryptohome::HomedirMethods::GetInstance()->MountEx( |
| - cryptohome::Identification( |
| - attempt->user_context.GetAccountId().GetUserEmail()), |
| + const bool is_gaiaid_migration_started = switches::IsGaiaIdMigrationStarted(); |
| + const base::Closure do_call_mount_ex = base::Bind( |
| + &cryptohome::HomedirMethods::MountEx, |
| + base::Unretained(cryptohome::HomedirMethods::GetInstance()), |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| cryptohome::Authorization(auth_key), mount, |
| base::Bind(&OnMount, attempt, resolver)); |
| + if (is_gaiaid_migration_started && !create_if_nonexistent && |
| + !user_manager::known_user::GetGaiaIdMigrationStatus( |
| + attempt->user_context.GetAccountId(), kCryptohome)) { |
| + chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker( |
| + "CryptohomeRename-Start", false); |
| + const std::string& cryptohome_id_from = |
| + attempt->user_context.GetAccountId().GetUserEmail(); // Migrated |
| + const std::string cryptohome_id_to = |
| + attempt->user_context.GetAccountId().GetGaiaIdKey(); |
|
xiyuan
2016/02/17 23:14:26
This looks like for the existing users. How can we
Alexander Alekseev
2016/02/18 13:45:15
You're right. I will also split migration from mou
|
| + |
| + cryptohome::HomedirMethods::GetInstance()->RenameCryptohome( |
| + cryptohome::Identification::FromString(cryptohome_id_from), |
| + cryptohome::Identification::FromString(cryptohome_id_to), |
| + base::Bind(&OnCryptohomeRenamed, attempt->user_context.GetAccountId(), |
| + do_call_mount_ex)); |
| + } else { |
| + // Mark new users migrated. |
| + if (is_gaiaid_migration_started) { |
| + user_manager::known_user::SetGaiaIdMigrationStatusDone( |
| + attempt->user_context.GetAccountId(), kCryptohome); |
| + } |
| + do_call_mount_ex.Run(); |
| + } |
| } |
| // Callback invoked when the system salt has been retrieved. Transforms the key |
| @@ -267,8 +315,7 @@ void StartMount(const base::WeakPtr<AuthAttemptState>& attempt, |
| } |
| cryptohome::HomedirMethods::GetInstance()->GetKeyDataEx( |
| - cryptohome::Identification( |
| - attempt->user_context.GetAccountId().GetUserEmail()), |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| kCryptohomeGAIAKeyLabel, base::Bind(&OnGetKeyDataEx, attempt, resolver, |
| ephemeral, create_if_nonexistent)); |
| } |
| @@ -284,7 +331,7 @@ void MountGuestAndGetHash(const base::WeakPtr<AuthAttemptState>& attempt, |
| attempt, |
| resolver)); |
| cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername( |
| - attempt->user_context.GetAccountId().GetUserEmail(), |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| base::Bind(&TriggerResolveHash, attempt, resolver)); |
| } |
| @@ -293,11 +340,11 @@ void MountPublic(const base::WeakPtr<AuthAttemptState>& attempt, |
| scoped_refptr<CryptohomeAuthenticator> resolver, |
| int flags) { |
| cryptohome::AsyncMethodCaller::GetInstance()->AsyncMountPublic( |
| - attempt->user_context.GetAccountId().GetUserEmail(), flags, |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), flags, |
| base::Bind(&TriggerResolveWithLoginTimeMarker, |
| "CryptohomeMountPublic-End", attempt, resolver)); |
| cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername( |
| - attempt->user_context.GetAccountId().GetUserEmail(), |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| base::Bind(&TriggerResolveHash, attempt, resolver)); |
| } |
| @@ -320,13 +367,13 @@ void Migrate(const base::WeakPtr<AuthAttemptState>& attempt, |
| TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt); |
| if (passing_old_hash) { |
| caller->AsyncMigrateKey( |
| - attempt->user_context.GetAccountId().GetUserEmail(), |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| old_key->GetSecret(), new_key->GetSecret(), |
| base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End", |
| attempt, resolver)); |
| } else { |
| caller->AsyncMigrateKey( |
| - attempt->user_context.GetAccountId().GetUserEmail(), |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| new_key->GetSecret(), old_key->GetSecret(), |
| base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeMount-End", |
| attempt, resolver)); |
| @@ -339,7 +386,7 @@ void Remove(const base::WeakPtr<AuthAttemptState>& attempt, |
| chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker( |
| "CryptohomeRemove-Start", false); |
| cryptohome::AsyncMethodCaller::GetInstance()->AsyncRemove( |
| - attempt->user_context.GetAccountId().GetUserEmail(), |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| base::Bind(&TriggerResolveWithLoginTimeMarker, "CryptohomeRemove-End", |
| attempt, resolver)); |
| } |
| @@ -351,8 +398,8 @@ void CheckKey(const base::WeakPtr<AuthAttemptState>& attempt, |
| scoped_ptr<Key> key = |
| TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt); |
| cryptohome::AsyncMethodCaller::GetInstance()->AsyncCheckKey( |
| - attempt->user_context.GetAccountId().GetUserEmail(), key->GetSecret(), |
| - base::Bind(&TriggerResolve, attempt, resolver)); |
| + cryptohome::Identification(attempt->user_context.GetAccountId()), |
| + key->GetSecret(), base::Bind(&TriggerResolve, attempt, resolver)); |
| } |
| } // namespace |
| @@ -447,12 +494,11 @@ void CryptohomeAuthenticator::LoginAsSupervisedUser( |
| void CryptohomeAuthenticator::LoginOffTheRecord() { |
| DCHECK(task_runner_->RunsTasksOnCurrentThread()); |
| - current_state_.reset( |
| - new AuthAttemptState(UserContext(user_manager::USER_TYPE_GUEST, |
| - login::GuestAccountId().GetUserEmail()), |
| - false, // unlock |
| - false, // online_complete |
| - false)); // user_is_new |
| + current_state_.reset(new AuthAttemptState( |
| + UserContext(user_manager::USER_TYPE_GUEST, login::GuestAccountId()), |
| + false, // unlock |
| + false, // online_complete |
| + false)); // user_is_new |
| remove_user_data_on_failure_ = false; |
| ephemeral_mount_attempted_ = true; |
| MountGuestAndGetHash(current_state_->AsWeakPtr(), |
| @@ -481,10 +527,12 @@ void CryptohomeAuthenticator::LoginAsKioskAccount( |
| bool use_guest_mount) { |
| DCHECK(task_runner_->RunsTasksOnCurrentThread()); |
| - const std::string user_id = |
| - use_guest_mount ? login::GuestAccountId().GetUserEmail() : app_user_id; |
| + const AccountId account_id = |
| + use_guest_mount |
| + ? login::GuestAccountId() |
| + : AccountId::FromUserEmail(login::CanonicalizeUserID(app_user_id)); |
|
xiyuan
2016/02/17 23:14:26
We should not call login::CanonicalizeUserID for k
Alexander Alekseev
2016/02/18 13:45:15
This has always happened in UserContext constructo
|
| current_state_.reset(new AuthAttemptState( |
| - UserContext(user_manager::USER_TYPE_KIOSK_APP, user_id), |
| + UserContext(user_manager::USER_TYPE_KIOSK_APP, account_id), |
| false, // unlock |
| false, // online_complete |
| false)); // user_is_new |
