| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/managed_mode/chromeos/manager_password_service.h" | |
| 6 | |
| 7 #include "base/bind.h" | |
| 8 #include "base/logging.h" | |
| 9 #include "base/metrics/histogram.h" | |
| 10 #include "base/values.h" | |
| 11 #include "chrome/browser/chromeos/login/auth/key.h" | |
| 12 #include "chrome/browser/chromeos/login/auth/user_context.h" | |
| 13 #include "chrome/browser/chromeos/login/managed/locally_managed_user_constants.h
" | |
| 14 #include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h
" | |
| 15 #include "chrome/browser/chromeos/login/users/supervised_user_manager.h" | |
| 16 #include "chrome/browser/chromeos/login/users/user.h" | |
| 17 #include "chrome/browser/chromeos/login/users/user_manager.h" | |
| 18 #include "chrome/browser/managed_mode/managed_user_constants.h" | |
| 19 #include "chrome/browser/managed_mode/managed_user_sync_service.h" | |
| 20 | |
| 21 namespace chromeos { | |
| 22 | |
| 23 ManagerPasswordService::ManagerPasswordService() : weak_ptr_factory_(this) {} | |
| 24 | |
| 25 ManagerPasswordService::~ManagerPasswordService() {} | |
| 26 | |
| 27 void ManagerPasswordService::Init( | |
| 28 const std::string& user_id, | |
| 29 ManagedUserSyncService* user_service, | |
| 30 ManagedUserSharedSettingsService* shared_settings_service) { | |
| 31 user_id_ = user_id; | |
| 32 user_service_ = user_service; | |
| 33 settings_service_ = shared_settings_service; | |
| 34 settings_service_subscription_ = settings_service_->Subscribe( | |
| 35 base::Bind(&ManagerPasswordService::OnSharedSettingsChange, | |
| 36 weak_ptr_factory_.GetWeakPtr())); | |
| 37 | |
| 38 authenticator_ = new ExtendedAuthenticator(this); | |
| 39 | |
| 40 UserManager* user_manager = UserManager::Get(); | |
| 41 | |
| 42 SupervisedUserManager* supervised_user_manager = | |
| 43 user_manager->GetSupervisedUserManager(); | |
| 44 | |
| 45 const UserList& users = user_manager->GetUsers(); | |
| 46 | |
| 47 for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) { | |
| 48 if ((*it)->GetType() != User::USER_TYPE_LOCALLY_MANAGED) | |
| 49 continue; | |
| 50 if (user_id != supervised_user_manager->GetManagerUserId((*it)->email())) | |
| 51 continue; | |
| 52 OnSharedSettingsChange( | |
| 53 supervised_user_manager->GetUserSyncId((*it)->email()), | |
| 54 managed_users::kChromeOSPasswordData); | |
| 55 } | |
| 56 } | |
| 57 | |
| 58 void ManagerPasswordService::OnSharedSettingsChange( | |
| 59 const std::string& mu_id, | |
| 60 const std::string& key) { | |
| 61 if (key != managed_users::kChromeOSPasswordData) | |
| 62 return; | |
| 63 | |
| 64 SupervisedUserManager* supervised_user_manager = | |
| 65 UserManager::Get()->GetSupervisedUserManager(); | |
| 66 const User* user = supervised_user_manager->FindBySyncId(mu_id); | |
| 67 // No user on device. | |
| 68 if (user == NULL) | |
| 69 return; | |
| 70 | |
| 71 const base::Value* value = settings_service_->GetValue(mu_id, key); | |
| 72 | |
| 73 if (value == NULL) { | |
| 74 LOG(WARNING) << "Got empty value from sync."; | |
| 75 return; | |
| 76 } | |
| 77 const base::DictionaryValue* dict; | |
| 78 if (!value->GetAsDictionary(&dict)) { | |
| 79 LOG(WARNING) << "Got non-dictionary value from sync."; | |
| 80 return; | |
| 81 } | |
| 82 | |
| 83 SupervisedUserAuthentication* auth = | |
| 84 supervised_user_manager->GetAuthentication(); | |
| 85 | |
| 86 if (!auth->NeedPasswordChange(user->email(), dict) && | |
| 87 !auth->HasIncompleteKey(user->email())) { | |
| 88 return; | |
| 89 } | |
| 90 scoped_ptr<base::DictionaryValue> wrapper(dict->DeepCopy()); | |
| 91 user_service_->GetManagedUsersAsync( | |
| 92 base::Bind(&ManagerPasswordService::GetManagedUsersCallback, | |
| 93 weak_ptr_factory_.GetWeakPtr(), | |
| 94 mu_id, | |
| 95 user->email(), | |
| 96 Passed(&wrapper))); | |
| 97 } | |
| 98 | |
| 99 void ManagerPasswordService::GetManagedUsersCallback( | |
| 100 const std::string& sync_mu_id, | |
| 101 const std::string& user_id, | |
| 102 scoped_ptr<base::DictionaryValue> password_data, | |
| 103 const base::DictionaryValue* managed_users) { | |
| 104 const base::DictionaryValue* managed_user = NULL; | |
| 105 if (!managed_users->GetDictionary(sync_mu_id, &managed_user)) | |
| 106 return; | |
| 107 std::string master_key; | |
| 108 std::string encryption_key; | |
| 109 std::string signature_key; | |
| 110 if (!managed_user->GetString(ManagedUserSyncService::kMasterKey, | |
| 111 &master_key)) { | |
| 112 LOG(WARNING) << "Can not apply password change to " << user_id | |
| 113 << ": no master key found"; | |
| 114 UMA_HISTOGRAM_ENUMERATION( | |
| 115 "ManagedUsers.ChromeOS.PasswordChange", | |
| 116 SupervisedUserAuthentication::PASSWORD_CHANGE_FAILED_NO_MASTER_KEY, | |
| 117 SupervisedUserAuthentication::PASSWORD_CHANGE_RESULT_MAX_VALUE); | |
| 118 return; | |
| 119 } | |
| 120 | |
| 121 if (!managed_user->GetString(ManagedUserSyncService::kPasswordSignatureKey, | |
| 122 &signature_key) || | |
| 123 !managed_user->GetString(ManagedUserSyncService::kPasswordEncryptionKey, | |
| 124 &encryption_key)) { | |
| 125 LOG(WARNING) << "Can not apply password change to " << user_id | |
| 126 << ": no signature / encryption keys."; | |
| 127 UMA_HISTOGRAM_ENUMERATION( | |
| 128 "ManagedUsers.ChromeOS.PasswordChange", | |
| 129 SupervisedUserAuthentication::PASSWORD_CHANGE_FAILED_NO_SIGNATURE_KEY, | |
| 130 SupervisedUserAuthentication::PASSWORD_CHANGE_RESULT_MAX_VALUE); | |
| 131 return; | |
| 132 } | |
| 133 | |
| 134 UserContext manager_key(user_id); | |
| 135 manager_key.SetKey(Key(master_key)); | |
| 136 manager_key.SetIsUsingOAuth(false); | |
| 137 | |
| 138 // As master key can have old label, leave label field empty - it will work | |
| 139 // as wildcard. | |
| 140 | |
| 141 std::string new_key; | |
| 142 int revision; | |
| 143 | |
| 144 bool has_data = password_data->GetStringWithoutPathExpansion( | |
| 145 kEncryptedPassword, &new_key); | |
| 146 has_data &= password_data->GetIntegerWithoutPathExpansion(kPasswordRevision, | |
| 147 &revision); | |
| 148 if (!has_data) { | |
| 149 LOG(WARNING) << "Can not apply password change to " << user_id | |
| 150 << ": incomplete password data."; | |
| 151 UMA_HISTOGRAM_ENUMERATION( | |
| 152 "ManagedUsers.ChromeOS.PasswordChange", | |
| 153 SupervisedUserAuthentication::PASSWORD_CHANGE_FAILED_NO_PASSWORD_DATA, | |
| 154 SupervisedUserAuthentication::PASSWORD_CHANGE_RESULT_MAX_VALUE); | |
| 155 return; | |
| 156 } | |
| 157 | |
| 158 cryptohome::KeyDefinition new_key_definition( | |
| 159 new_key, | |
| 160 kCryptohomeManagedUserKeyLabel, | |
| 161 cryptohome::PRIV_AUTHORIZED_UPDATE || cryptohome::PRIV_MOUNT); | |
| 162 new_key_definition.revision = revision; | |
| 163 | |
| 164 new_key_definition.encryption_key = encryption_key; | |
| 165 new_key_definition.signature_key = signature_key; | |
| 166 | |
| 167 authenticator_->AddKey(manager_key, | |
| 168 new_key_definition, | |
| 169 true /* replace existing */, | |
| 170 base::Bind(&ManagerPasswordService::OnAddKeySuccess, | |
| 171 weak_ptr_factory_.GetWeakPtr(), | |
| 172 manager_key, | |
| 173 user_id, | |
| 174 Passed(&password_data))); | |
| 175 } | |
| 176 | |
| 177 void ManagerPasswordService::OnAuthenticationFailure( | |
| 178 ExtendedAuthenticator::AuthState state) { | |
| 179 UMA_HISTOGRAM_ENUMERATION( | |
| 180 "ManagedUsers.ChromeOS.PasswordChange", | |
| 181 SupervisedUserAuthentication::PASSWORD_CHANGE_FAILED_MASTER_KEY_FAILURE, | |
| 182 SupervisedUserAuthentication::PASSWORD_CHANGE_RESULT_MAX_VALUE); | |
| 183 LOG(ERROR) << "Can not apply password change, master key failure"; | |
| 184 } | |
| 185 | |
| 186 void ManagerPasswordService::OnAddKeySuccess( | |
| 187 const UserContext& master_key_context, | |
| 188 const std::string& user_id, | |
| 189 scoped_ptr<base::DictionaryValue> password_data) { | |
| 190 VLOG(0) << "Password changed for " << user_id; | |
| 191 UMA_HISTOGRAM_ENUMERATION( | |
| 192 "ManagedUsers.ChromeOS.PasswordChange", | |
| 193 SupervisedUserAuthentication::PASSWORD_CHANGED_IN_MANAGER_SESSION, | |
| 194 SupervisedUserAuthentication::PASSWORD_CHANGE_RESULT_MAX_VALUE); | |
| 195 | |
| 196 SupervisedUserAuthentication* auth = | |
| 197 UserManager::Get()->GetSupervisedUserManager()->GetAuthentication(); | |
| 198 int old_schema = auth->GetPasswordSchema(user_id); | |
| 199 auth->StorePasswordData(user_id, *password_data.get()); | |
| 200 | |
| 201 if (auth->HasIncompleteKey(user_id)) | |
| 202 auth->MarkKeyIncomplete(user_id, false /* key is complete now */); | |
| 203 | |
| 204 // Check if we have legacy labels for keys. | |
| 205 // TODO(antrim): Migrate it to GetLabels call once wad@ implement it. | |
| 206 if (old_schema == SupervisedUserAuthentication::SCHEMA_PLAIN) { | |
| 207 // 1) Add new manager key (using old key). | |
| 208 // 2) Remove old supervised user key. | |
| 209 // 3) Remove old manager key. | |
| 210 authenticator_->TransformKeyIfNeeded( | |
| 211 master_key_context, | |
| 212 base::Bind(&ManagerPasswordService::OnKeyTransformedIfNeeded, | |
| 213 weak_ptr_factory_.GetWeakPtr())); | |
| 214 } | |
| 215 } | |
| 216 | |
| 217 void ManagerPasswordService::OnKeyTransformedIfNeeded( | |
| 218 const UserContext& master_key_context) { | |
| 219 const Key* const key = master_key_context.GetKey(); | |
| 220 DCHECK_NE(Key::KEY_TYPE_PASSWORD_PLAIN, key->GetKeyType()); | |
| 221 cryptohome::KeyDefinition new_master_key(key->GetSecret(), | |
| 222 kCryptohomeMasterKeyLabel, | |
| 223 cryptohome::PRIV_DEFAULT); | |
| 224 // Use new master key for further actions. | |
| 225 UserContext new_master_key_context = master_key_context; | |
| 226 new_master_key_context.GetKey()->SetLabel(kCryptohomeMasterKeyLabel); | |
| 227 authenticator_->AddKey( | |
| 228 master_key_context, | |
| 229 new_master_key, | |
| 230 true /* replace existing */, | |
| 231 base::Bind(&ManagerPasswordService::OnNewManagerKeySuccess, | |
| 232 weak_ptr_factory_.GetWeakPtr(), | |
| 233 new_master_key_context)); | |
| 234 } | |
| 235 | |
| 236 void ManagerPasswordService::OnNewManagerKeySuccess( | |
| 237 const UserContext& master_key_context) { | |
| 238 VLOG(1) << "Added new master key for " << master_key_context.GetUserID(); | |
| 239 authenticator_->RemoveKey( | |
| 240 master_key_context, | |
| 241 kLegacyCryptohomeManagedUserKeyLabel, | |
| 242 base::Bind(&ManagerPasswordService::OnOldManagedUserKeyDeleted, | |
| 243 weak_ptr_factory_.GetWeakPtr(), | |
| 244 master_key_context)); | |
| 245 } | |
| 246 | |
| 247 void ManagerPasswordService::OnOldManagedUserKeyDeleted( | |
| 248 const UserContext& master_key_context) { | |
| 249 VLOG(1) << "Removed old managed user key for " | |
| 250 << master_key_context.GetUserID(); | |
| 251 authenticator_->RemoveKey( | |
| 252 master_key_context, | |
| 253 kLegacyCryptohomeMasterKeyLabel, | |
| 254 base::Bind(&ManagerPasswordService::OnOldManagerKeyDeleted, | |
| 255 weak_ptr_factory_.GetWeakPtr(), | |
| 256 master_key_context)); | |
| 257 } | |
| 258 | |
| 259 void ManagerPasswordService::OnOldManagerKeyDeleted( | |
| 260 const UserContext& master_key_context) { | |
| 261 VLOG(1) << "Removed old master key for " << master_key_context.GetUserID(); | |
| 262 } | |
| 263 | |
| 264 void ManagerPasswordService::Shutdown() { | |
| 265 settings_service_subscription_.reset(); | |
| 266 } | |
| 267 | |
| 268 } // namespace chromeos | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 335833003:
Rename "managed (mode|user)" to "supervised user" (part 2) (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src