Chromium Code Reviews| Index: chromeos/login/auth/cryptohome_authenticator.cc |
| diff --git a/chromeos/login/auth/cryptohome_authenticator.cc b/chromeos/login/auth/cryptohome_authenticator.cc |
| index 2795b308543933b04e66c6624e493cc2b1cb13b0..e6513f2098569191e28fd20613da1dd052ce2f6f 100644 |
| --- a/chromeos/login/auth/cryptohome_authenticator.cc |
| +++ b/chromeos/login/auth/cryptohome_authenticator.cc |
| @@ -149,7 +149,8 @@ void OnMount(const base::WeakPtr<AuthAttemptState>& attempt, |
| void DoMount(const base::WeakPtr<AuthAttemptState>& attempt, |
| scoped_refptr<CryptohomeAuthenticator> resolver, |
| bool ephemeral, |
| - bool create_if_nonexistent) { |
| + bool create_if_nonexistent, |
| + bool force_dircrypto_if_available) { |
|
xiyuan
2017/04/05 21:15:11
I don't think we need this extra arg. |attempt| ho
fukino
2017/04/06 14:22:17
Done.
I didn't notice that we can use |attempt|.
|
| const Key* key = attempt->user_context.GetKey(); |
| // If the |key| is a plain text password, crash rather than attempting to |
| // mount the cryptohome with a plain text password. |
| @@ -174,6 +175,7 @@ void DoMount(const base::WeakPtr<AuthAttemptState>& attempt, |
| kCryptohomeGAIAKeyLabel, |
| cryptohome::PRIV_DEFAULT)); |
| } |
| + mount.force_dircrypto_if_available = force_dircrypto_if_available; |
| cryptohome::HomedirMethods::GetInstance()->MountEx( |
| cryptohome::Identification(attempt->user_context.GetAccountId()), |
| @@ -186,6 +188,7 @@ void OnCryptohomeRenamed(const base::WeakPtr<AuthAttemptState>& attempt, |
| scoped_refptr<CryptohomeAuthenticator> resolver, |
| bool ephemeral, |
| bool create_if_nonexistent, |
| + bool force_dircrypto_if_available, |
| bool success, |
| cryptohome::MountError return_code) { |
| chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker( |
| @@ -202,7 +205,8 @@ void OnCryptohomeRenamed(const base::WeakPtr<AuthAttemptState>& attempt, |
| // Proceed to DoMount. |
| UMACryptohomeMigrationToGaiaId(CryptohomeMigrationToGaiaId::FAILURE); |
| } |
| - DoMount(attempt, resolver, ephemeral, create_if_nonexistent); |
| + DoMount(attempt, resolver, ephemeral, create_if_nonexistent, |
| + force_dircrypto_if_available); |
| } |
| // This method migrates cryptohome identifier to gaia id (if needed), |
| @@ -211,7 +215,8 @@ void EnsureCryptohomeMigratedToGaiaId( |
| const base::WeakPtr<AuthAttemptState>& attempt, |
| scoped_refptr<CryptohomeAuthenticator> resolver, |
| bool ephemeral, |
| - bool create_if_nonexistent) { |
| + bool create_if_nonexistent, |
| + bool force_dircrypto_if_available) { |
| if (attempt->user_context.GetAccountId().GetAccountType() == |
| AccountType::ACTIVE_DIRECTORY) { |
| cryptohome::SetGaiaIdMigrationStatusDone( |
| @@ -220,7 +225,8 @@ void EnsureCryptohomeMigratedToGaiaId( |
| const bool is_gaiaid_migration_started = switches::IsGaiaIdMigrationStarted(); |
| if (!is_gaiaid_migration_started) { |
| UMACryptohomeMigrationToGaiaId(CryptohomeMigrationToGaiaId::NOT_STARTED); |
| - DoMount(attempt, resolver, ephemeral, create_if_nonexistent); |
| + DoMount(attempt, resolver, ephemeral, create_if_nonexistent, |
| + force_dircrypto_if_available); |
| return; |
| } |
| const bool already_migrated = cryptohome::GetGaiaIdMigrationStatus( |
| @@ -250,7 +256,7 @@ void EnsureCryptohomeMigratedToGaiaId( |
| cryptohome::Identification::FromString(cryptohome_id_from), |
| cryptohome::Identification::FromString(cryptohome_id_to), |
| base::Bind(&OnCryptohomeRenamed, attempt, resolver, ephemeral, |
| - create_if_nonexistent)); |
| + create_if_nonexistent, force_dircrypto_if_available)); |
| return; |
| } |
| if (!already_migrated && has_account_key) { |
| @@ -263,7 +269,8 @@ void EnsureCryptohomeMigratedToGaiaId( |
| CryptohomeMigrationToGaiaId::ALREADY_MIGRATED); |
| } |
| - DoMount(attempt, resolver, ephemeral, create_if_nonexistent); |
| + DoMount(attempt, resolver, ephemeral, create_if_nonexistent, |
| + force_dircrypto_if_available); |
| } |
| // Callback invoked when the system salt has been retrieved. Transforms the key |
| @@ -273,6 +280,7 @@ void OnGetSystemSalt(const base::WeakPtr<AuthAttemptState>& attempt, |
| scoped_refptr<CryptohomeAuthenticator> resolver, |
| bool ephemeral, |
| bool create_if_nonexistent, |
| + bool force_dircrypto_if_available, |
| const std::string& system_salt) { |
| DCHECK_EQ(Key::KEY_TYPE_PASSWORD_PLAIN, |
| attempt->user_context.GetKey()->GetKeyType()); |
| @@ -282,7 +290,8 @@ void OnGetSystemSalt(const base::WeakPtr<AuthAttemptState>& attempt, |
| system_salt); |
| EnsureCryptohomeMigratedToGaiaId(attempt, resolver, ephemeral, |
| - create_if_nonexistent); |
| + create_if_nonexistent, |
| + force_dircrypto_if_available); |
| } |
| // Callback invoked when cryptohome's GetKeyDataEx() method has finished. |
| @@ -298,6 +307,7 @@ void OnGetKeyDataEx( |
| scoped_refptr<CryptohomeAuthenticator> resolver, |
| bool ephemeral, |
| bool create_if_nonexistent, |
| + bool force_dircrypto_if_available, |
| bool success, |
| cryptohome::MountError return_code, |
| const std::vector<cryptohome::KeyDefinition>& key_definitions) { |
| @@ -342,7 +352,8 @@ void OnGetKeyDataEx( |
| static_cast<Key::KeyType>(*type), |
| *salt); |
| EnsureCryptohomeMigratedToGaiaId(attempt, resolver, ephemeral, |
| - create_if_nonexistent); |
| + create_if_nonexistent, |
| + force_dircrypto_if_available); |
| return; |
| } |
| } else { |
| @@ -351,11 +362,9 @@ void OnGetKeyDataEx( |
| } |
| } |
| - SystemSaltGetter::Get()->GetSystemSalt(base::Bind(&OnGetSystemSalt, |
| - attempt, |
| - resolver, |
| - ephemeral, |
| - create_if_nonexistent)); |
| + SystemSaltGetter::Get()->GetSystemSalt( |
| + base::Bind(&OnGetSystemSalt, attempt, resolver, ephemeral, |
| + create_if_nonexistent, force_dircrypto_if_available)); |
| } |
| // Starts the process that will mount a user's cryptohome. |
| @@ -369,21 +378,24 @@ void OnGetKeyDataEx( |
| void StartMount(const base::WeakPtr<AuthAttemptState>& attempt, |
| scoped_refptr<CryptohomeAuthenticator> resolver, |
| bool ephemeral, |
| - bool create_if_nonexistent) { |
| + bool create_if_nonexistent, |
| + bool force_dircrypto_if_available) { |
| chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker( |
| "CryptohomeMount-Start", false); |
| if (attempt->user_context.GetKey()->GetKeyType() != |
| Key::KEY_TYPE_PASSWORD_PLAIN) { |
| EnsureCryptohomeMigratedToGaiaId(attempt, resolver, ephemeral, |
| - create_if_nonexistent); |
| + create_if_nonexistent, |
| + force_dircrypto_if_available); |
| return; |
| } |
| cryptohome::HomedirMethods::GetInstance()->GetKeyDataEx( |
| cryptohome::Identification(attempt->user_context.GetAccountId()), |
| - kCryptohomeGAIAKeyLabel, base::Bind(&OnGetKeyDataEx, attempt, resolver, |
| - ephemeral, create_if_nonexistent)); |
| + kCryptohomeGAIAKeyLabel, |
| + base::Bind(&OnGetKeyDataEx, attempt, resolver, ephemeral, |
| + create_if_nonexistent, force_dircrypto_if_available)); |
| } |
| // Calls cryptohome's mount method for guest and also get the user hash from |
| @@ -501,7 +513,8 @@ void CryptohomeAuthenticator::AuthenticateToLogin( |
| StartMount(current_state_->AsWeakPtr(), |
| scoped_refptr<CryptohomeAuthenticator>(this), |
| - false /* ephemeral */, false /* create_if_nonexistent */); |
| + false /* ephemeral */, false /* create_if_nonexistent */, |
| + user_context.IsForcingDircrypto()); |
| } |
| void CryptohomeAuthenticator::CompleteLogin(content::BrowserContext* context, |
| @@ -520,7 +533,8 @@ void CryptohomeAuthenticator::CompleteLogin(content::BrowserContext* context, |
| StartMount(current_state_->AsWeakPtr(), |
| scoped_refptr<CryptohomeAuthenticator>(this), |
| - false /* ephemeral */, false /* create_if_nonexistent */); |
| + false /* ephemeral */, false /* create_if_nonexistent */, |
| + user_context.IsForcingDircrypto()); |
| // For login completion from extension, we just need to resolve the current |
| // auth attempt state, the rest of OAuth related tasks will be done in |
| @@ -557,7 +571,8 @@ void CryptohomeAuthenticator::LoginAsSupervisedUser( |
| remove_user_data_on_failure_ = false; |
| StartMount(current_state_->AsWeakPtr(), |
| scoped_refptr<CryptohomeAuthenticator>(this), |
| - false /* ephemeral */, false /* create_if_nonexistent */); |
| + false /* ephemeral */, false /* create_if_nonexistent */, |
| + user_context.IsForcingDircrypto()); |
| } |
| void CryptohomeAuthenticator::LoginOffTheRecord() { |
| @@ -588,7 +603,8 @@ void CryptohomeAuthenticator::LoginAsPublicSession( |
| ephemeral_mount_attempted_ = true; |
| StartMount(current_state_->AsWeakPtr(), |
| scoped_refptr<CryptohomeAuthenticator>(this), true /* ephemeral */, |
| - true /* create_if_nonexistent */); |
| + true /* create_if_nonexistent */, |
| + user_context.IsForcingDircrypto()); |
|
fukino
2017/04/05 15:59:56
If the cryptohome is ephemeral, IsForcingDircrypto
xiyuan
2017/04/05 21:15:11
IMHO, not making much sense to force dircrypto for
fukino
2017/04/06 14:22:17
I updated the code to use the UserContext in AuthA
|
| } |
| void CryptohomeAuthenticator::LoginAsKioskAccount( |
| @@ -800,7 +816,8 @@ void CryptohomeAuthenticator::Resolve() { |
| current_state_->ResetCryptohomeStatus(); |
| StartMount(current_state_->AsWeakPtr(), |
| scoped_refptr<CryptohomeAuthenticator>(this), |
| - false /*ephemeral*/, create_if_nonexistent); |
| + false /*ephemeral*/, create_if_nonexistent, |
| + false /*force_dircrypto_if_available*/); |
| break; |
| case NEED_OLD_PW: |
| task_runner_->PostTask( |
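Review bot: In the `Resolve()` hunk the re-issued `StartMount` call hard-codes `false /*force_dircrypto_if_available*/`, while `AuthenticateToLogin`, `CompleteLogin`, `LoginAsSupervisedUser` and `LoginAsPublicSession` all pass `user_context.IsForcingDircrypto()`. On that path `mount.force_dircrypto_if_available` in `DoMount` is therefore always false, so a mount retried from `Resolve()` presumably no longer enforces the encryption requirement the original login attempt asked for. If dropping the flag is intended for this state, say so in a comment at the call site; otherwise carry the stored value through, e.g. `current_state_->user_context.IsForcingDircrypto()`, assuming `current_state_` exposes the same `user_context` that `attempt->user_context` reads in `DoMount`. The enclosing `case` label and the rest of `Resolve()` lie outside the hunk, so which auth state reaches this call is not visible here.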