Lock profile before sign in when force sign in is enabled.

chrome/browser/ui/webui/signin/inline_login_handler_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/webui/signin/inline_login_handler_impl.h"
 
 #include <stddef.h>
 
 #include <string>
 #include <vector>
@@ skipping 216 matching lines @@
 }
 
 void CloseModalSigninIfNeeded(InlineLoginHandlerImpl* handler) {
   if (handler && switches::UsePasswordSeparatedSigninFlow()) {
     Browser* browser = handler->GetDesktopBrowser();
     if (browser)
       browser->CloseModalSigninWindow();
   }
 }
 
+void HideUserManager(const base::FilePath profile_path,

[anthonyvd, 2016/11/04 21:31:02]

This function does a lot more than just closing the User Manager, can it be
renamed to something more descriptive?

[zmin, 2016/11/04 22:11:53]

How about UnlockProfileAndHideLoginUI?

I also removed the last two args as I found that they are useless right bow.

+                     InlineLoginHandlerImpl* handler,
+                     Profile* profile,
+                     Profile::CreateStatus status) {
+  ProfileManager* profile_manager = g_browser_process->profile_manager();
+  if (profile_manager) {
+    ProfileAttributesEntry* entry;
+    if (profile_manager->GetProfileAttributesStorage()
+            .GetProfileAttributesWithPath(profile_path, &entry)) {
+      entry->SetIsSigninRequired(false);
+    }
+  }
+  if (handler)
+    handler->web_ui()->CallJavascriptFunctionUnsafe("inline.login.closeDialog");
+  UserManager::Hide();
+}
+
+bool IsCrossAccountError(Profile* profile,
+                         const std::string& email,
+                         const std::string& gaia_id) {
+  InvestigatorDependencyProvider provider(profile);
+  InvestigatedScenario scenario =
+      SigninInvestigator(email, gaia_id, &provider).Investigate();
+
+  return scenario == InvestigatedScenario::DIFFERENT_ACCOUNT;
+}
+
 }  // namespace
 
 InlineSigninHelper::InlineSigninHelper(
     base::WeakPtr<InlineLoginHandlerImpl> handler,
     net::URLRequestContextGetter* getter,
     Profile* profile,
+    Profile::CreateStatus create_status,
     const GURL& current_url,
     const std::string& email,
     const std::string& gaia_id,
     const std::string& password,
     const std::string& session_index,
     const std::string& auth_code,
     const std::string& signin_scoped_device_id,
     bool choose_what_to_sync,
     bool confirm_untrusted_signin)
     : gaia_auth_fetcher_(this, GaiaConstants::kChromeSource, getter),
       handler_(handler),
       profile_(profile),
+      create_status_(create_status),
       current_url_(current_url),
       email_(email),
       gaia_id_(gaia_id),
       password_(password),
       session_index_(session_index),
       auth_code_(auth_code),
       choose_what_to_sync_(choose_what_to_sync),
       confirm_untrusted_signin_(confirm_untrusted_signin) {
   DCHECK(profile_);
   DCHECK(!email_.empty());
   if (!auth_code_.empty()) {
     gaia_auth_fetcher_.StartAuthCodeForOAuth2TokenExchangeWithDeviceId(
         auth_code, signin_scoped_device_id);
   } else {
     DCHECK(!session_index_.empty());
     gaia_auth_fetcher_.StartCookieForOAuthLoginTokenExchangeWithDeviceId(
         session_index_, signin_scoped_device_id);
   }
 }
 
 InlineSigninHelper::~InlineSigninHelper() {}
 
 void InlineSigninHelper::OnClientOAuthSuccess(const ClientOAuthResult& result) {
+  if (signin::IsForceSigninEnabled()) {
+    // With force sign in enabled, the browser window won't be opened until now.
+    profiles::OpenBrowserWindowForProfile(
+        base::Bind(&InlineSigninHelper::OnClientOAuthSuccessAndBrowserOpened,
+                   base::Unretained(this), result),
+        true, false, profile_, create_status_);
+  } else {
+    OnClientOAuthSuccessAndBrowserOpened(result, profile_, create_status_);
+  }
+}
+
+void InlineSigninHelper::OnClientOAuthSuccessAndBrowserOpened(
+    const ClientOAuthResult& result,
+    Profile* profile,
+    Profile::CreateStatus status) {
+  HideUserManager(profile_->GetPath(), handler_.get(), profile, status);
   content::WebContents* contents = NULL;
   Browser* browser = NULL;
   if (handler_) {
     contents = handler_->web_ui()->GetWebContents();
     browser = handler_->GetDesktopBrowser();
   }
 
   AboutSigninInternals* about_signin_internals =
       AboutSigninInternalsFactory::GetForProfile(profile_);
   about_signin_internals->OnRefreshTokenReceived("Successful");
@@ skipping 86 matching lines @@
   new OneClickSigninSyncStarter(
       profile_, browser, gaia_id_, email_, password_, refresh_token, start_mode,
       contents, confirmation_required, current_url, continue_url,
       base::Bind(&InlineLoginHandlerImpl::SyncStarterCallback, handler_));
 }
 
 bool InlineSigninHelper::HandleCrossAccountError(
     const std::string& refresh_token,
     OneClickSigninSyncStarter::ConfirmationRequired confirmation_required,
     OneClickSigninSyncStarter::StartSyncMode start_mode) {
+  // With force sign in enabled, cross account sign in will be rejected in the
+  // early stage so there is no need to show the warning page here.
+  if (signin::IsForceSigninEnabled())
+    return false;
+
   std::string last_email =
       profile_->GetPrefs()->GetString(prefs::kGoogleServicesLastUsername);
 
-  InvestigatorDependencyProvider provider(profile_);
-  InvestigatedScenario scenario =
-      SigninInvestigator(email_, gaia_id_, &provider).Investigate();
-
   // TODO(skym): Warn for high risk upgrade scenario, crbug.com/572754.
-  if (scenario != InvestigatedScenario::DIFFERENT_ACCOUNT) {
+  if (!IsCrossAccountError(profile_, email_, gaia_id_))
     return false;
-  }
 
   Browser* browser = chrome::FindLastActiveWithProfile(profile_);
   content::WebContents* web_contents =
       browser->tab_strip_model()->GetActiveWebContents();
 
   ConfirmEmailDialogDelegate::AskForConfirmation(
       web_contents,
       last_email,
       email_,
       base::Bind(&InlineSigninHelper::ConfirmEmailAction,
@@ skipping 162 matching lines @@
               gaia::AreEmailsSame(email, profile_email)) {
             if (error_message) {
               error_message->assign(
                   l10n_util::GetStringUTF8(IDS_SYNC_USER_NAME_IN_USE_ERROR));
             }
             return false;
           }
         }
       }
     }
+
+    // With force sign in enabled, cross account sign in is not allowed.
+    if (signin::IsForceSigninEnabled() &&
+        IsCrossAccountError(profile, email, gaia_id)) {
+      if (error_message) {
+        std::string last_email =
+            profile->GetPrefs()->GetString(prefs::kGoogleServicesLastUsername);
+        error_message->assign(l10n_util::GetStringFUTF8(
+            IDS_SYNC_USED_PROFILE_ERROR, base::UTF8ToUTF16(last_email)));
+      }
+      return false;
+    }
   }
 
   return true;
 }
 
 void InlineLoginHandlerImpl::SetExtraInitParams(base::DictionaryValue& params) {
   params.SetString("service", "chromiumsync");
 
   // If this was called from the user manager to reauthenticate the profile,
   // make sure the webui is aware.
@@ skipping 97 matching lines @@
           contents->GetBrowserContext(), signin::GetSigninPartitionURL());
 
   // If this was called from the user manager to reauthenticate the profile,
   // the current profile is the system profile.  In this case, use the email to
   // find the right profile to reauthenticate.  Otherwise the profile can be
   // taken from web_ui().
   Profile* profile = Profile::FromWebUI(web_ui());
   if (IsSystemProfile(profile)) {
     ProfileManager* manager = g_browser_process->profile_manager();
     base::FilePath path = profiles::GetPathOfProfileWithEmail(manager, email);
+    if (path.empty()) {
+      path = UserManager::GetSigninProfilePath();
+    }
     if (!path.empty()) {
       signin_metrics::Reason reason =
           signin::GetSigninReasonForPromoURL(current_url);
       // If we are only reauthenticating a profile in the user manager (and not
       // unlocking it), load the profile and finish the login.
       if (reason == signin_metrics::Reason::REASON_REAUTHENTICATION) {
         FinishCompleteLoginParams params(
             this, partition, current_url, base::FilePath(),
             confirm_untrusted_signin_, email, gaia_id, password, session_index,
             auth_code, choose_what_to_sync);
         ProfileManager::CreateCallback callback =
             base::Bind(&InlineLoginHandlerImpl::FinishCompleteLogin, params);
         profiles::LoadProfileAsync(path, callback);
       } else {
         // Otherwise, switch to the profile and finish the login. Pass the
         // profile path so it can be marked as unlocked. Don't pass a handler
         // pointer since it will be destroyed before the callback runs.
-        FinishCompleteLoginParams params(nullptr, partition, current_url, path,
+        bool is_force_signin_enabled = signin::IsForceSigninEnabled();
+        InlineLoginHandlerImpl* handler = nullptr;
+        if (is_force_signin_enabled)
+          handler = this;
+        FinishCompleteLoginParams params(handler, partition, current_url, path,
                                          confirm_untrusted_signin_, email,
                                          gaia_id, password, session_index,
                                          auth_code, choose_what_to_sync);
         ProfileManager::CreateCallback callback =
             base::Bind(&InlineLoginHandlerImpl::FinishCompleteLogin, params);
-        profiles::SwitchToProfile(path, true, callback,
-                                  ProfileMetrics::SWITCH_PROFILE_UNLOCK);
+        if (is_force_signin_enabled) {
+          // Browser window will be opened after ClientOAuthSuccess.
+          profiles::LoadProfileAsync(path, callback);
+        } else {
+          profiles::SwitchToProfile(path, true, callback,
+                                    ProfileMetrics::SWITCH_PROFILE_UNLOCK);
+        }
       }
     }
   } else {
     FinishCompleteLogin(
         FinishCompleteLoginParams(this, partition, current_url,
                                   base::FilePath(), confirm_untrusted_signin_,
                                   email, gaia_id, password, session_index,
                                   auth_code, choose_what_to_sync),
         profile,
         Profile::CREATE_STATUS_CREATED);
@@ skipping 37 matching lines @@
     Profile::CreateStatus status) {
   // When doing a SAML sign in, this email check may result in a false
   // positive.  This happens when the user types one email address in the
   // gaia sign in page, but signs in to a different account in the SAML sign in
   // page.
   std::string default_email;
   std::string validate_email;
   if (net::GetValueForKeyInQuery(params.url, "email", &default_email) &&
       net::GetValueForKeyInQuery(params.url, "validateEmail",
                                  &validate_email) &&
-      validate_email == "1") {
+      validate_email == "1" && !default_email.empty()) {
     if (!gaia::AreEmailsSame(params.email, default_email)) {
       if (params.handler) {
         params.handler->HandleLoginError(
             l10n_util::GetStringFUTF8(IDS_SYNC_WRONG_EMAIL,
                                       base::UTF8ToUTF16(default_email)),
             base::UTF8ToUTF16(params.email));
       }
       return;
     }
   }
@@ skipping 47 matching lines @@
 
   SigninClient* signin_client =
       ChromeSigninClientFactory::GetForProfile(profile);
   std::string signin_scoped_device_id =
       signin_client->GetSigninScopedDeviceId();
   base::WeakPtr<InlineLoginHandlerImpl> handler_weak_ptr;
   if (params.handler)
     handler_weak_ptr = params.handler->GetWeakPtr();
 
   // InlineSigninHelper will delete itself.
-  new InlineSigninHelper(handler_weak_ptr,
-                         params.partition->GetURLRequestContext(), profile,
-                         params.url,
-                         params.email, params.gaia_id, params.password,
-                         params.session_index, params.auth_code,
-                         signin_scoped_device_id,
-                         params.choose_what_to_sync,
-                         params.confirm_untrusted_signin);
+  new InlineSigninHelper(
+      handler_weak_ptr, params.partition->GetURLRequestContext(), profile,
+      status, params.url, params.email, params.gaia_id, params.password,
+      params.session_index, params.auth_code, signin_scoped_device_id,
+      params.choose_what_to_sync, params.confirm_untrusted_signin);
 
   // If opened from user manager to unlock a profile, make sure the user manager
   // is closed and that the profile is marked as unlocked.
-  if (!params.profile_path.empty()) {
-    UserManager::Hide();
-    ProfileManager* profile_manager = g_browser_process->profile_manager();
-    if (profile_manager) {
-      ProfileAttributesEntry* entry;
-      if (profile_manager->GetProfileAttributesStorage()
-              .GetProfileAttributesWithPath(params.profile_path, &entry)) {
-        entry->SetIsSigninRequired(false);
-      }
-    }
+  if (!params.profile_path.empty() && !signin::IsForceSigninEnabled()) {
+    HideUserManager(params.profile_path, params.handler, profile, status);
   }
-
-  if (params.handler)
-    params.handler->web_ui()->CallJavascriptFunctionUnsafe(
-        "inline.login.closeDialog");
 }
 
 void InlineLoginHandlerImpl::HandleLoginError(const std::string& error_msg,
                                               const base::string16& email) {
   SyncStarterCallback(OneClickSigninSyncStarter::SYNC_SETUP_FAILURE);
   Browser* browser = GetDesktopBrowser();
   Profile* profile = Profile::FromWebUI(web_ui());
 
+  if (IsSystemProfile(profile))
+    profile = g_browser_process->profile_manager()->GetProfileByPath(
+        UserManager::GetSigninProfilePath());
   CloseModalSigninIfNeeded(this);
-  if (browser && !error_msg.empty()) {
+  if (!error_msg.empty()) {
     LoginUIServiceFactory::GetForProfile(profile)->DisplayLoginResult(
         browser, base::UTF8ToUTF16(error_msg), email);
   }
 }
 
 Browser* InlineLoginHandlerImpl::GetDesktopBrowser() {
   Browser* browser = chrome::FindBrowserWithWebContents(
       web_ui()->GetWebContents());
   if (!browser)
     browser = chrome::FindLastActiveWithProfile(Profile::FromWebUI(web_ui()));
@@ skipping 43 matching lines @@
     }
 
     if (show_account_management) {
       browser->window()->ShowAvatarBubbleFromAvatarButton(
           BrowserWindow::AVATAR_BUBBLE_MODE_ACCOUNT_MANAGEMENT,
           signin::ManageAccountsParams(),
           signin_metrics::AccessPoint::ACCESS_POINT_AVATAR_BUBBLE_SIGN_IN);
     }
   }
 }