cros: Added policies for screen unlock.

chrome/browser/chromeos/login/quick_unlock/pin_storage.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/quick_unlock/pin_storage.h"
 
 #include "base/base64.h"
 #include "base/strings/string_util.h"
 #include "chrome/browser/chromeos/login/quick_unlock/quick_unlock_utils.h"
 #include "chrome/common/pref_names.h"
@@ skipping 22 matching lines @@
 // Computes the hash for |pin| and |salt|.
 std::string ComputeSecret(const std::string& pin, const std::string& salt) {
   Key key(pin);
   key.Transform(Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234, salt);
   return key.GetSecret();
 }
 
 }  // namespace
 
 // static
-const base::TimeDelta PinStorage::kStrongAuthTimeout =
-    base::TimeDelta::FromHours(24);
-
-// static
 void PinStorage::RegisterProfilePrefs(
     user_prefs::PrefRegistrySyncable* registry) {
   registry->RegisterStringPref(prefs::kQuickUnlockPinSalt, "",
                                user_prefs::PrefRegistrySyncable::SYNCABLE_PREF);
   registry->RegisterStringPref(prefs::kQuickUnlockPinSecret, "",
                                user_prefs::PrefRegistrySyncable::SYNCABLE_PREF);
 }
 
 PinStorage::PinStorage(PrefService* pref_service)
     : pref_service_(pref_service) {}
 
 PinStorage::~PinStorage() {}
 
 void PinStorage::MarkStrongAuth() {
   last_strong_auth_ = base::Time::Now();
   ResetUnlockAttemptCount();
 }
 
 bool PinStorage::HasStrongAuth() const {
   return !last_strong_auth_.is_null();
 }
 
+bool PinStorage::NeedsStrongAuth() const {
+  PasswordConfirmation strong_auth_interval =
+      static_cast<PasswordConfirmation>(pref_service_->GetInteger(
+          prefs::kScreenUnlockPasswordConfirmationFrequency));
+  base::TimeDelta strong_auth_timeout;
+  switch (strong_auth_interval) {

[jdufault, 2016/10/04 17:55:06]

Have a helper function that converts PasswordConfirmation enums to
base::TimeDelta values and call that helper function instead of embedding the
switch statement.

[sammiequon, 2016/10/18 22:47:49]

Done.

+    case PasswordConfirmation::SIX_HOURS:
+      strong_auth_timeout = base::TimeDelta::FromHours(6);
+      break;
+    case PasswordConfirmation::TWELVE_HOURS:
+      strong_auth_timeout = base::TimeDelta::FromHours(12);
+      break;
+    case PasswordConfirmation::DAY:
+      strong_auth_timeout = base::TimeDelta::FromDays(1);
+      break;
+    case PasswordConfirmation::WEEK:
+      strong_auth_timeout = base::TimeDelta::FromDays(7);
+      break;
+    default:
+      NOTREACHED();
+      return true;
+  }
+
+  return TimeSinceLastStrongAuth() > strong_auth_timeout;
+}
+
 base::TimeDelta PinStorage::TimeSinceLastStrongAuth() const {
   DCHECK(!last_strong_auth_.is_null());
   return base::Time::Now() - last_strong_auth_;
 }
 
 void PinStorage::AddUnlockAttempt() {
   ++unlock_attempt_count_;
 }
 
 void PinStorage::ResetUnlockAttemptCount() {
@@ skipping 10 matching lines @@
 
   pref_service_->SetString(prefs::kQuickUnlockPinSalt, salt);
   pref_service_->SetString(prefs::kQuickUnlockPinSecret, secret);
 }
 
 void PinStorage::RemovePin() {
   pref_service_->SetString(prefs::kQuickUnlockPinSalt, "");
   pref_service_->SetString(prefs::kQuickUnlockPinSecret, "");
 }
 
+bool PinStorage::IsPinUnlockEnabled() const {

[jdufault, 2016/10/04 17:55:05]

Implement this as part of IsQuickUnlockEnabled(). You may need to pass the
function some additional params.

[sammiequon, 2016/10/18 22:47:49]

Aren't these seperate, like quick unlock could be enabled but pin unlock
disabled and say, pattern unlock enabled.

[jdufault, 2016/10/21 19:03:44]

There's more code than just PinStorage that needs to know if PIN is
enabled/disabled by policy (ie, settings). We can refactor IsQuickUnlockEnabled
down the line to support multiple quick unlock modes when needed.

We already support multiple modes in the private API only because it is
significantly harder to make changes, so we wanted to nail the final design down
immediately.

[sammiequon, 2016/10/21 23:49:24]

Done.

+  const base::ListValue* screen_lock_whitelist =
+      pref_service_->GetList(prefs::kScreenUnlockWhitelist);
+  auto all_value = base::StringValue("all");

[jdufault, 2016/10/04 17:55:05]

Is this how other policy code handles logic like this?

[sammiequon, 2016/10/18 22:47:49]

https://cs.chromium.org/chromium/src/chrome/browser/extensions/api/enterprise...

A couple do.

+  auto pin_value = base::StringValue("pin");
+  return screen_lock_whitelist->Find(all_value) !=
+             screen_lock_whitelist->end() ||
+         screen_lock_whitelist->Find(pin_value) != screen_lock_whitelist->end();
+}
+
 std::string PinStorage::PinSalt() const {
   return pref_service_->GetString(prefs::kQuickUnlockPinSalt);
 }
 
 std::string PinStorage::PinSecret() const {
   return pref_service_->GetString(prefs::kQuickUnlockPinSecret);
 }
 
 bool PinStorage::IsPinAuthenticationAvailable() const {
   const bool exceeded_unlock_attempts =
       unlock_attempt_count() >= kMaximumUnlockAttempts;
-  const bool has_strong_auth =
-      HasStrongAuth() && TimeSinceLastStrongAuth() < kStrongAuthTimeout;
+  const bool has_strong_auth = HasStrongAuth() && !NeedsStrongAuth();
 
-  return IsQuickUnlockEnabled() && IsPinSet() && has_strong_auth &&
-         !exceeded_unlock_attempts;
+  return IsPinUnlockEnabled() && IsQuickUnlockEnabled() && IsPinSet() &&
+         has_strong_auth && !exceeded_unlock_attempts;
 }
 
 bool PinStorage::TryAuthenticatePin(const std::string& pin) {
   if (!IsPinAuthenticationAvailable())
     return false;
 
   AddUnlockAttempt();
   return ComputeSecret(pin, PinSalt()) == PinSecret();
 }
 
 }  // namespace chromeos