Chromad: Add authentication flow

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h"
 
 #include "ash/common/system/chromeos/devicetype_utils.h"
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/guid.h"
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/stl_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_shutdown.h"
 #include "chrome/browser/chromeos/input_method/input_method_util.h"
 #include "chrome/browser/chromeos/language_preferences.h"
+#include "chrome/browser/chromeos/login/helper.h"
 #include "chrome/browser/chromeos/login/screens/network_error.h"
 #include "chrome/browser/chromeos/login/ui/user_adding_screen.h"
 #include "chrome/browser/chromeos/login/users/chrome_user_manager.h"
 #include "chrome/browser/chromeos/net/network_portal_detector_impl.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/io_thread.h"
 #include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
 #include "chrome/browser/ui/webui/signin/signin_utils.h"
 #include "chrome/common/channel_info.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/grit/generated_resources.h"
 #include "chromeos/chromeos_switches.h"
+#include "chromeos/dbus/auth_policy_client.h"
+#include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/login/auth/user_context.h"
 #include "chromeos/settings/cros_settings_names.h"
 #include "chromeos/system/devicetype.h"
 #include "chromeos/system/version_loader.h"
 #include "components/login/localized_values_builder.h"
 #include "components/prefs/pref_service.h"
 #include "components/strings/grit/components_strings.h"
 #include "components/user_manager/known_user.h"
 #include "components/user_manager/user_manager.h"
 #include "components/version_info/version_info.h"
@@ skipping 20 matching lines @@
 // The possible modes that the Gaia signin screen can be in.
 enum GaiaScreenMode {
   // Default Gaia authentication will be used.
   GAIA_SCREEN_MODE_DEFAULT = 0,
 
   // Gaia offline mode will be used.
   GAIA_SCREEN_MODE_OFFLINE = 1,
 
   // An interstitial page will be used before SAML redirection.
   GAIA_SCREEN_MODE_SAML_INTERSTITIAL = 2,
+
+  // Offline UI for Active Directory authentication.
+  GAIA_SCREEN_MODE_AD = 3,
 };
 
+policy::DeviceMode GetDeviceMode() {
+  policy::BrowserPolicyConnectorChromeOS* connector =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos();
+  return connector->GetDeviceMode();
+}
+
 GaiaScreenMode GetGaiaScreenMode(const std::string& email, bool use_offline) {
+  if (GetDeviceMode() == policy::DEVICE_MODE_ENTERPRISE_AD)
+    return GAIA_SCREEN_MODE_AD;
+
   if (use_offline)
     return GAIA_SCREEN_MODE_OFFLINE;
 
   int authentication_behavior = 0;
   CrosSettings::Get()->GetInteger(kLoginAuthenticationBehavior,
                                   &authentication_behavior);
   if (authentication_behavior ==
       em::LoginAuthenticationBehaviorProto::SAML_INTERSTITIAL) {
     if (email.empty())
       return GAIA_SCREEN_MODE_SAML_INTERSTITIAL;
@@ skipping 10 matching lines @@
 
   return GAIA_SCREEN_MODE_DEFAULT;
 }
 
 std::string GetEnterpriseDomain() {
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
   return connector->GetEnterpriseDomain();
 }
 
+std::string GetRealm() {
+  policy::BrowserPolicyConnectorChromeOS* connector =
+      g_browser_process->platform_part()->browser_policy_connector_chromeos();
+  return connector->GetRealm();
+}
+
 std::string GetChromeType() {
   switch (chromeos::GetDeviceType()) {
     case chromeos::DeviceType::kChromebox:
       return "chromebox";
     case chromeos::DeviceType::kChromebase:
       return "chromebase";
     case chromeos::DeviceType::kChromebit:
       return "chromebit";
     case chromeos::DeviceType::kChromebook:
       return "chromebook";
@@ skipping 123 matching lines @@
 
   GaiaScreenMode screen_mode = GetGaiaScreenMode(context.email,
                                                  context.use_offline);
   params.SetInteger("screenMode", screen_mode);
   if (screen_mode != GAIA_SCREEN_MODE_OFFLINE) {
     const std::string app_locale = g_browser_process->GetApplicationLocale();
     if (!app_locale.empty())
       params.SetString("hl", app_locale);
   }
 
+  std::string realm(GetRealm());
+  if (!realm.empty()) {
+    params.SetString("realm", realm);
+  }
+
   std::string enterprise_domain(GetEnterpriseDomain());
   if (!enterprise_domain.empty())
     params.SetString("enterpriseDomain", enterprise_domain);
 
   params.SetString("chromeType", GetChromeType());
   params.SetString("clientId",
                    GaiaUrls::GetInstance()->oauth2_chrome_client_id());
   params.SetString("clientVersion", version_info::GetVersionNumber());
   if (!platform_version.empty())
     params.SetString("platformVersion", platform_version);
@@ skipping 90 matching lines @@
   builder->Add("offlineLoginForgotPasswordDlg",
                IDS_OFFLINE_LOGIN_FORGOT_PASSWORD_DIALOG_TEXT);
   builder->Add("offlineLoginCloseBtn", IDS_OFFLINE_LOGIN_CLOSE_BUTTON_TEXT);
   builder->Add("enterpriseInfoMessage", IDS_LOGIN_DEVICE_MANAGED_BY_NOTICE);
   builder->Add("samlInterstitialMessage",
                 IDS_LOGIN_SAML_INTERSTITIAL_MESSAGE);
   builder->Add("samlInterstitialChangeAccountLink",
                IDS_LOGIN_SAML_INTERSTITIAL_CHANGE_ACCOUNT_LINK_TEXT);
   builder->Add("samlInterstitialNextBtn",
                IDS_LOGIN_SAML_INTERSTITIAL_NEXT_BUTTON_TEXT);
+
+  builder->Add("adAuthWelcomeMessage", IDS_AD_DOMAIN_AUTH_WELCOME_MESSAGE);
+  builder->Add("adLoginUser", IDS_AD_LOGIN_USER);
+  builder->Add("adLoginPassword", IDS_AD_LOGIN_PASSWORD);
 }
 
 void GaiaScreenHandler::Initialize() {
 }
 
 void GaiaScreenHandler::RegisterMessages() {
   AddCallback("webviewLoadAborted",
               &GaiaScreenHandler::HandleWebviewLoadAborted);
   AddCallback("completeLogin", &GaiaScreenHandler::HandleCompleteLogin);
   AddCallback("completeAuthentication",
               &GaiaScreenHandler::HandleCompleteAuthentication);
   AddCallback("completeAuthenticationAuthCodeOnly",
               &GaiaScreenHandler::HandleCompleteAuthenticationAuthCodeOnly);
   AddCallback("usingSAMLAPI", &GaiaScreenHandler::HandleUsingSAMLAPI);
   AddCallback("scrapedPasswordCount",
               &GaiaScreenHandler::HandleScrapedPasswordCount);
   AddCallback("scrapedPasswordVerificationFailed",
               &GaiaScreenHandler::HandleScrapedPasswordVerificationFailed);
   AddCallback("loginWebuiReady", &GaiaScreenHandler::HandleGaiaUIReady);
   AddCallback("toggleEasyBootstrap",
               &GaiaScreenHandler::HandleToggleEasyBootstrap);
   AddCallback("identifierEntered", &GaiaScreenHandler::HandleIdentifierEntered);
   AddCallback("updateOfflineLogin",
               &GaiaScreenHandler::set_offline_login_is_active);
   AddCallback("authExtensionLoaded",
               &GaiaScreenHandler::HandleAuthExtensionLoaded);
+  AddCallback("completeAdAuthentication",
+              &GaiaScreenHandler::HandleCompleteAdAuthentication);
 }
 
 void GaiaScreenHandler::OnPortalDetectionCompleted(
     const NetworkState* network,
     const NetworkPortalDetector::CaptivePortalState& state) {
   VLOG(1) << "OnPortalDetectionCompleted "
           << NetworkPortalDetector::CaptivePortalStatusString(state.status);
 
   const NetworkPortalDetector::CaptivePortalStatus previous_status =
       captive_portal_status_;
@@ skipping 62 matching lines @@
       user_manager::known_user::GetAccountId(authenticated_email, gaia_id);
 
   if (account_id.GetUserEmail() != canonicalized_email) {
     LOG(WARNING) << "Existing user '" << account_id.GetUserEmail()
                  << "' authenticated by alias '" << canonicalized_email << "'.";
   }
 
   return account_id;
 }
 
+void GaiaScreenHandler::HandleAdAuth(const std::string& username,
+                                     const Key& key,
+                                     int code,
+                                     const std::string& uid) {
+  if (code == 0) {
+    AccountId ac_id(GetAccountId(username, uid));

[Alexander Alekseev, 2016/11/24 07:12:40]

Could you add account_type parameter to GetAccountId() call?
(And, probably, down to AccountId constructor).
So that you could have constant account_is here.

[Roman Sorokin (ftl), 2016/11/24 15:22:26]

And change all the usages of known_user::GetAccountId ?

[Alexander Alekseev, 2016/11/25 08:07:07]

Yes, it seems to be a best solution.
Otherwise this is goin to be more error-prone.

I see about 20 calls to GetAccountId:
https://cs-staging.chromium.org/chromium/src/components/user_manager/known_us...


It should not be too difficult to add one more constant parameter to all of
them.

[xiyuan, 2016/11/28 23:43:05]

nit: ac_id -> account_id to make it easier to read

[Roman Sorokin (ftl), 2016/12/02 12:35:12]

Done.

[Roman Sorokin (ftl), 2016/12/02 12:35:12]

Done.

+    ac_id.SetAccountType(AccountId::kAd);
+    UserContext user_context(ac_id);
+    user_context.SetKey(key);
+    user_context.SetAuthFlow(UserContext::AUTH_FLOW_AD);
+    user_context.SetIsUsingOAuth(false);
+    user_context.SetUserType(user_manager::UserType::USER_TYPE_AD);
+    Delegate()->CompleteLogin(user_context);
+  } else {
+    // TODO(rsorokin): Proper error handling.
+    LOG(ERROR) << "Failed to auth " << username << ", code " << code;
+    LoadAuthExtension(true, false /* offline */);
+  }
+}
+
+void GaiaScreenHandler::HandleCompleteAdAuthentication(
+    const std::string& user_name,
+    const std::string& password) {
+  Delegate()->SetDisplayEmail(user_name);
+  set_populated_email(user_name);
+
+  login::GetPipeReadEnd(
+      password,
+      base::Bind(&GaiaScreenHandler::OnPasswordPipeReady,
+                 weak_factory_.GetWeakPtr(), user_name, Key(password)));
+}
+
+void GaiaScreenHandler::OnPasswordPipeReady(const std::string& user_name,
+                                            const Key& key,
+                                            base::ScopedFD password_fd) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  if (!password_fd.is_valid()) {
+    LOG(ERROR) << "Got invalid password_fd";
+    return;
+  }
+  chromeos::AuthPolicyClient* client =
+      chromeos::DBusThreadManager::Get()->GetAuthPolicyClient();
+  client->AuthenticateUser(
+      user_name, password_fd.get(),
+      base::Bind(&GaiaScreenHandler::HandleAdAuth, weak_factory_.GetWeakPtr(),
+                 user_name, key));
+}
+
 void GaiaScreenHandler::HandleCompleteAuthentication(
     const std::string& gaia_id,
     const std::string& email,
     const std::string& password,
     const std::string& auth_code,
     bool using_saml,
     const std::string& gaps_cookie) {
   if (!Delegate())
     return;
 
@@ skipping 362 matching lines @@
 bool GaiaScreenHandler::IsRestrictiveProxy() const {
   return !disable_restrictive_proxy_check_for_test_ &&
          !IsOnline(captive_portal_status_);
 }
 
 void GaiaScreenHandler::DisableRestrictiveProxyCheckForTest() {
   disable_restrictive_proxy_check_for_test_ = true;
 }
 
 }  // namespace chromeos