Replace c/b/nss_context by a KeyedService.

components/cert_database/chromeos/cert_database_service_io_part_chromeos.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/cert_database/public/chromeos/cert_database_service_io_part_chromeos.h"
+
+#include "base/bind.h"
+#include "base/bind_helpers.h"
+#include "base/callback.h"
+#include "base/location.h"
+#include "base/single_thread_task_runner.h"
+#include "base/thread_task_runner_handle.h"
+#include "chromeos/dbus/cryptohome_client.h"
+#include "crypto/nss_util.h"
+#include "crypto/nss_util_internal.h"
+#include "net/cert/nss_cert_database_chromeos.h"
+
+namespace cert_database {
+
+namespace {
+
+void DidGetTPMInfoOnUICallBackToIO(
+    const chromeos::CryptohomeClient::Pkcs11GetTpmTokenInfoCallback& callback,
+    scoped_refptr<base::SingleThreadTaskRunner> origin_thread,
+    chromeos::DBusMethodCallStatus call_status,
+    const std::string& label,
+    const std::string& user_pin,
+    int slot_id) {
+  DVLOG(1) << "Got TPM info for slot " << slot_id;
+  origin_thread->PostTask(
+      FROM_HERE, base::Bind(callback, call_status, label, user_pin, slot_id));
+}
+
+void GetTPMInfoForUserOnUIThread(
+    const std::string& user_email,
+    const chromeos::CryptohomeClient::Pkcs11GetTpmTokenInfoCallback& callback,
+    scoped_refptr<base::SingleThreadTaskRunner> origin_thread,
+    chromeos::CryptohomeClient* cryptohome_client) {
+  DVLOG(1) << "Getting TPM info from cryptohome for "
+           << " " << user_email;
+  cryptohome_client->Pkcs11GetTpmTokenInfoForUser(
+      user_email,
+      base::Bind(&DidGetTPMInfoOnUICallBackToIO, callback, origin_thread));
+}
+
+void GetTPMInfoForUserOnIOThread(
+    const std::string& user_email,
+    const chromeos::CryptohomeClient::Pkcs11GetTpmTokenInfoCallback& callback,
+    scoped_refptr<base::SequencedTaskRunner> dbus_task_runner,
+    chromeos::CryptohomeClient* cryptohome_client) {
+  dbus_task_runner->PostTask(FROM_HERE,
+                             base::Bind(&GetTPMInfoForUserOnUIThread,
+                                        user_email,
+                                        callback,
+                                        base::ThreadTaskRunnerHandle::Get(),
+                                        cryptohome_client));
+}
+
+}  // namespace
+
+class CertDatabaseServiceIOPartChromeOS::Internal {
+ public:
+  enum SystemTPMTokenStatus {
+    SYSTEM_TPM_TOKEN_STATUS_UNDETERMINED,
+    SYSTEM_TPM_TOKEN_STATUS_ENABLED,
+    SYSTEM_TPM_TOKEN_STATUS_DISABLED
+  };
+
+  enum State {
+    TPM_TOKEN_STATE_UNKNOWN,
+    TPM_TOKEN_ENABLED_AND_READY,
+    INITIALIZED_NSS_FOR_USER,
+    GOT_PRIVATE_SLOT_FOR_USER,
+    WAITING_FOR_SYSTEM_TPM_TOKEN,
+    SYSTEM_TPM_TOKEN_READY,
+    GOT_SYSTEM_SLOT,
+    CREATED_NSS_CERTDB
+  };
+
+  explicit Internal(
+      const std::string& user_email,
+      const std::string& username_hash,
+      bool use_system_key_slot,
+      const base::FilePath& path,
+      const scoped_refptr<base::SequencedTaskRunner>& dbus_task_runner,
+      chromeos::CryptohomeClient* cryptohome_client,
+      CertDatabaseServiceIOPartChromeOS* io_part)
+      : user_email_(user_email),
+        username_hash_(username_hash),
+        use_system_key_slot_(use_system_key_slot),
+        path_(path),
+        dbus_task_runner_(dbus_task_runner),
+        state_(TPM_TOKEN_STATE_UNKNOWN),
+        system_tpm_token_status_(SYSTEM_TPM_TOKEN_STATUS_UNDETERMINED),
+        cryptohome_client_(cryptohome_client),
+        io_part_(io_part),
+        weak_ptr_factory_(this) {
+    CHECK(dbus_task_runner_.get());
+    CHECK(cryptohome_client_);
+    CHECK(io_part_);
+  }
+
+  void Run() {
+    thread_checker_.DetachFromThread();
+    thread_checker_.CalledOnValidThread();
+
+    VLOG(1) << "Initialize NSS for chromeos user " << username_hash_;
+    crypto::InitializeNSSForChromeOSUser(username_hash_, path_);
+    RunNextStep(TPM_TOKEN_STATE_UNKNOWN);
+  }
+
+  void RunNextStep(const State& next_state) {

[mattm, 2014/10/18 00:45:16]

hm, not entirely sure about the state machine, especially the way the system
token ready is handled sort of weirdly by the state machine.

[pneubeck (no reviews), 2014/10/21 09:22:09]

What specific do you mean?
The fact that it's waiting for a call from the outside? That's like a
notification, which should be fine.

The TPMTokenLoader will still have to be updated (independent of / after this
change), as it was meant at some time for the user's token and now is
responsible for the device token.
Alternatively, if nss_util already takes care of global state of TPM
initialization, then we could probably get rid of TPMTokenLoader altogether?
But I'd prefer postponing that to a follow-up CL.

[mattm, 2014/10/30 03:37:48]

I dunno, just feels a little weird to me. But I don't do a lot of state machines
like this, so maybe just that. Feel free to ignore if no one else complains.

+    DCHECK(thread_checker_.CalledOnValidThread());
+
+    VLOG(1) << "State transition " << state_ << " -> " << next_state;
+    state_ = next_state;
+    switch (state_) {
+      case TPM_TOKEN_STATE_UNKNOWN:
+        CheckTPMTokenState();
+        break;
+      case TPM_TOKEN_ENABLED_AND_READY:
+        GetTPMTokenInfo();
+        break;
+      case INITIALIZED_NSS_FOR_USER:
+        GetPrivateSlot();
+        break;
+      case GOT_PRIVATE_SLOT_FOR_USER:
+        if (!use_system_key_slot_) {
+          RunNextStep(GOT_SYSTEM_SLOT);
+        } else if (system_tpm_token_status_ ==
+                   SYSTEM_TPM_TOKEN_STATUS_UNDETERMINED) {
+          state_ = WAITING_FOR_SYSTEM_TPM_TOKEN;
+        } else {
+          RunNextStep(SYSTEM_TPM_TOKEN_READY);
+        }
+        break;
+      case WAITING_FOR_SYSTEM_TPM_TOKEN:
+        // This step is waiting for OnSystemTPMTokenReady to be called.
+        NOTREACHED();
+        break;
+      case SYSTEM_TPM_TOKEN_READY:
+        GetSystemSlot();
+        break;
+      case GOT_SYSTEM_SLOT:
+        CreateCertDatabase();
+        break;
+      case CREATED_NSS_CERTDB:
+        NOTREACHED();
+    }
+  }
+
+  void FinishWithState(const State& state) {
+    VLOG(1) << "FinishWithState " << state;
+    state_ = state;
+  }
+
+  void CheckTPMTokenState() {
+    // Check if it's OK to initialize TPM for the user before continuing. This
+    // may not be the case if the TPM slot initialization was previously
+    // requested for the same user.
+    if (!crypto::ShouldInitializeTPMForChromeOSUser(username_hash_)) {
+      RunNextStep(INITIALIZED_NSS_FOR_USER);
+      return;
+    }
+
+    crypto::WillInitializeTPMForChromeOSUser(username_hash_);
+
+    if (crypto::IsTPMTokenEnabledForNSS()) {
+      base::Closure tpm_token_ready_callback =
+          base::Bind(&Internal::RunNextStep,
+                     weak_ptr_factory_.GetWeakPtr(),
+                     TPM_TOKEN_ENABLED_AND_READY);
+      if (crypto::IsTPMTokenReady(tpm_token_ready_callback))
+        tpm_token_ready_callback.Run();
+      else
+        DVLOG(1) << "Waiting for tpm ready ...";
+    } else {
+      crypto::InitializePrivateSoftwareSlotForChromeOSUser(username_hash_);
+      RunNextStep(INITIALIZED_NSS_FOR_USER);
+    }
+  }
+
+  void GetTPMTokenInfo() {
+    GetTPMInfoForUserOnIOThread(user_email_,
+                                base::Bind(&Internal::GetTPMTokenInfoDONE,
+                                           weak_ptr_factory_.GetWeakPtr()),
+                                dbus_task_runner_,
+                                cryptohome_client_);
+  }
+
+  void GetTPMTokenInfoDONE(chromeos::DBusMethodCallStatus call_status,
+                           const std::string& label,
+                           const std::string& user_pin,
+                           int slot_id) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+
+    if (call_status == chromeos::DBUS_METHOD_CALL_FAILURE) {
+      LOG(ERROR) << "DBus error while getting TPM info for " << username_hash_;
+      crypto::InitializePrivateSoftwareSlotForChromeOSUser(username_hash_);
+    } else {
+      crypto::InitializeTPMForChromeOSUser(username_hash_, slot_id);
+    }
+    RunNextStep(INITIALIZED_NSS_FOR_USER);
+  }
+
+  void GetPrivateSlot() {
+    base::Callback<void(crypto::ScopedPK11Slot)> callback = base::Bind(
+        &Internal::GetPrivateSlotDONE, weak_ptr_factory_.GetWeakPtr());
+
+    crypto::ScopedPK11Slot private_slot(
+        crypto::GetPrivateSlotForChromeOSUser(username_hash_, callback));
+    if (private_slot)
+      callback.Run(private_slot.Pass());
+  }
+
+  void GetPrivateSlotDONE(crypto::ScopedPK11Slot private_slot) {

[mattm, 2014/10/18 00:45:16]

Name style. Maybe GotPrivateSlot or DidGetPrivateSlot. (elsewhere too)

[pneubeck (no reviews), 2014/10/21 09:22:09]

Done.

+    DCHECK(thread_checker_.CalledOnValidThread());
+    DCHECK(private_slot);
+
+    private_slot_ = private_slot.Pass();
+    RunNextStep(GOT_PRIVATE_SLOT_FOR_USER);
+  }
+
+  void OnSystemTPMTokenReady(bool system_tpm_token_enabled) {
+    if (!use_system_key_slot_)
+      return;
+    if (system_tpm_token_enabled)
+      system_tpm_token_status_ = SYSTEM_TPM_TOKEN_STATUS_ENABLED;
+    else
+      system_tpm_token_status_ = SYSTEM_TPM_TOKEN_STATUS_DISABLED;
+    if (state_ == WAITING_FOR_SYSTEM_TPM_TOKEN)
+      RunNextStep(SYSTEM_TPM_TOKEN_READY);
+  }
+
+  void GetSystemSlot() {
+    if (!use_system_key_slot_ ||
+        system_tpm_token_status_ == SYSTEM_TPM_TOKEN_STATUS_DISABLED) {
+      VLOG(2) << "Skip system key slot initialization";
+      RunNextStep(GOT_SYSTEM_SLOT);
+      return;
+    }
+
+    base::Callback<void(crypto::ScopedPK11Slot)> callback = base::Bind(
+        &Internal::GetSystemSlotDONE, weak_ptr_factory_.GetWeakPtr());
+
+    crypto::ScopedPK11Slot system_slot = crypto::GetSystemNSSKeySlot(callback);
+    if (system_slot)
+      callback.Run(system_slot.Pass());
+  }
+
+  void GetSystemSlotDONE(crypto::ScopedPK11Slot system_slot) {
+    if (!system_slot)
+      LOG(ERROR) << "Could not get the system key slot.";
+    system_slot_ = system_slot.Pass();
+    RunNextStep(GOT_SYSTEM_SLOT);
+  }
+
+  void CreateCertDatabase() {
+    crypto::ScopedPK11Slot public_slot =
+        crypto::GetPublicSlotForChromeOSUser(username_hash_);
+
+    scoped_ptr<net::NSSCertDatabaseChromeOS> db(
+        new net::NSSCertDatabaseChromeOS(public_slot.Pass(),
+                                         private_slot_.Pass()));
+    if (system_slot_)
+      db->SetSystemSlot(system_slot_.Pass());
+
+    io_part_->DidCreateNSSCertDatabase(db.PassAs<net::NSSCertDatabase>());

[mattm, 2014/10/18 00:45:16]

can use Pass() now

[pneubeck (no reviews), 2014/10/21 09:22:09]

Done.

+    FinishWithState(CREATED_NSS_CERTDB);
+  }
+
+  const std::string user_email_;
+  const std::string username_hash_;
+  bool use_system_key_slot_;
+  const base::FilePath path_;
+  scoped_refptr<base::SequencedTaskRunner> dbus_task_runner_;
+  State state_;
+  crypto::ScopedPK11Slot private_slot_;
+  SystemTPMTokenStatus system_tpm_token_status_;
+  crypto::ScopedPK11Slot system_slot_;
+  chromeos::CryptohomeClient* cryptohome_client_;
+  CertDatabaseServiceIOPartChromeOS* io_part_;
+  base::ThreadChecker thread_checker_;
+  base::WeakPtrFactory<Internal> weak_ptr_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(Internal);
+};
+
+CertDatabaseServiceIOPartChromeOS::CertDatabaseServiceIOPartChromeOS(
+    const std::string& user_email,
+    const std::string& username_hash,
+    bool use_system_key_slot,
+    const base::FilePath& path,
+    const scoped_refptr<base::SequencedTaskRunner>& dbus_task_runner,
+    chromeos::CryptohomeClient* cryptohome_client)
+    : internal_(new Internal(user_email,
+                             username_hash,
+                             use_system_key_slot,
+                             path,
+                             dbus_task_runner,
+                             cryptohome_client,
+                             this)) {
+}
+
+CertDatabaseServiceIOPartChromeOS::~CertDatabaseServiceIOPartChromeOS() {
+  DCHECK(thread_checker_.CalledOnValidThread());
+}
+
+void CertDatabaseServiceIOPartChromeOS::Init() {
+  CertDatabaseServiceIOPart::Init();
+
+  internal_->Run();
+}
+
+void CertDatabaseServiceIOPartChromeOS::DidCreateNSSCertDatabase(
+    scoped_ptr<net::NSSCertDatabase> db) {
+  internal_.reset();
+  CertDatabaseServiceIOPart::DidCreateNSSCertDatabase(db.Pass());
+}
+
+CertDatabaseServiceIOPartChromeOS::SystemTPMTokenReadyCallback
+CertDatabaseServiceIOPartChromeOS::GetSystemTPMTokenReadyCallback() {
+  return base::Bind(
+      &OnSystemTPMTokenReady, GetWeakPtr(), base::Unretained(this));
+}
+
+// static
+void CertDatabaseServiceIOPartChromeOS::OnSystemTPMTokenReady(
+    const base::WeakPtr<CertDatabaseServiceIOPart>& weak_ptr,
+    CertDatabaseServiceIOPartChromeOS* io_part,
+    bool system_tpm_token_enabled) {
+  if (!weak_ptr)
+    return;
+  CHECK_EQ(io_part, weak_ptr.get());
+
+  io_part->internal_->OnSystemTPMTokenReady(system_tpm_token_enabled);
+}
+
+}  // namespace cert_database