Implemented profile-aware owner key loading.

chrome/browser/chromeos/settings/device_settings_service.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/settings/device_settings_service.h"
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop/message_loop.h"
 #include "base/stl_util.h"
 #include "base/time/time.h"
 #include "chrome/browser/chrome_notification_types.h"
+#include "chrome/browser/chrome_notification_types.h"
+#include "chrome/browser/chromeos/login/user.h"
+#include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/settings/owner_key_util.h"
 #include "chrome/browser/chromeos/settings/session_manager_operation.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_source.h"
 #include "crypto/rsa_private_key.h"
 
 namespace em = enterprise_management;
@@ skipping 52 matching lines @@
     : session_manager_client_(NULL),
       store_status_(STORE_SUCCESS),
       waiting_for_tpm_token_(true),
       owner_key_loaded_with_tpm_token_(false),
       load_retries_left_(kMaxLoadRetries),
       weak_factory_(this) {
   if (TPMTokenLoader::IsInitialized()) {
     waiting_for_tpm_token_ = !TPMTokenLoader::Get()->IsTPMTokenReady();
     TPMTokenLoader::Get()->AddObserver(this);
   }
+  registrar_.Add(this,
+                 chrome::NOTIFICATION_PROFILE_ADDED,
+                 content::NotificationService::AllSources());
 }
 
 DeviceSettingsService::~DeviceSettingsService() {
   DCHECK(pending_operations_.empty());
   if (TPMTokenLoader::IsInitialized())
     TPMTokenLoader::Get()->RemoveObserver(this);
 }
 
 void DeviceSettingsService::SetSessionManager(
     SessionManagerClient* session_manager_client,
@@ skipping 177 matching lines @@
 }
 
 void DeviceSettingsService::OnTPMTokenReady() {
   waiting_for_tpm_token_ = false;
 
   // TPMTokenLoader initializes the TPM and NSS database which is necessary to
   // determine ownership. Force a reload once we know these are initialized.
   EnsureReload(true);
 }
 
+void DeviceSettingsService::Observe(
+    int type,
+    const content::NotificationSource& source,
+    const content::NotificationDetails& details) {
+  if (type != chrome::NOTIFICATION_PROFILE_ADDED) {
+    NOTREACHED();
+    return;
+  }
+  Profile* profile = content::Source<Profile>(source).ptr();

[Mattias Nissler (ping if slow), 2014/05/12 08:26:43]

chrome/browser/chromeos/settings deliberately doesn't know or bother about
Profiles and Users. Note that a lot of code directly or indirectly depends on
DeviceSettingsService, adding a dependency to Profile here essentially creates a
dependency cycle, which I'd like to avoid.

AFAICT, you're adding all this code here in order to retrieve the NSS slot
reference. Can we instead just pass this in, similar as is already done for the
username via SetUsername()?

[ygorshenin1, 2014/05/12 08:35:43]

You mean to directly pass NSS slot instead of username, right?

On 2014/05/12 08:26:43, Mattias Nissler wrote:

[Mattias Nissler (ping if slow), 2014/05/12 08:40:31]

Yes, my idea was indeed to pass the NSS slot reference to use. We'll still need
the user name, so we'd probably rename the function to InitOwner (or somesuch)
and then pass both the user name and the NSS slot reference.

An alternative solution could be to break the entire write path out of
DeviceSettingsService, i.e. move out SignAndStore() into a Profile-dependent
service and have that service produce and sign the policy blob itself and then
call Store(). Thinking of it, hadn't we arrived on that solution on some bug
discussion or something?

[ygorshenin1, 2014/05/12 08:56:54]

SignAndStore() is implicitly called from DeviceSettingsProvider::DoSet(). So we
need to make all CrosSettingsProviders BCKS. I'd prefer to do that in a separate
CL, as it requires a lot of changes.

[ygorshenin1, 2014/05/13 09:46:13]

All User/Profile-related things are extracted into OwnerKeyReloader.

On 2014/05/12 08:56:54, ygorshenin1 wrote:

+  if (!profile || !UserManager::IsInitialized())
+    return;
+  const User* user = UserManager::Get()->GetUserByProfile(profile);
+  if (user && user->email() == username_ && user->is_logged_in()) {
+    owner_key_ = NULL;
+    EnsureReload(true);
+  }
+}
+
 void DeviceSettingsService::Enqueue(SessionManagerOperation* operation) {
   pending_operations_.push_back(operation);
   if (pending_operations_.front() == operation)
     StartNextOperation();
 }
 
 void DeviceSettingsService::EnqueueLoad(bool force_key_load) {
   SessionManagerOperation* operation =
       new LoadSettingsOperation(
           base::Bind(&DeviceSettingsService::HandleCompletedOperation,
                      weak_factory_.GetWeakPtr(),
                      base::Closure()));
   operation->set_force_key_load(force_key_load);
+  operation->set_username(username_);
   Enqueue(operation);
 }
 
 void DeviceSettingsService::EnsureReload(bool force_key_load) {
-  if (!pending_operations_.empty())
+  if (!pending_operations_.empty()) {
+    pending_operations_.front()->set_username(username_);
     pending_operations_.front()->RestartLoad(force_key_load);
-  else
+  } else {
     EnqueueLoad(force_key_load);
+  }
 }
 
 void DeviceSettingsService::StartNextOperation() {
   if (!pending_operations_.empty() &&
       session_manager_client_ &&
       owner_key_util_.get()) {
     pending_operations_.front()->Start(session_manager_client_,
                                        owner_key_util_, owner_key_);
   }
 }
@@ skipping 161 matching lines @@
   DeviceSettingsService::Initialize();
 }
 
 ScopedTestDeviceSettingsService::~ScopedTestDeviceSettingsService() {
   // Clean pending operations.
   DeviceSettingsService::Get()->UnsetSessionManager();
   DeviceSettingsService::Shutdown();
 }
 
 }  // namespace chromeos