1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // The signin manager encapsulates some functionality tracking
6 // which user is signed in. See SigninManagerBase for full description of
7 // responsibilities. The class defined in this file provides functionality
8 // required by all platforms except Chrome OS.
10 // When a user is signed in, a ClientLogin request is run on their behalf.
11 // Auth tokens are fetched from Google and the results are stored in the
13 // TODO(tim): Bug 92948, 226464. ClientLogin is all but gone from use.
15 #ifndef COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
16 #define COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
18 #if defined(OS_CHROMEOS)
19 // On Chrome OS, SigninManagerBase is all that exists.
20 #include "components/signin/core/browser/signin_manager_base.h"
27 #include "base/compiler_specific.h"
28 #include "base/gtest_prod_util.h"
29 #include "base/logging.h"
30 #include "base/memory/scoped_ptr.h"
31 #include "base/observer_list.h"
32 #include "base/prefs/pref_change_registrar.h"
33 #include "base/prefs/pref_member.h"
34 #include "components/keyed_service/core/keyed_service.h"
35 #include "components/signin/core/browser/account_tracker_service.h"
36 #include "components/signin/core/browser/signin_internals_util.h"
37 #include "components/signin/core/browser/signin_manager_base.h"
38 #include "components/signin/core/browser/signin_metrics.h"
39 #include "net/cookies/canonical_cookie.h"
41 class GaiaCookieManagerService
;
42 class GoogleServiceAuthError
;
44 class ProfileOAuth2TokenService
;
45 class SigninAccountIdHelper
;
48 class SigninManager
: public SigninManagerBase
,
49 public AccountTrackerService::Observer
{
51 // The callback invoked once the OAuth token has been fetched during signin,
52 // but before the profile transitions to the "signed-in" state. This allows
53 // callers to load policy and prompt the user appropriately before completing
54 // signin. The callback is passed the just-fetched OAuth login refresh token.
55 typedef base::Callback
<void(const std::string
&)> OAuthTokenFetchedCallback
;
57 // This is used to distinguish URLs belonging to the special web signin flow
58 // running in the special signin process from other URLs on the same domain.
59 // We do not grant WebUI privilieges / bindings to this process or to URLs of
60 // this scheme; enforcement of privileges is handled separately by
61 // OneClickSigninHelper.
62 static const char kChromeSigninEffectiveSite
[];
64 SigninManager(SigninClient
* client
,
65 ProfileOAuth2TokenService
* token_service
,
66 AccountTrackerService
* account_tracker_service
,
67 GaiaCookieManagerService
* cookie_manager_service
);
68 ~SigninManager() override
;
70 // Returns true if the username is allowed based on the policy string.
71 static bool IsUsernameAllowedByPolicy(const std::string
& username
,
72 const std::string
& policy
);
74 // Attempt to sign in this user with a refresh token.
75 // If non-null, the passed |oauth_fetched_callback| callback is invoked once
76 // signin has been completed.
77 // The callback should invoke SignOut() or CompletePendingSignin() to either
78 // continue or cancel the in-process signin.
79 virtual void StartSignInWithRefreshToken(
80 const std::string
& refresh_token
,
81 const std::string
& username
,
82 const std::string
& password
,
83 const OAuthTokenFetchedCallback
& oauth_fetched_callback
);
85 // Copies auth credentials from one SigninManager to this one. This is used
86 // when creating a new profile during the signin process to transfer the
87 // in-progress credentials to the new profile.
88 virtual void CopyCredentialsFrom(const SigninManager
& source
);
90 // Sign a user out, removing the preference, erasing all keys
91 // associated with the user, and canceling all auth in progress.
92 virtual void SignOut(signin_metrics::ProfileSignout signout_source_metric
);
94 // On platforms where SigninManager is responsible for dealing with
95 // invalid username policy updates, we need to check this during
96 // initialization and sign the user out.
97 void Initialize(PrefService
* local_state
) override
;
98 void Shutdown() override
;
100 // If applicable, merge the signed in account into the cookie jar.
101 void MergeSigninCredentialIntoCookieJar();
103 // Invoked from an OAuthTokenFetchedCallback to complete user signin.
104 virtual void CompletePendingSignin();
106 // Invoked from SigninManagerAndroid to indicate that the sign-in process
107 // has completed for |username|.
108 void OnExternalSigninCompleted(const std::string
& username
);
110 // Returns true if there's a signin in progress.
111 bool AuthInProgress() const override
;
113 bool IsSigninAllowed() const override
;
115 // Returns true if the passed username is allowed by policy. Virtual for
117 virtual bool IsAllowedUsername(const std::string
& username
) const;
119 // If an authentication is in progress, return the username being
120 // authenticated. Returns an empty string if no auth is in progress.
121 const std::string
& GetUsernameForAuthInProgress() const;
123 // Set the preference to turn off one-click sign-in so that it won't ever
124 // show it again for the user associated with |prefs| (even if the user tries
126 static void DisableOneClickSignIn(PrefService
* prefs
);
128 // Tells the SigninManager whether to prohibit signout for this profile.
129 // If |prohibit_signout| is true, then signout will be prohibited.
130 void ProhibitSignout(bool prohibit_signout
);
132 // If true, signout is prohibited for this profile (calls to SignOut() are
134 bool IsSignoutProhibited() const;
137 // Flag saying whether signing out is allowed.
138 bool prohibit_signout_
;
141 enum SigninType
{ SIGNIN_TYPE_NONE
, SIGNIN_TYPE_WITH_REFRESH_TOKEN
};
143 std::string
SigninTypeToString(SigninType type
);
144 friend class FakeSigninManager
;
145 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest
, ClearTransientSigninData
);
146 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest
, ProvideSecondFactorSuccess
);
147 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest
, ProvideSecondFactorFailure
);
149 // If user was signed in, load tokens from DB if available.
150 void InitTokenService();
152 // Called to setup the transient signin data during one of the
153 // StartSigninXXX methods. |type| indicates which of the methods is being
154 // used to perform the signin while |username| and |password| identify the
155 // account to be signed in. Returns false and generates an auth error if the
156 // passed |username| is not allowed by policy.
157 bool PrepareForSignin(SigninType type
,
158 const std::string
& username
,
159 const std::string
& password
);
161 // Persists |username| as the currently signed-in account, and triggers
162 // a sign-in success notification.
163 void OnSignedIn(const std::string
& username
);
165 // Waits for the AccountTrackerService, then sends GoogleSigninSucceeded to
166 // the client and clears the local password.
169 // AccountTrackerService::Observer implementation.
170 void OnAccountUpdated(const AccountTrackerService::AccountInfo
& info
)
172 void OnAccountUpdateFailed(const std::string
& account_id
) override
;
174 // Called when a new request to re-authenticate a user is in progress.
175 // Will clear in memory data but leaves the db as such so when the browser
176 // restarts we can use the old token(which might throw a password error).
177 void ClearTransientSigninData();
179 // Called to handle an error from a GAIA auth fetch. Sets the last error
180 // to |error|, sends out a notification of login failure and clears the
181 // transient signin data.
182 void HandleAuthError(const GoogleServiceAuthError
& error
);
184 void OnSigninAllowedPrefChanged();
185 void OnGoogleServicesUsernamePatternChanged();
187 // ClientLogin identity.
188 std::string possibly_invalid_username_
;
189 std::string password_
; // This is kept empty whenever possible.
191 // Fetcher for the obfuscated user id.
192 scoped_ptr
<SigninAccountIdHelper
> account_id_helper_
;
194 // The type of sign being performed. This value is valid only between a call
195 // to one of the StartSigninXXX methods and when the sign in is either
196 // successful or not.
199 // Temporarily saves the oauth2 refresh token. It will be passed to the
200 // token service so that it does not need to mint new ones.
201 std::string temp_refresh_token_
;
203 // The SigninClient object associated with this object. Must outlive this
205 SigninClient
* client_
;
207 // The ProfileOAuth2TokenService instance associated with this object. Must
208 // outlive this object.
209 ProfileOAuth2TokenService
* token_service_
;
211 // The AccountTrackerService instance associated with this object. Must
212 // outlive this object.
213 AccountTrackerService
* account_tracker_service_
;
215 // Object used to use the token to push a GAIA cookie into the cookie jar.
216 GaiaCookieManagerService
* cookie_manager_service_
;
218 // Helper object to listen for changes to signin preferences stored in non-
219 // profile-specific local prefs (like kGoogleServicesUsernamePattern).
220 PrefChangeRegistrar local_state_pref_registrar_
;
222 // Helper object to listen for changes to the signin allowed preference.
223 BooleanPrefMember signin_allowed_
;
225 // Two gate conditions for when PostSignedIn should be called. Verify
226 // that the SigninManager has reached OnSignedIn() and the AccountTracker
227 // has completed calling GetUserInfo.
228 bool signin_manager_signed_in_
;
229 bool user_info_fetched_by_account_tracker_
;
231 base::WeakPtrFactory
<SigninManager
> weak_pointer_factory_
;
233 DISALLOW_COPY_AND_ASSIGN(SigninManager
);
236 #endif // !defined(OS_CHROMEOS)
238 #endif // COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_