
Unified Diff: components/proximity_auth/proximity_auth_system.cc

Issue 2902093002: [EasyUnlock] Force user to enter their password after 20 hours. (Closed)
Patch Set: add metric Created 3 years, 7 months ago
Index: components/proximity_auth/proximity_auth_system.cc
diff --git a/components/proximity_auth/proximity_auth_system.cc b/components/proximity_auth/proximity_auth_system.cc
index 3386f14e5123ae06d6bf70001cf14e969924316d..b6ab307888d529c9bca37a1e7c645e570e62fb8a 100644
--- a/components/proximity_auth/proximity_auth_system.cc
+++ b/components/proximity_auth/proximity_auth_system.cc
@@ -4,14 +4,24 @@
#include "components/proximity_auth/proximity_auth_system.h"
+#include "base/sys_info.h"
#include "base/threading/thread_task_runner_handle.h"
#include "components/proximity_auth/logging/logging.h"
#include "components/proximity_auth/proximity_auth_client.h"
+#include "components/proximity_auth/proximity_auth_pref_manager.h"
#include "components/proximity_auth/remote_device_life_cycle_impl.h"
#include "components/proximity_auth/unlock_manager_impl.h"
namespace proximity_auth {
+namespace {
+
+// The maximum number of hours permitted before the user is forced is use their
+// password to authenticate.
+const int64_t kPasswordReauthPeriodHours = 20;
+
+} // namespace
+
ProximityAuthSystem::ProximityAuthSystem(
ScreenlockType screenlock_type,
ProximityAuthClient* proximity_auth_client)
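Review bot: The comment on `kPasswordReauthPeriodHours` has a typo ("is forced is use"); it should read `// The maximum number of hours permitted before the user is forced to use their password to authenticate.` ShouldForcePassword(), added later in this file, uses `base::Time` and `base::TimeDelta`, but this hunk adds no `#include "base/time/time.h"`. It presumably arrives through another header, and including it directly would follow include-what-you-use. The constant could also be declared `constexpr`.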
@@ -148,6 +158,13 @@ void ProximityAuthSystem::OnFocusedUserChanged(const AccountId& account_id) {
return;
}
+ if (ShouldForcePassword()) {
+ PA_LOG(INFO) << "Forcing password reauth.";
+ proximity_auth_client_->UpdateScreenlockState(
+ ScreenlockState::PASSWORD_REAUTH);
+ return;
+ }
+
// TODO(tengs): We currently assume each user has only one RemoteDevice, so we
// can simply take the first item in the list.
cryptauth::RemoteDevice remote_device = remote_devices_map_[account_id][0];
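Review bot: The forced-password check runs only when the focused user changes, so nothing in this hunk re-evaluates it if the 20-hour limit passes while the same user stays focused on the lock screen. If the unlock path does not check again elsewhere (not visible here), consider also calling `ShouldForcePassword()` at the point where an unlock attempt is accepted. The early return skips the remote-device life cycle setup below, which looks intended; a comment such as `// Do not start the life cycle: Smart Lock stays unavailable until the password is entered.` would make that explicit. OnFocusedUserChanged starts before this hunk and continues after it.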
@@ -161,4 +178,26 @@ void ProximityAuthSystem::OnFocusedUserChanged(const AccountId& account_id) {
}
}
+bool ProximityAuthSystem::ShouldForcePassword() {
+ // TODO(tengs): Revisit this when adding tests.
+ if (!base::SysInfo::IsRunningOnChromeOS())
+ return false;
+
+ // TODO(tengs): Put this force password reauth logic behind an enterprise
+ // policy. See crbug.com/724717.
+ ProximityAuthPrefManager pref_manager(
+ proximity_auth_client_->GetPrefService());
+ int64_t now_ms = base::Time::Now().ToJavaTime();
+ int64_t last_password_ms = pref_manager.GetLastPasswordEntryTimestampMs();
+
+ if (now_ms < last_password_ms) {
+ PA_LOG(ERROR) << "Invalid last password timestamp: now=" << now_ms
+ << ", last_password=" << last_password_ms;
+ return true;
+ }
+
+ return base::TimeDelta::FromMilliseconds(now_ms - last_password_ms) >
+ base::TimeDelta::FromHours(kPasswordReauthPeriodHours);
+}
+
} // proximity_auth
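Review bot: ShouldForcePassword() compares wall-clock `base::Time::Now()` against a stored pref, so a clock set back to just after the stored timestamp lengthens the reauth window; only the `now_ms < last_password_ms` case is caught. That branch fails closed, which is the right default, and deserves a comment such as `// Fail closed: a timestamp in the future means the clock or the pref is wrong.` It would also help to document what `GetLastPasswordEntryTimestampMs()` returns when no password entry has been recorded; if that is 0 (not visible here), the function returns true, which is again fail-closed. The non-Chrome OS early return is fail-open and is covered only by the TODO, so the policy is never enforced on those builds.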
