1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
6 #define CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
10 #include "base/basictypes.h"
11 #include "base/callback.h"
12 #include "base/compiler_specific.h"
13 #include "base/memory/ref_counted.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "chromeos/chromeos_export.h"
16 #include "chromeos/cryptohome/cryptohome_parameters.h"
17 #include "third_party/cros_system_api/dbus/service_constants.h"
// Forward declaration: in the lines visible here AuthStatusConsumer is only
// used through pointers (constructor, SetConsumer(), old_consumer_).
21 class AuthStatusConsumer;
24  // Interaction with cryptohomed: mount home dirs, create new home dirs, update
28  // AuthenticateToMount() calls cryptohomed to perform offline login,
29  // AuthenticateToCreate() calls cryptohomed to create new cryptohome.
    //
    // NOTE(review): the gutter numbers in this listing skip (e.g. 24 -> 28,
    // 31 -> 34, 37 -> 40, 110 -> 113), so some lines of the header are not
    // shown. Access specifiers and the line that opens the AuthState enumerator
    // list are among the lines that do not appear; read the declarations below
    // with that in mind.
    // NOTE(review): no AuthenticateToCreate() is declared in the visible lines;
    // CreateMount() looks like the create path -- confirm against the full file.
    //
    // Instances are reference counted through base::RefCountedThreadSafe, which
    // is also declared a friend further down, presumably so that it can invoke
    // the destructor.
30  class CHROMEOS_EXPORT ExtendedAuthenticator
31      : public base::RefCountedThreadSafe<ExtendedAuthenticator> {
      // Outcome values. Presumably the enumerators of AuthState, the type taken
      // by OnAuthenticationFailure() below -- the enum's opening line is not
      // shown in this listing.
34      SUCCESS,       // Login succeeded.
35      NO_MOUNT,      // No cryptohome exists for the user.
36      FAILED_MOUNT,  // Failed to mount existing cryptohome - login failed.
37      FAILED_TPM,    // Failed to mount/create cryptohome because of a TPM error.

      // Callback invoked with a string result. For AuthenticateToMount() the
      // string is the user ID hash, as described on that method.
40    typedef base::Callback<void(const std::string& result)> ResultCallback;
      // Callback invoked with a UserContext; taken by TransformKeyIfNeeded().
41    typedef base::Callback<void(const UserContext& context)> ContextCallback;

      // Consumer interface that receives the failure notification of a login
      // attempt.
43    class NewAuthStatusConsumer {
45      virtual ~NewAuthStatusConsumer() {}
46      // The current login attempt has ended in failure, with error.
47      virtual void OnAuthenticationFailure(AuthState state) = 0;

      // One constructor per consumer interface; both take a raw pointer.
      // NOTE(review): nothing in this header states who owns |consumer| or that
      // it must outlive this ref-counted object. Confirm the lifetime contract:
      // the operations below report through callbacks, so a consumer destroyed
      // while one is pending would leave consumer_/old_consumer_ dangling.
50    explicit ExtendedAuthenticator(NewAuthStatusConsumer* consumer);
51    explicit ExtendedAuthenticator(AuthStatusConsumer* consumer);

53    // Updates consumer of the class.
      // Only an AuthStatusConsumer can be set this way; no setter taking a
      // NewAuthStatusConsumer is visible in this listing.
54    void SetConsumer(AuthStatusConsumer* consumer);

56    // This call will attempt to mount the home dir for the user, key (and key
57    // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will
58    // be hashed with the system salt before being passed to cryptohomed. This
59    // call assumes that the home dir already exists for the user and will return
60    // an error otherwise. On success, the user ID hash (used as the mount point)
61    // will be passed to |success_callback|.
      // No failure callback is taken; failures are presumably reported to the
      // consumer -- confirm in the implementation.
62    void AuthenticateToMount(const UserContext& context,
63                             const ResultCallback& success_callback);

65    // This call will attempt to authenticate the user with the key (and key
66    // label) in |context|. No further actions are taken after authentication.
67    void AuthenticateToCheck(const UserContext& context,
68                             const base::Closure& success_callback);

70    // This call will create and mount the home dir for |user_id| with the given
71    // |keys| if the home dir is missing. If the home dir exists already, a mount
72    // attempt will be performed using the first key in |keys| for authentication.
73    // Note that all |keys| should have been transformed from plain text already.
74    // This method does not alter them.
      // Security note: unlike AuthenticateToMount(), this entry point documents
      // no hashing step, so the caller is responsible for never passing a
      // plain-text secret in |keys|.
75    void CreateMount(const std::string& user_id,
76                     const std::vector<cryptohome::KeyDefinition>& keys,
77                     const ResultCallback& success_callback);

79    // Attempts to add a new |key| for the user identified/authorized by
80    // |context|. If a key with the same label already exists, the behavior
81    // depends on the |replace_existing| flag. If the flag is set, the old key is
82    // replaced. If the flag is not set, an error occurs. It is not allowed to
83    // replace the key used for authorization.
84    void AddKey(const UserContext& context,
85                const cryptohome::KeyDefinition& key,
86                bool replace_existing,
87                const base::Closure& success_callback);

89    // Attempts to perform an authorized update of the key in |context| with the
90    // new |key|. The update is authorized by providing the |signature| of the
91    // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to
92    // perform this operation. The key labels in |context| and in |key| should be
      // NOTE(review): the sentence above is cut off in this listing (gutter line
      // 93 is not shown); presumably the labels are expected to match -- confirm.
94    void UpdateKeyAuthorized(const UserContext& context,
95                             const cryptohome::KeyDefinition& key,
96                             const std::string& signature,
97                             const base::Closure& success_callback);

99    // Attempts to remove the key labeled |key_to_remove| for the user identified/
100   // authorized by |context|. It is possible to remove the key used for
101   // authorization, although it should be done with extreme care.
102   void RemoveKey(const UserContext& context,
103                  const std::string& key_to_remove,
104                  const base::Closure& success_callback);

106   // Hashes the key in |user_context| with the system salt if its type is
107   // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the
      // |callback| (the end of this sentence is not shown in the listing and is
      // inferred from the parameter name).
109   void TransformKeyIfNeeded(const UserContext& user_context,
110                             const ContextCallback& callback);

      // Grants the ref-counting base access to this class, presumably so that it
      // can run the destructor declared next.
113   friend class base::RefCountedThreadSafe<ExtendedAuthenticator>;

115   ~ExtendedAuthenticator();

117   // Callback for system salt getter.
118   void OnSaltObtained(const std::string& system_salt);

120   // Performs actual operation with fully configured |context|.
      // Each Do*() mirrors the method of the same name above, with |context|
      // moved to the last position -- presumably so the remaining arguments can
      // be bound up front and the result used as a ContextCallback; confirm.
121   void DoAuthenticateToMount(const ResultCallback& success_callback,
122                              const UserContext& context);
123   void DoAuthenticateToCheck(const base::Closure& success_callback,
124                              const UserContext& context);
125   void DoAddKey(const cryptohome::KeyDefinition& key,
126                 bool replace_existing,
127                 const base::Closure& success_callback,
128                 const UserContext& context);
129   void DoUpdateKeyAuthorized(const cryptohome::KeyDefinition& key,
130                              const std::string& signature,
131                              const base::Closure& success_callback,
132                              const UserContext& context);
133   void DoRemoveKey(const std::string& key_to_remove,
134                    const base::Closure& success_callback,
135                    const UserContext& context);

137   // Inner operation callbacks.
      // NOTE(review): the gutter jumps 140 -> 142 and 146 -> 148 inside these two
      // parameter lists, so each signature may be missing a parameter line in
      // this listing; do not copy them from here.
138   void OnMountComplete(const std::string& time_marker,
139                        const UserContext& context,
140                        const ResultCallback& success_callback,
142                        cryptohome::MountError return_code,
143                        const std::string& mount_hash);
144   void OnOperationComplete(const std::string& time_marker,
145                            const UserContext& context,
146                            const base::Closure& success_callback,
148                            cryptohome::MountError return_code);

      // System salt; presumably cached by OnSaltObtained() -- confirm.
151   std::string system_salt_;
      // Closures associated with the system salt; presumably work queued until
      // the salt has been obtained -- confirm in the implementation.
152   std::vector<base::Closure> system_salt_callbacks_;

      // Raw consumer pointers, one per constructor flavour. Ownership is not
      // expressed in this header (see the note on the constructors).
154   NewAuthStatusConsumer* consumer_;
155   AuthStatusConsumer* old_consumer_;

      // Copying and assignment are disabled for this class.
157   DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator);
160 } // namespace chromeos
162 #endif // CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_