| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/proximity_auth/proximity_auth_system.h" | 5 #include "components/proximity_auth/proximity_auth_system.h" |
| 6 | 6 |
| 7 #include "base/sys_info.h" |
| 7 #include "base/threading/thread_task_runner_handle.h" | 8 #include "base/threading/thread_task_runner_handle.h" |
| 8 #include "components/proximity_auth/logging/logging.h" | 9 #include "components/proximity_auth/logging/logging.h" |
| 9 #include "components/proximity_auth/proximity_auth_client.h" | 10 #include "components/proximity_auth/proximity_auth_client.h" |
| 11 #include "components/proximity_auth/proximity_auth_pref_manager.h" |
| 10 #include "components/proximity_auth/remote_device_life_cycle_impl.h" | 12 #include "components/proximity_auth/remote_device_life_cycle_impl.h" |
| 11 #include "components/proximity_auth/unlock_manager_impl.h" | 13 #include "components/proximity_auth/unlock_manager_impl.h" |
| 12 | 14 |
| 13 namespace proximity_auth { | 15 namespace proximity_auth { |
| 14 | 16 |
| 17 namespace { |
| 18 |
| 19 // The maximum number of hours permitted before the user is forced is use their |
| 20 // password to authenticate. |
| 21 const int64_t kPasswordReauthPeriodHours = 20; |
| 22 |
| 23 } // namespace |
| 24 |
| 15 ProximityAuthSystem::ProximityAuthSystem( | 25 ProximityAuthSystem::ProximityAuthSystem( |
| 16 ScreenlockType screenlock_type, | 26 ScreenlockType screenlock_type, |
| 17 ProximityAuthClient* proximity_auth_client) | 27 ProximityAuthClient* proximity_auth_client) |
| 18 : proximity_auth_client_(proximity_auth_client), | 28 : proximity_auth_client_(proximity_auth_client), |
| 19 unlock_manager_( | 29 unlock_manager_( |
| 20 new UnlockManagerImpl(screenlock_type, proximity_auth_client)), | 30 new UnlockManagerImpl(screenlock_type, proximity_auth_client)), |
| 21 suspended_(false), | 31 suspended_(false), |
| 22 started_(false), | 32 started_(false), |
| 23 weak_ptr_factory_(this) {} | 33 weak_ptr_factory_(this) {} |
| 24 | 34 |
| (...skipping 116 matching lines...) |
| 141 } | 151 } |
| 142 } | 152 } |
| 143 | 153 |
| 144 if (remote_devices_map_.find(account_id) == remote_devices_map_.end() || | 154 if (remote_devices_map_.find(account_id) == remote_devices_map_.end() || |
| 145 remote_devices_map_[account_id].size() == 0) { | 155 remote_devices_map_[account_id].size() == 0) { |
| 146 PA_LOG(INFO) << "User " << account_id.Serialize() | 156 PA_LOG(INFO) << "User " << account_id.Serialize() |
| 147 << " does not have a RemoteDevice."; | 157 << " does not have a RemoteDevice."; |
| 148 return; | 158 return; |
| 149 } | 159 } |
| 150 | 160 |
| 161 if (ShouldForcePassword()) { |
| 162 PA_LOG(INFO) << "Forcing password reauth."; |
| 163 proximity_auth_client_->UpdateScreenlockState( |
| 164 ScreenlockState::PASSWORD_REAUTH); |
| 165 return; |
| 166 } |
| 167 |
| 151 // TODO(tengs): We currently assume each user has only one RemoteDevice, so we | 168 // TODO(tengs): We currently assume each user has only one RemoteDevice, so we |
| 152 // can simply take the first item in the list. | 169 // can simply take the first item in the list. |
| 153 cryptauth::RemoteDevice remote_device = remote_devices_map_[account_id][0]; | 170 cryptauth::RemoteDevice remote_device = remote_devices_map_[account_id][0]; |
| 154 if (!suspended_) { | 171 if (!suspended_) { |
| 155 PA_LOG(INFO) << "Creating RemoteDeviceLifeCycle for focused user: " | 172 PA_LOG(INFO) << "Creating RemoteDeviceLifeCycle for focused user: " |
| 156 << account_id.Serialize(); | 173 << account_id.Serialize(); |
| 157 remote_device_life_cycle_ = CreateRemoteDeviceLifeCycle(remote_device); | 174 remote_device_life_cycle_ = CreateRemoteDeviceLifeCycle(remote_device); |
| 158 unlock_manager_->SetRemoteDeviceLifeCycle(remote_device_life_cycle_.get()); | 175 unlock_manager_->SetRemoteDeviceLifeCycle(remote_device_life_cycle_.get()); |
| 159 remote_device_life_cycle_->AddObserver(this); | 176 remote_device_life_cycle_->AddObserver(this); |
| 160 remote_device_life_cycle_->Start(); | 177 remote_device_life_cycle_->Start(); |
| 161 } | 178 } |
| 162 } | 179 } |
| 163 | 180 |
| 181 bool ProximityAuthSystem::ShouldForcePassword() { |
| 182 // TODO(tengs): Revisit this when adding tests. |
| 183 if (!base::SysInfo::IsRunningOnChromeOS()) |
| 184 return false; |
| 185 |
| 186 // TODO(tengs): Put this force password reauth logic behind an enterprise |
| 187 // policy. See crbug.com/724717. |
| 188 ProximityAuthPrefManager pref_manager( |
| 189 proximity_auth_client_->GetPrefService()); |
| 190 int64_t now_ms = base::Time::Now().ToJavaTime(); |
| 191 int64_t last_password_ms = pref_manager.GetLastPasswordEntryTimestampMs(); |
| 192 |
| 193 if (now_ms < last_password_ms) { |
| 194 PA_LOG(ERROR) << "Invalid last password timestamp: now=" << now_ms |
| 195 << ", last_password=" << last_password_ms; |
| 196 return true; |
| 197 } |
| 198 |
| 199 return base::TimeDelta::FromMilliseconds(now_ms - last_password_ms) > |
| 200 base::TimeDelta::FromHours(kPasswordReauthPeriodHours); |
| 201 } |
| 202 |
| 164 } // proximity_auth | 203 } // proximity_auth |
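Review bot: ShouldForcePassword() (new lines 181-201) measures the 20-hour window with `base::Time::Now()`, which is wall-clock time, so a clock that is moved back to any point still later than the stored timestamp lengthens the window instead of reaching the `now_ms < last_password_ms` branch. That branch fails closed, which is the right default; the remaining gap deserves a comment above the final subtraction, for example `// Wall-clock based: a backwards clock change that stays after last_password_ms extends the reauth window.` Within this file the only call is the one added at new line 161, inside a function whose start is outside the visible lines, so a screen that stays locked past the deadline while a life cycle is already running does not appear to be re-evaluated; it is worth confirming whether the resume-from-suspend path should repeat the check. What `GetLastPasswordEntryTimestampMs()` returns when the pref has never been written is not visible here; presumably it is 0, which would force the password, but that should be verified and stated in the comment.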
| OLD | NEW |