chromeos/login/auth/login_performer.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROMEOS_LOGIN_AUTH_LOGIN_PERFORMER_H_
   6 #define CHROMEOS_LOGIN_AUTH_LOGIN_PERFORMER_H_
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "base/callback.h"
  12 #include "base/memory/scoped_ptr.h"
  13 #include "base/memory/weak_ptr.h"
  14 #include "chromeos/chromeos_export.h"
  15 #include "chromeos/login/auth/auth_status_consumer.h"
  16 #include "chromeos/login/auth/authenticator.h"
  17 #include "chromeos/login/auth/extended_authenticator.h"
  18 #include "chromeos/login/auth/online_attempt_host.h"
  19 #include "chromeos/login/auth/user_context.h"
  20 #include "google_apis/gaia/google_service_auth_error.h"
  21
  22 namespace net {
  23 class URLRequestContextGetter;
  24 }
  25
  26 namespace policy {
  27 class WildcardLoginChecker;
  28 }
  29
  30 namespace content {
  31 class BrowserContext;
  32 }
  33
  34 namespace chromeos {
  35
  36 // This class encapsulates sign in operations.
  37 // Sign in is performed in a way that offline auth is executed first.
  38 // Once offline auth is OK - user homedir is mounted, UI is launched.
  39 // At this point LoginPerformer |delegate_| is destroyed and it releases
  40 // LP instance ownership. LP waits for online login result.
  41 // If auth is succeeded, cookie fetcher is executed, LP instance deletes itself.
  42 //
  43 // If |delegate_| is not NULL it will handle error messages, password input.
  44 class CHROMEOS_EXPORT LoginPerformer : public AuthStatusConsumer,
  45                                        public OnlineAttemptHost::Delegate {
  46  public:
  47   typedef enum AuthorizationMode {
  48     // Authorization performed internally by Chrome.
  49     AUTH_MODE_INTERNAL,
  50     // Authorization performed by an extension.
  51     AUTH_MODE_EXTENSION
  52   } AuthorizationMode;
  53
  54   // Delegate class to get notifications from the LoginPerformer.
  55   class Delegate : public AuthStatusConsumer {
  56    public:
  57     ~Delegate() override {}
  58     virtual void WhiteListCheckFailed(const std::string& email) = 0;
  59     virtual void PolicyLoadFailed() = 0;
  60     virtual void OnOnlineChecked(const std::string& email, bool success) = 0;
  61   };
  62
  63   LoginPerformer(scoped_refptr<base::TaskRunner> task_runner,
  64                  Delegate* delegate,
  65                  bool disable_client_login);
  66   ~LoginPerformer() override;
  67
  68   // Performs a login for |user_context|.
  69   // If auth_mode is AUTH_MODE_EXTENSION, there are no further auth checks,
  70   // AUTH_MODE_INTERNAL will perform auth checks.
  71   void PerformLogin(const UserContext& user_context,
  72                     AuthorizationMode auth_mode);
  73
  74   // Performs supervised user login with a given |user_context|.
  75   void LoginAsSupervisedUser(const UserContext& user_context);
  76
  77   // Performs actions to prepare guest mode login.
  78   void LoginOffTheRecord();
  79
  80   // Performs public session login with a given |user_context|.
  81   void LoginAsPublicSession(const UserContext& user_context);
  82
  83   // Performs a login into the kiosk mode account with |app_user_id|.
  84   void LoginAsKioskAccount(const std::string& app_user_id,
  85                            bool use_guest_mount);
  86
  87   // AuthStatusConsumer implementation:
  88   void OnAuthFailure(const AuthFailure& error) override;
  89   void OnAuthSuccess(const UserContext& user_context) override;
  90   void OnOffTheRecordAuthSuccess() override;
  91   void OnPasswordChangeDetected() override;
  92
  93   // Migrates cryptohome using |old_password| specified.
  94   void RecoverEncryptedData(const std::string& old_password);
  95
  96   // Reinitializes cryptohome with the new password.
  97   void ResyncEncryptedData();
  98
  99   // Returns latest auth error.
 100   const GoogleServiceAuthError& error() const {
 101     return last_login_failure_.error();
 102   }
 103
 104   // True if password change has been detected.
 105   bool password_changed() { return password_changed_; }
 106
 107   // Number of times we've been called with OnPasswordChangeDetected().
 108   // If user enters incorrect old password, same LoginPerformer instance will
 109   // be called so callback count makes it possible to distinguish initial
 110   // "password changed detected" event from further attempts to enter old
 111   // password for cryptohome migration (when > 1).
 112   int password_changed_callback_count() {
 113     return password_changed_callback_count_;
 114   }
 115
 116   void set_delegate(Delegate* delegate) { delegate_ = delegate; }
 117
 118   AuthorizationMode auth_mode() const { return auth_mode_; }
 119
 120  protected:
 121   // Implements OnlineAttemptHost::Delegate.
 122   void OnChecked(const std::string& user_id, bool success) override;
 123
 124   // Platform-dependant methods to be implemented by concrete class.
 125
 126   // Run trusted check for a platform. If trusted check have to be performed
 127   // asynchronously, |false| will be returned, and either delegate's
 128   // PolicyLoadFailed() or |callback| will be called upon actual check.
 129   virtual bool RunTrustedCheck(const base::Closure& callback) = 0;
 130
 131   // Check if user is allowed to sign in on device. |wildcard_match| will
 132   // contain additional information whether this user is explicitly listed or
 133   // not (may be relevant for extension-based sign-in).
 134   virtual bool IsUserWhitelisted(const std::string& user_id,
 135                                  bool* wildcard_match) = 0;
 136
 137   // This method should run addional online check if user can sign in on device.
 138   // Either |success_callback| or |failure_callback| should be called upon this
 139   // check.
 140   virtual void RunOnlineWhitelistCheck(
 141       const std::string& user_id,
 142       bool wildcard_match,
 143       const std::string& refresh_token,
 144       const base::Closure& success_callback,
 145       const base::Closure& failure_callback) = 0;
 146
 147   // Supervised users-related methods.
 148
 149   // Check if supervised users are allowed on this device.
 150   virtual bool AreSupervisedUsersAllowed() = 0;
 151
 152   // Check which authenticator should be used for supervised user.
 153   virtual bool UseExtendedAuthenticatorForSupervisedUser(
 154       const UserContext& user_context) = 0;
 155
 156   // Probably transform supervised user's authentication key.
 157   virtual UserContext TransformSupervisedKey(const UserContext& context) = 0;
 158
 159   // Set up sign-in flow for supervised user.
 160   virtual void SetupSupervisedUserFlow(const std::string& user_id) = 0;
 161
 162   // Set up sign-in flow for Easy Unlock.
 163   virtual void SetupEasyUnlockUserFlow(const std::string& user_id) = 0;
 164
 165   // Run policy check for |user_id|. If something is wrong, delegate's
 166   // PolicyLoadFailed is called.
 167   virtual bool CheckPolicyForUser(const std::string& user_id) = 0;
 168
 169   // Look up browser context to use during signin.
 170   virtual content::BrowserContext* GetSigninContext() = 0;
 171
 172   // Get RequestContext used for sign in.
 173   virtual net::URLRequestContextGetter* GetSigninRequestContext() = 0;
 174
 175   // Create authenticator implementation.
 176   virtual scoped_refptr<Authenticator> CreateAuthenticator() = 0;
 177
 178   void set_authenticator(scoped_refptr<Authenticator> authenticator);
 179
 180   // Notifications receiver.
 181   Delegate* delegate_;
 182
 183  private:
 184   // Starts login completion of externally authenticated user.
 185   void StartLoginCompletion();
 186
 187   // Starts authentication.
 188   void StartAuthentication();
 189   void NotifyWhitelistCheckFailure();
 190
 191   // Makes sure that authenticator is created.
 192   void EnsureAuthenticator();
 193   void EnsureExtendedAuthenticator();
 194
 195   // Actual implementation of LoginAsSupervisedUser that is run after trusted
 196   // values check.
 197   void TrustedLoginAsSupervisedUser(const UserContext& user_context);
 198
 199   // Actual implementantion of PeformLogin that is run after trusted values
 200   // check.
 201   void DoPerformLogin(const UserContext& user_context,
 202                       AuthorizationMode auth_mode);
 203
 204   scoped_refptr<base::TaskRunner> task_runner_;
 205
 206   // Used for logging in.
 207   scoped_refptr<Authenticator> authenticator_;
 208
 209   // Used for logging in.
 210   scoped_refptr<ExtendedAuthenticator> extended_authenticator_;
 211
 212   // Used to make auxiliary online check.
 213   OnlineAttemptHost online_attempt_host_;
 214
 215   // Represents last login failure that was encountered when communicating to
 216   // sign-in server. AuthFailure.LoginFailureNone() by default.
 217   AuthFailure last_login_failure_;
 218
 219   // User credentials for the current login attempt.
 220   UserContext user_context_;
 221
 222   // True if password change has been detected.
 223   // Once correct password is entered homedir migration is executed.
 224   bool password_changed_;
 225   int password_changed_callback_count_;
 226
 227   // Authorization mode type.
 228   AuthorizationMode auth_mode_;
 229
 230   // TODO(antrim): remove once we got rid of /ClientLogin.
 231   bool disable_client_login_;
 232
 233   base::WeakPtrFactory<LoginPerformer> weak_factory_;
 234   DISALLOW_COPY_AND_ASSIGN(LoginPerformer);
 235 };
 236
 237 }  // namespace chromeos
 238
 239 #endif  // CHROMEOS_LOGIN_AUTH_LOGIN_PERFORMER_H_