Chromad: Create AuthPolicyCredentialsManager

chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.cc

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/authpolicy/auth_policy_credentials_manager.h"
+
+#include "base/location.h"
+#include "base/memory/singleton.h"
+#include "base/strings/utf_string_conversions.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/lifetime/application_lifetime.h"
+#include "chrome/browser/notifications/notification.h"
+#include "chrome/browser/notifications/notification_delegate.h"
+#include "chrome/browser/notifications/notification_ui_manager.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/grit/chromium_strings.h"
+#include "chrome/grit/generated_resources.h"
+#include "chrome/grit/theme_resources.h"
+#include "chromeos/dbus/auth_policy_client.h"
+#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/network/network_handler.h"
+#include "chromeos/network/network_state.h"
+#include "chromeos/network/network_state_handler.h"
+#include "components/keyed_service/content/browser_context_dependency_manager.h"
+#include "content/public/browser/browser_thread.h"
+#include "ui/base/l10n/l10n_util.h"
+#include "ui/base/resource/resource_bundle.h"
+
+namespace {
+
+const base::TimeDelta kGetUserStatusCallsInterval =
+    base::TimeDelta::FromHours(1);
+const char kProfileSigninNotificationId[] = "chrome://settings/signin/";
+
+// A notification delegate for the sign-out button.
+class SigninNotificationDelegate : public NotificationDelegate {
+ public:
+  explicit SigninNotificationDelegate(const std::string& id);
+
+  // NotificationDelegate:
+  void Click() override;
+  void ButtonClick(int button_index) override;
+  std::string id() const override;
+
+ protected:
+  ~SigninNotificationDelegate() override;
+
+ private:
+  void FixSignIn();

[ljusten (tachyonic), 2017/05/03 10:12:17]

Comment? From the class definition, shouldn't it be called TryLogOut or
something like that?

[Roman Sorokin (ftl), 2017/05/19 12:13:47]

Done.

[ljusten (tachyonic), 2017/05/19 16:06:13]

β

[Roman Sorokin (ftl), 2017/05/22 12:35:27]

wat?

[ljusten (tachyonic), 2017/05/22 14:27:49]

beta = better (at least if you pronounce it like a German)

+
+  // Unique id of the notification.
+  const std::string id_;
+
+  DISALLOW_COPY_AND_ASSIGN(SigninNotificationDelegate);
+};
+
+SigninNotificationDelegate::SigninNotificationDelegate(const std::string& id)
+    : id_(id) {}
+
+SigninNotificationDelegate::~SigninNotificationDelegate() {}
+
+void SigninNotificationDelegate::Click() {
+  FixSignIn();
+}
+
+void SigninNotificationDelegate::ButtonClick(int button_index) {
+  FixSignIn();
+}
+
+std::string SigninNotificationDelegate::id() const {
+  return id_;
+}
+
+void SigninNotificationDelegate::FixSignIn() {
+  chrome::AttemptUserExit();
+}
+}  // namespace
+
+AuthPolicyCredentialsManager::AuthPolicyCredentialsManager(Profile* profile)
+    : profile_(profile), weak_factory_(this) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  StartObserveNetwork();
+  const user_manager::User* user =
+      chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
+  CHECK(user && user->IsActiveDirectoryUser());
+  account_id_ = user->GetAccountId();
+  GetUserStatus();
+}
+
+AuthPolicyCredentialsManager::~AuthPolicyCredentialsManager() {}
+
+void AuthPolicyCredentialsManager::Shutdown() {
+  StopObserveNetwork();

[ljusten (tachyonic), 2017/05/03 10:12:17]

Cancel scheduled_get_user_status_call_? Note that it keeps a plain pointer to
AuthPolicyCredentialsManager and the destructor doesn't cancel it afaik.

[Roman Sorokin (ftl), 2017/05/19 12:13:48]

It does.

[ljusten (tachyonic), 2017/05/19 16:06:13]

Nm, it actually is cancelled.

[Roman Sorokin (ftl), 2017/05/22 12:35:27]

Acknowledged.

+}
+
+void AuthPolicyCredentialsManager::DefaultNetworkChanged(
+    const chromeos::NetworkState* network) {
+  CallGetStatusIfConnected(network);
+}
+
+void AuthPolicyCredentialsManager::NetworkConnectionStateChanged(
+    const chromeos::NetworkState* network) {
+  CallGetStatusIfConnected(network);
+}
+
+void AuthPolicyCredentialsManager::OnShuttingDown() {
+  StopObserveNetwork();
+}
+
+void AuthPolicyCredentialsManager::GetUserStatus() {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  should_call_get_status_again_ = false;
+  chromeos::DBusThreadManager::Get()->GetAuthPolicyClient()->GetUserStatus(
+      account_id_.GetObjGuid(),
+      base::BindOnce(&AuthPolicyCredentialsManager::OnGetUserStatusCallback,
+                     weak_factory_.GetWeakPtr()));
+}
+
+void AuthPolicyCredentialsManager::OnGetUserStatusCallback(
+    authpolicy::ErrorType error,
+    const authpolicy::ActiveDirectoryUserStatus& user_status) {
+  last_error_ = error;
+  if (error != authpolicy::ERROR_NONE) {
+    DCHECK(error == authpolicy::ERROR_CONTACTING_KDC_FAILED);

[ljusten (tachyonic), 2017/05/03 10:12:16]

Suggest remove. This is dangerous. Even though ERROR_CONTACTING_KDC_FAILED is
most likely, there could be other errors, too, e.g. when the machine gets
removed from the server, you'll probably get ERROR_BAD_MACHINE_NAME.

[Roman Sorokin (ftl), 2017/05/19 12:13:48]

Done.

+    DLOG(ERROR) << "GetUserStatus failed with " << error;
+    return;
+  }
+  CHECK(user_status.account_info().account_id() == account_id_.GetObjGuid());
+  if (user_status.has_account_info())
+    UpdateDisplayAndGivenName(user_status.account_info());
+
+  if (should_call_get_status_again_) {
+    GetUserStatus();

[ljusten (tachyonic), 2017/05/03 10:12:16]

Why do you update names if should_call_get_status_again_, but not notifications?

[Roman Sorokin (ftl), 2017/05/19 12:13:47]

We don't want to spam notifications. Updating names is non-disruptive for the
user. Also could be the case when we won't get names on the next call because of
some error.

[ljusten (tachyonic), 2017/05/19 16:06:13]

But then the next call could fail and the user would never be notified. How
about you only ever show the notification once per session?

[Roman Sorokin (ftl), 2017/05/22 12:35:27]

Yeah, it's a good idea

+    return;
+  }
+
+  ScheduleGetUserStatus();
+
+  if (user_status.has_password_status()) {

[ljusten (tachyonic), 2017/05/19 16:06:13]

DCHECK instead. It should always be present.

[Roman Sorokin (ftl), 2017/05/22 12:35:27]

Done.

+    switch (user_status.password_status()) {
+      case authpolicy::ActiveDirectoryUserStatus::PASSWORD_VALID:
+        // do nothing
+        break;
+      case authpolicy::ActiveDirectoryUserStatus::PASSWORD_EXPIRED:
+        ShowNotification(IDS_ACTIVE_DIRECTORY_PASSWORD_EXPIRED);
+        return;
+      case authpolicy::ActiveDirectoryUserStatus::PASSWORD_CHANGED:
+        ShowNotification(IDS_ACTIVE_DIRECTORY_PASSWORD_CHANGED);
+        return;
+    }
+  }
+
+  if (user_status.has_tgt_status()) {

[ljusten (tachyonic), 2017/05/19 16:06:13]

DCHECK instead. It should always be present.

[Roman Sorokin (ftl), 2017/05/22 12:35:27]

Done.

+    switch (user_status.tgt_status()) {
+      case authpolicy::ActiveDirectoryUserStatus::TGT_VALID:
+        // do nothing
+        break;
+      case authpolicy::ActiveDirectoryUserStatus::TGT_EXPIRED:
+      case authpolicy::ActiveDirectoryUserStatus::TGT_NOT_FOUND:
+        ShowNotification(IDS_ACTIVE_DIRECTORY_REFRESH_AUTH_TOKEN);
+        return;
+    }
+  }
+  // Everything is ok.
+  user_manager::UserManager::Get()->SaveForceOnlineSignin(account_id_, false);
+}
+
+void AuthPolicyCredentialsManager::ScheduleGetUserStatus() {
+  scheduled_get_user_status_call_.Reset(base::Bind(
+      &AuthPolicyCredentialsManager::GetUserStatus, base::Unretained(this)));
+  base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
+      FROM_HERE, scheduled_get_user_status_call_.callback(),
+      kGetUserStatusCallsInterval);
+}
+
+void AuthPolicyCredentialsManager::StartObserveNetwork() {
+  if (chromeos::NetworkHandler::IsInitialized())

[ljusten (tachyonic), 2017/05/03 10:12:16]

Since this can fail, return bool? Or DCHECK?

[Roman Sorokin (ftl), 2017/05/19 12:13:46]

Done.

+    chromeos::NetworkHandler::Get()->network_state_handler()->AddObserver(
+        this, FROM_HERE);
+}
+
+void AuthPolicyCredentialsManager::StopObserveNetwork() {
+  if (chromeos::NetworkHandler::IsInitialized())

[ljusten (tachyonic), 2017/05/03 10:12:16]

Since this can fail, return bool? Or DCHECK?

[Roman Sorokin (ftl), 2017/05/19 12:13:46]

Done.

+    chromeos::NetworkHandler::Get()->network_state_handler()->RemoveObserver(
+        this, FROM_HERE);
+}
+
+void AuthPolicyCredentialsManager::UpdateDisplayAndGivenName(
+    const authpolicy::ActiveDirectoryAccountInfo& account_info) {
+  if (display_name_ == account_info.display_name() &&
+      given_name_ == account_info.given_name()) {
+    return;
+  }
+  display_name_ = account_info.display_name();
+  given_name_ = account_info.given_name();
+  user_manager::UserManager::Get()->UpdateUserAccountData(
+      account_id_,
+      user_manager::UserManager::UserAccountData(
+          base::UTF8ToUTF16(display_name_), base::UTF8ToUTF16(given_name_),
+          std::string() /* locale */));
+}
+
+void AuthPolicyCredentialsManager::ShowNotification(int message_id) const {
+  user_manager::UserManager::Get()->SaveForceOnlineSignin(account_id_, true);
+
+  message_center::RichNotificationData data;
+  data.buttons.push_back(message_center::ButtonInfo(
+      l10n_util::GetStringUTF16(IDS_SYNC_RELOGIN_LINK_LABEL)));
+
+  std::string notification_id =

[ljusten (tachyonic), 2017/05/03 10:12:17]

const

[Roman Sorokin (ftl), 2017/05/19 12:13:48]

Done.

+      kProfileSigninNotificationId + profile_->GetProfileUserName();
+  // Set the delegate for the notification's sign-out button.
+  SigninNotificationDelegate* delegate =
+      new SigninNotificationDelegate(notification_id);
+
+  message_center::NotifierId notifier_id(

[ljusten (tachyonic), 2017/05/03 10:12:16]

const

[Roman Sorokin (ftl), 2017/05/19 12:13:47]

Nope

[ljusten (tachyonic), 2017/05/19 16:06:13]

Acknowledged.

[Roman Sorokin (ftl), 2017/05/22 12:35:27]

Acknowledged.

+      message_center::NotifierId::SYSTEM_COMPONENT,
+      kProfileSigninNotificationId);
+
+  // Set |profile_id| for multi-user notification blocker.
+  notifier_id.profile_id = profile_->GetProfileUserName();
+
+  Notification notification(
+      message_center::NOTIFICATION_TYPE_SIMPLE,
+      l10n_util::GetStringUTF16(IDS_SIGNIN_ERROR_BUBBLE_VIEW_TITLE),
+      l10n_util::GetStringUTF16(message_id),
+      ui::ResourceBundle::GetSharedInstance().GetImageNamed(
+          IDR_NOTIFICATION_ALERT),
+      notifier_id,
+      base::string16(),  // display_source
+      GURL(notification_id), notification_id, data, delegate);
+  notification.SetSystemPriority();
+
+  NotificationUIManager* notification_ui_manager =
+      g_browser_process->notification_ui_manager();
+  // Update or add the notification.
+  if (notification_ui_manager->FindById(
+          notification_id, NotificationUIManager::GetProfileID(profile_)))
+    notification_ui_manager->Update(notification, profile_);
+  else
+    notification_ui_manager->Add(notification, profile_);
+}
+
+void AuthPolicyCredentialsManager::CallGetStatusIfConnected(
+    const chromeos::NetworkState* network) {
+  if (last_error_ != authpolicy::ERROR_NONE)

[ljusten (tachyonic), 2017/05/19 16:06:13]

Modify as discussed offline to handle the following race condition:
1) last_error is none, GetUserStatus() is run
2) Network disconnects
3) Network reconnects (since error is none, should_call_get_status_again_ is set
to false)
4) GetUserStatus() call returns, failed because of network outage
--> No new GetUserStatus() call is scheduled even though network came back
online.

[Roman Sorokin (ftl), 2017/05/22 12:35:27]

Done.

+    return;
+  if (!network || !network->IsConnectedState())
+    return;
+  if (weak_factory_.HasWeakPtrs()) {
+    // Another call is in progress.
+    should_call_get_status_again_ = true;
+    return;
+  }
+  GetUserStatus();
+}
+
+// static
+AuthPolicyCredentialsManagerFactory*
+AuthPolicyCredentialsManagerFactory::GetInstance() {
+  return base::Singleton<AuthPolicyCredentialsManagerFactory>::get();
+}
+
+// static
+void AuthPolicyCredentialsManagerFactory::BuildForProfileIfActiveDirectory(
+    Profile* profile) {
+  const user_manager::User* user =
+      chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
+  if (!user || !user->IsActiveDirectoryUser())
+    return;
+  GetInstance()->GetServiceForBrowserContext(profile, true /* create */);
+}
+
+AuthPolicyCredentialsManagerFactory::AuthPolicyCredentialsManagerFactory()
+    : BrowserContextKeyedServiceFactory(
+          "AuthPolicyCredentialsManager",
+          BrowserContextDependencyManager::GetInstance()) {}
+
+AuthPolicyCredentialsManagerFactory::~AuthPolicyCredentialsManagerFactory() {}
+
+KeyedService* AuthPolicyCredentialsManagerFactory::BuildServiceInstanceFor(

[ljusten (tachyonic), 2017/05/03 10:12:16]

Unused?

[Roman Sorokin (ftl), 2017/05/19 12:13:46]

This is the factory method.

+    content::BrowserContext* context) const {
+  Profile* profile = Profile::FromBrowserContext(context);
+  return new AuthPolicyCredentialsManager(profile);
+}