OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ |
6 #define CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ | 6 #define CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
11 #include "base/callback.h" | 11 #include "base/callback.h" |
12 #include "base/compiler_specific.h" | 12 #include "base/compiler_specific.h" |
13 #include "base/memory/ref_counted.h" | 13 #include "base/memory/ref_counted.h" |
14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
15 #include "chromeos/cryptohome/cryptohome_parameters.h" | 15 #include "chromeos/cryptohome/cryptohome_parameters.h" |
16 #include "third_party/cros_system_api/dbus/service_constants.h" | 16 #include "third_party/cros_system_api/dbus/service_constants.h" |
17 | 17 |
18 namespace chromeos { | 18 namespace chromeos { |
19 | 19 |
20 class LoginStatusConsumer; | 20 class LoginStatusConsumer; |
21 class UserContext; | 21 class UserContext; |
22 | 22 |
23 // Interaction with cryptohome : mounting home dirs, create new home dirs, | 23 // Interaction with cryptohomed: mount home dirs, create new home dirs, update |
24 // udpate passwords. | 24 // passwords. |
25 // | 25 // |
26 // Typical flow: | 26 // Typical flow: |
27 // AuthenticateToMount() calls a Cryptohome to perform offline login, | 27 // AuthenticateToMount() calls cryptohomed to perform offline login, |
28 // AuthenticateToCreate() calls a Cryptohome to create new cryptohome. | 28 // AuthenticateToCreate() calls cryptohomed to create new cryptohome. |
29 class ExtendedAuthenticator | 29 class ExtendedAuthenticator |
30 : public base::RefCountedThreadSafe<ExtendedAuthenticator> { | 30 : public base::RefCountedThreadSafe<ExtendedAuthenticator> { |
31 public: | 31 public: |
32 enum AuthState { | 32 enum AuthState { |
33 SUCCESS, // Login succeeded. | 33 SUCCESS, // Login succeeded. |
34 NO_MOUNT, // No cryptohome exist for user. | 34 NO_MOUNT, // No cryptohome exist for user. |
35 FAILED_MOUNT, // Failed to mount existing cryptohome - login failed. | 35 FAILED_MOUNT, // Failed to mount existing cryptohome - login failed. |
36 FAILED_TPM, // Failed to mount/create cryptohome because of TPM error. | 36 FAILED_TPM, // Failed to mount/create cryptohome because of TPM error. |
37 }; | 37 }; |
38 | 38 |
39 typedef base::Callback<void(const std::string& hash)> HashSuccessCallback; | 39 typedef base::Callback<void(const std::string& result)> ResultCallback; |
40 typedef base::Callback<void(const UserContext& context)> ContextCallback; | 40 typedef base::Callback<void(const UserContext& context)> ContextCallback; |
41 | 41 |
42 class AuthStatusConsumer { | 42 class AuthStatusConsumer { |
43 public: | 43 public: |
44 virtual ~AuthStatusConsumer() {} | 44 virtual ~AuthStatusConsumer() {} |
45 // The current login attempt has ended in failure, with error. | 45 // The current login attempt has ended in failure, with error. |
46 virtual void OnAuthenticationFailure(AuthState state) = 0; | 46 virtual void OnAuthenticationFailure(AuthState state) = 0; |
47 }; | 47 }; |
48 | 48 |
49 explicit ExtendedAuthenticator(AuthStatusConsumer* consumer); | 49 explicit ExtendedAuthenticator(AuthStatusConsumer* consumer); |
50 explicit ExtendedAuthenticator(LoginStatusConsumer* consumer); | 50 explicit ExtendedAuthenticator(LoginStatusConsumer* consumer); |
51 | 51 |
52 // Updates consumer of the class. | 52 // Updates consumer of the class. |
53 void SetConsumer(LoginStatusConsumer* consumer); | 53 void SetConsumer(LoginStatusConsumer* consumer); |
54 | 54 |
55 // This call will attempt to mount home dir for user, key (and key label) | 55 // This call will attempt to mount the home dir for the user, key (and key |
56 // specified in |context|. If |context.need_password_hashing| is true, the key | 56 // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will |
57 // will be hashed with password salt before passing it to cryptohome. This | 57 // be hashed with the system salt before being passed to cryptohomed. This |
58 // call assumes that homedir already exist for user, otherwise call will | 58 // call assumes that the home dir already exist for the user and will return |
59 // result in error. On success username hash (used as mount point) will be | 59 // an error otherwise. On success, the user ID hash (used as the mount point) |
60 // passed to |success_callback|. | 60 // will be passed to |success_callback|. |
61 void AuthenticateToMount(const UserContext& context, | 61 void AuthenticateToMount(const UserContext& context, |
62 const HashSuccessCallback& success_callback); | 62 const ResultCallback& success_callback); |
63 | 63 |
64 // This call will attempt to authenticate |user| with key (and key label) | 64 // This call will attempt to authenticate the user with the key (and key |
65 // specified in |context|. No actions are taken upon authentication. | 65 // label) in |context|. No further actions are taken after authentication. |
66 void AuthenticateToCheck(const UserContext& context, | 66 void AuthenticateToCheck(const UserContext& context, |
67 const base::Closure& success_callback); | 67 const base::Closure& success_callback); |
68 | 68 |
69 // This call will create and mount home dir for |user_id| with supplied | 69 // This call will create and mount the home dir for |user_id| with the given |
70 // |keys| if home dir is missing. If homedir already exist, the mount attempt | 70 // |keys| if the home dir is missing. If the home dir exists already, a mount |
71 // will be performed using first key for |auth|. | 71 // attempt will be performed using the first key in |keys| for authentication. |
72 // Note, that all keys in |keys| should be already hashed with system salt if | 72 // Note that all |keys| should have been transformed from plain text already. |
73 // it is necessary, this method does not alter them. | 73 // This method does not alter them. |
74 void CreateMount(const std::string& user_id, | 74 void CreateMount(const std::string& user_id, |
75 const std::vector<cryptohome::KeyDefinition>& keys, | 75 const std::vector<cryptohome::KeyDefinition>& keys, |
76 const HashSuccessCallback& success_callback); | 76 const ResultCallback& success_callback); |
77 | 77 |
78 // Hashes |password| with system salt. Result will be passed to | 78 // Attempts to add a new |key| for the user identified/authorized by |
79 // |success_callback|. | 79 // |context|. If a key with the same label already exists, the behavior |
80 void HashPasswordWithSalt(const std::string& password, | 80 // depends on the |replace_existing| flag. If the flag is set, the old key is |
81 const HashSuccessCallback& success_callback); | 81 // replaced. If the flag is not set, an error occurs. It is not allowed to |
82 | 82 // replace the key used for authorization. |
83 // Attempts to add new |key| for user identified/authorized by |context|. | |
84 // If if key with same label already exist, behavior depends on | |
85 // |replace_existing| flag. If flag is set, old key will be replaced. If it | |
86 // is not set, attempt will lead to error. | |
87 // It is prohibited to use same key label both in |auth| and |key|. | |
88 void AddKey(const UserContext& context, | 83 void AddKey(const UserContext& context, |
89 const cryptohome::KeyDefinition& key, | 84 const cryptohome::KeyDefinition& key, |
90 bool replace_existing, | 85 bool replace_existing, |
91 const base::Closure& success_callback); | 86 const base::Closure& success_callback); |
92 | 87 |
93 // Attempts to perform an authorized update of the key specified in |context| | 88 // Attempts to perform an authorized update of the key in |context| with the |
94 // with new |key|. Update is authorized by providing |signature| of the key. | 89 // new |key|. The update is authorized by providing the |signature| of the |
95 // Original key should have |PRIV_AUTHORIZED_UPDATE| privilege to perform this | 90 // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to |
96 // operation. Key label in |context| and in |key| should be the same. | 91 // perform this operation. The key labels in |context| and in |key| should be |
| 92 // the same. |
97 void UpdateKeyAuthorized(const UserContext& context, | 93 void UpdateKeyAuthorized(const UserContext& context, |
98 const cryptohome::KeyDefinition& key, | 94 const cryptohome::KeyDefinition& key, |
99 const std::string& signature, | 95 const std::string& signature, |
100 const base::Closure& success_callback); | 96 const base::Closure& success_callback); |
101 | 97 |
102 // Attempts to remove |key_to_remove|-labelled key for user | 98 // Attempts to remove the key labeled |key_to_remove| for the user identified/ |
103 // identified/authorized by |context|. It is possible to remove the key used | 99 // authorized by |context|. It is possible to remove the key used for |
104 // for authorization, although it should be done with extreme care. | 100 // authorization, although it should be done with extreme care. |
105 void RemoveKey(const UserContext& context, | 101 void RemoveKey(const UserContext& context, |
106 const std::string& key_to_remove, | 102 const std::string& key_to_remove, |
107 const base::Closure& success_callback); | 103 const base::Closure& success_callback); |
108 | 104 |
109 // Transforms |user_context| so that it can be used by DoNNN methods. | 105 // Hashes the key in |user_context| with the system salt it its type is |
110 // Currently it consists of hashing password with system salt if needed. | 106 // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the |
111 void TransformContext(const UserContext& user_context, | 107 // |callback|. |
112 const ContextCallback& callback); | 108 void TransformKeyIfNeeded(const UserContext& user_context, |
| 109 const ContextCallback& callback); |
113 | 110 |
114 private: | 111 private: |
115 friend class base::RefCountedThreadSafe<ExtendedAuthenticator>; | 112 friend class base::RefCountedThreadSafe<ExtendedAuthenticator>; |
116 | 113 |
117 ~ExtendedAuthenticator(); | 114 ~ExtendedAuthenticator(); |
118 | 115 |
119 typedef base::Callback<void(const std::string& system_salt)> | |
120 PendingHashCallback; | |
121 | |
122 // Callback for system salt getter. | 116 // Callback for system salt getter. |
123 void OnSaltObtained(const std::string& system_salt); | 117 void OnSaltObtained(const std::string& system_salt); |
124 | 118 |
125 // Updates UserContext (salts given key with system salt) if necessary. | |
126 void UpdateContextToMount(const UserContext& context, | |
127 const std::string& hashed_password); | |
128 void UpdateContextAndCheckKey(const UserContext& context, | |
129 const std::string& hashed_password); | |
130 | |
131 // Performs actual operation with fully configured |context|. | 119 // Performs actual operation with fully configured |context|. |
132 void DoAuthenticateToMount(const HashSuccessCallback& success_callback, | 120 void DoAuthenticateToMount(const ResultCallback& success_callback, |
133 const UserContext& context); | 121 const UserContext& context); |
134 void DoAuthenticateToCheck(const base::Closure& success_callback, | 122 void DoAuthenticateToCheck(const base::Closure& success_callback, |
135 const UserContext& context); | 123 const UserContext& context); |
136 void DoAddKey(const cryptohome::KeyDefinition& key, | 124 void DoAddKey(const cryptohome::KeyDefinition& key, |
137 bool replace_existing, | 125 bool replace_existing, |
138 const base::Closure& success_callback, | 126 const base::Closure& success_callback, |
139 const UserContext& context); | 127 const UserContext& context); |
140 void DoUpdateKeyAuthorized(const cryptohome::KeyDefinition& key, | 128 void DoUpdateKeyAuthorized(const cryptohome::KeyDefinition& key, |
141 const std::string& signature, | 129 const std::string& signature, |
142 const base::Closure& success_callback, | 130 const base::Closure& success_callback, |
143 const UserContext& context); | 131 const UserContext& context); |
144 void DoRemoveKey(const std::string& key_to_remove, | 132 void DoRemoveKey(const std::string& key_to_remove, |
145 const base::Closure& success_callback, | 133 const base::Closure& success_callback, |
146 const UserContext& context); | 134 const UserContext& context); |
147 | 135 |
148 // Inner operation callbacks. | 136 // Inner operation callbacks. |
149 void OnMountComplete(const std::string& time_marker, | 137 void OnMountComplete(const std::string& time_marker, |
150 const UserContext& context, | 138 const UserContext& context, |
151 const HashSuccessCallback& success_callback, | 139 const ResultCallback& success_callback, |
152 bool success, | 140 bool success, |
153 cryptohome::MountError return_code, | 141 cryptohome::MountError return_code, |
154 const std::string& mount_hash); | 142 const std::string& mount_hash); |
155 void OnOperationComplete(const std::string& time_marker, | 143 void OnOperationComplete(const std::string& time_marker, |
156 const UserContext& context, | 144 const UserContext& context, |
157 const base::Closure& success_callback, | 145 const base::Closure& success_callback, |
158 bool success, | 146 bool success, |
159 cryptohome::MountError return_code); | 147 cryptohome::MountError return_code); |
160 | 148 |
161 // Inner implementation for hashing |password| with system salt. Will queue | |
162 // requests if |system_salt| is not known yet. | |
163 // Invokes |callback| with result. | |
164 void DoHashWithSalt(const std::string& password, | |
165 const HashSuccessCallback& callback, | |
166 const std::string& system_salt); | |
167 | |
168 // Callback from previous method. | |
169 void DidTransformContext(const UserContext& user_context, | |
170 const ContextCallback& callback, | |
171 const std::string& hashed_password); | |
172 | |
173 bool salt_obtained_; | 149 bool salt_obtained_; |
174 std::string system_salt_; | 150 std::string system_salt_; |
175 std::vector<PendingHashCallback> hashing_queue_; | 151 std::vector<base::Closure> system_salt_callbacks_; |
176 | 152 |
177 AuthStatusConsumer* consumer_; | 153 AuthStatusConsumer* consumer_; |
178 LoginStatusConsumer* old_consumer_; | 154 LoginStatusConsumer* old_consumer_; |
179 | 155 |
180 DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator); | 156 DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator); |
181 }; | 157 }; |
182 | 158 |
183 } // namespace chromeos | 159 } // namespace chromeos |
184 | 160 |
185 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ | 161 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ |
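Review bot: The new comment on CreateMount() (new lines 69-73) requires every entry of |keys| to "have been transformed from plain text already", but this header no longer gives callers a way to do that. The change removes the public HashPasswordWithSalt(), and the remaining TransformKeyIfNeeded() takes a UserContext rather than a cryptohome::KeyDefinition. Because the method "does not alter them", an untransformed password passed in |keys| would presumably reach cryptohomed as-is; the header does not show whether the implementation rejects that case. I would spell out the contract in the comment, e.g. `// Callers must hash plain-text secrets with the system salt before building |keys|; CreateMount() does not transform them.`, and name the helper callers are expected to use. Separately, the TransformKeyIfNeeded() comment reads "system salt it its type" where "if its type" is meant, and the file uses std::vector without including `<vector>`.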
OLD | NEW |