1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/login/existing_user_controller.h"
10 #include "base/bind_helpers.h"
11 #include "base/callback.h"
12 #include "base/command_line.h"
13 #include "base/logging.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "base/message_loop/message_loop.h"
16 #include "base/metrics/histogram.h"
17 #include "base/prefs/pref_service.h"
18 #include "base/strings/string_util.h"
19 #include "base/strings/utf_string_conversions.h"
20 #include "base/values.h"
21 #include "base/version.h"
22 #include "chrome/browser/browser_process.h"
23 #include "chrome/browser/browser_process_platform_part.h"
24 #include "chrome/browser/chrome_notification_types.h"
25 #include "chrome/browser/chromeos/boot_times_recorder.h"
26 #include "chrome/browser/chromeos/customization/customization_document.h"
27 #include "chrome/browser/chromeos/login/auth/chrome_login_performer.h"
28 #include "chrome/browser/chromeos/login/easy_unlock/bootstrap_user_context_initializer.h"
29 #include "chrome/browser/chromeos/login/easy_unlock/bootstrap_user_flow.h"
30 #include "chrome/browser/chromeos/login/helper.h"
31 #include "chrome/browser/chromeos/login/session/user_session_manager.h"
32 #include "chrome/browser/chromeos/login/signin/oauth2_token_initializer.h"
33 #include "chrome/browser/chromeos/login/signin_specifics.h"
34 #include "chrome/browser/chromeos/login/startup_utils.h"
35 #include "chrome/browser/chromeos/login/ui/login_display_host.h"
36 #include "chrome/browser/chromeos/login/ui/user_adding_screen.h"
37 #include "chrome/browser/chromeos/login/user_flow.h"
38 #include "chrome/browser/chromeos/login/users/chrome_user_manager.h"
39 #include "chrome/browser/chromeos/login/wizard_controller.h"
40 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
41 #include "chrome/browser/chromeos/policy/device_local_account.h"
42 #include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
43 #include "chrome/browser/chromeos/profiles/profile_helper.h"
44 #include "chrome/browser/chromeos/settings/cros_settings.h"
45 #include "chrome/browser/chromeos/system/device_disabling_manager.h"
46 #include "chrome/browser/signin/easy_unlock_service.h"
47 #include "chrome/browser/ui/aura/accessibility/automation_manager_aura.h"
48 #include "chrome/browser/ui/webui/chromeos/login/l10n_util.h"
49 #include "chrome/common/chrome_switches.h"
50 #include "chrome/common/url_constants.h"
51 #include "chrome/grit/generated_resources.h"
52 #include "chromeos/chromeos_switches.h"
53 #include "chromeos/dbus/dbus_thread_manager.h"
54 #include "chromeos/dbus/power_manager_client.h"
55 #include "chromeos/dbus/session_manager_client.h"
56 #include "chromeos/login/user_names.h"
57 #include "chromeos/settings/cros_settings_names.h"
58 #include "components/google/core/browser/google_util.h"
59 #include "components/policy/core/common/cloud/cloud_policy_core.h"
60 #include "components/policy/core/common/cloud/cloud_policy_store.h"
61 #include "components/policy/core/common/policy_map.h"
62 #include "components/policy/core/common/policy_service.h"
63 #include "components/policy/core/common/policy_types.h"
64 #include "components/signin/core/browser/signin_client.h"
65 #include "components/user_manager/user_manager.h"
66 #include "components/user_manager/user_type.h"
67 #include "content/public/browser/browser_thread.h"
68 #include "content/public/browser/notification_service.h"
69 #include "content/public/browser/notification_types.h"
70 #include "content/public/browser/user_metrics.h"
71 #include "google_apis/gaia/gaia_auth_util.h"
72 #include "google_apis/gaia/google_service_auth_error.h"
73 #include "net/http/http_auth_cache.h"
74 #include "net/http/http_network_session.h"
75 #include "net/http/http_transaction_factory.h"
76 #include "net/url_request/url_request_context.h"
77 #include "net/url_request/url_request_context_getter.h"
78 #include "policy/policy_constants.h"
79 #include "ui/accessibility/ax_enums.h"
80 #include "ui/base/l10n/l10n_util.h"
81 #include "ui/views/widget/widget.h"
87 // URL for account creation.
88 const char kCreateAccountURL
[] =
89 "https://accounts.google.com/NewAccount?service=mail";
91 // Delay for transferring the auth cache to the system profile.
92 const long int kAuthCacheTransferDelayMs
= 2000;
94 // Delay for restarting the ui if safe-mode login has failed.
95 const long int kSafeModeRestartUiDelayMs
= 30000;
97 // Makes a call to the policy subsystem to reload the policy when we detect
98 // authentication change.
99 void RefreshPoliciesOnUIThread() {
100 if (g_browser_process
->policy_service())
101 g_browser_process
->policy_service()->RefreshPolicies(base::Closure());
104 // Copies any authentication details that were entered in the login profile in
105 // the mail profile to make sure all subsystems of Chrome can access the network
106 // with the provided authentication which are possibly for a proxy server.
107 void TransferContextAuthenticationsOnIOThread(
108 net::URLRequestContextGetter
* default_profile_context_getter
,
109 net::URLRequestContextGetter
* browser_process_context_getter
) {
110 net::HttpAuthCache
* new_cache
=
111 browser_process_context_getter
->GetURLRequestContext()->
112 http_transaction_factory()->GetSession()->http_auth_cache();
113 net::HttpAuthCache
* old_cache
=
114 default_profile_context_getter
->GetURLRequestContext()->
115 http_transaction_factory()->GetSession()->http_auth_cache();
116 new_cache
->UpdateAllFrom(*old_cache
);
117 VLOG(1) << "Main request context populated with authentication data.";
118 // Last but not least tell the policy subsystem to refresh now as it might
119 // have been stuck until now too.
120 content::BrowserThread::PostTask(content::BrowserThread::UI
, FROM_HERE
,
121 base::Bind(&RefreshPoliciesOnUIThread
));
124 // Record UMA for password login of regular user when Easy sign-in is enabled.
125 void RecordPasswordLoginEvent(const UserContext
& user_context
) {
126 EasyUnlockService
* easy_unlock_service
=
127 EasyUnlockService::Get(ProfileHelper::GetSigninProfile());
128 if (user_context
.GetUserType() == user_manager::USER_TYPE_REGULAR
&&
129 user_context
.GetAuthFlow() == UserContext::AUTH_FLOW_OFFLINE
&&
130 easy_unlock_service
) {
131 easy_unlock_service
->RecordPasswordLoginEvent(user_context
.GetUserID());
135 bool CanShowDebuggingFeatures() {
136 // We need to be on the login screen and in dev mode to show this menu item.
137 return base::CommandLine::ForCurrentProcess()->HasSwitch(
138 chromeos::switches::kSystemDevMode
) &&
139 base::CommandLine::ForCurrentProcess()->HasSwitch(
140 chromeos::switches::kLoginManager
) &&
141 !user_manager::UserManager::Get()->IsSessionStarted();
147 ExistingUserController
* ExistingUserController::current_controller_
= NULL
;
149 ////////////////////////////////////////////////////////////////////////////////
150 // ExistingUserController, public:
152 ExistingUserController::ExistingUserController(LoginDisplayHost
* host
)
153 : auth_status_consumer_(NULL
),
155 login_display_(host_
->CreateLoginDisplay(this)),
156 num_login_attempts_(0),
157 cros_settings_(CrosSettings::Get()),
158 is_login_in_progress_(false),
159 password_changed_(false),
160 auth_mode_(LoginPerformer::AUTH_MODE_EXTENSION
),
161 signin_screen_ready_(false),
162 network_state_helper_(new login::NetworkStateHelper
),
163 weak_factory_(this) {
164 DCHECK(current_controller_
== NULL
);
165 current_controller_
= this;
168 chrome::NOTIFICATION_USER_LIST_CHANGED
,
169 content::NotificationService::AllSources());
171 chrome::NOTIFICATION_AUTH_SUPPLIED
,
172 content::NotificationService::AllSources());
174 chrome::NOTIFICATION_SESSION_STARTED
,
175 content::NotificationService::AllSources());
176 show_user_names_subscription_
= cros_settings_
->AddSettingsObserver(
177 kAccountsPrefShowUserNamesOnSignIn
,
178 base::Bind(&ExistingUserController::DeviceSettingsChanged
,
179 base::Unretained(this)));
180 allow_new_user_subscription_
= cros_settings_
->AddSettingsObserver(
181 kAccountsPrefAllowNewUser
,
182 base::Bind(&ExistingUserController::DeviceSettingsChanged
,
183 base::Unretained(this)));
184 allow_guest_subscription_
= cros_settings_
->AddSettingsObserver(
185 kAccountsPrefAllowGuest
,
186 base::Bind(&ExistingUserController::DeviceSettingsChanged
,
187 base::Unretained(this)));
188 allow_supervised_user_subscription_
= cros_settings_
->AddSettingsObserver(
189 kAccountsPrefSupervisedUsersEnabled
,
190 base::Bind(&ExistingUserController::DeviceSettingsChanged
,
191 base::Unretained(this)));
192 users_subscription_
= cros_settings_
->AddSettingsObserver(
194 base::Bind(&ExistingUserController::DeviceSettingsChanged
,
195 base::Unretained(this)));
196 local_account_auto_login_id_subscription_
=
197 cros_settings_
->AddSettingsObserver(
198 kAccountsPrefDeviceLocalAccountAutoLoginId
,
199 base::Bind(&ExistingUserController::ConfigurePublicSessionAutoLogin
,
200 base::Unretained(this)));
201 local_account_auto_login_delay_subscription_
=
202 cros_settings_
->AddSettingsObserver(
203 kAccountsPrefDeviceLocalAccountAutoLoginDelay
,
204 base::Bind(&ExistingUserController::ConfigurePublicSessionAutoLogin
,
205 base::Unretained(this)));
208 void ExistingUserController::Init(const user_manager::UserList
& users
) {
209 time_init_
= base::Time::Now();
210 UpdateLoginDisplay(users
);
211 ConfigurePublicSessionAutoLogin();
214 void ExistingUserController::UpdateLoginDisplay(
215 const user_manager::UserList
& users
) {
216 bool show_users_on_signin
;
217 user_manager::UserList filtered_users
;
219 cros_settings_
->GetBoolean(kAccountsPrefShowUserNamesOnSignIn
,
220 &show_users_on_signin
);
221 for (user_manager::UserList::const_iterator it
= users
.begin();
224 // TODO(xiyuan): Clean user profile whose email is not in whitelist.
225 bool meets_supervised_requirements
=
226 (*it
)->GetType() != user_manager::USER_TYPE_SUPERVISED
||
227 user_manager::UserManager::Get()->AreSupervisedUsersAllowed();
228 bool meets_whitelist_requirements
=
229 CrosSettings::IsWhitelisted((*it
)->email(), NULL
) ||
230 !(*it
)->HasGaiaAccount();
232 // Public session accounts are always shown on login screen.
233 bool meets_show_users_requirements
=
234 show_users_on_signin
||
235 (*it
)->GetType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT
;
236 if (meets_supervised_requirements
&&
237 meets_whitelist_requirements
&&
238 meets_show_users_requirements
) {
239 filtered_users
.push_back(*it
);
243 // If no user pods are visible, fallback to single new user pod which will
244 // have guest session link.
246 cros_settings_
->GetBoolean(kAccountsPrefAllowGuest
, &show_guest
);
247 show_users_on_signin
|= !filtered_users
.empty();
248 show_guest
&= !filtered_users
.empty();
249 bool show_new_user
= true;
250 login_display_
->set_parent_window(GetNativeWindow());
251 login_display_
->Init(
252 filtered_users
, show_guest
, show_users_on_signin
, show_new_user
);
253 host_
->OnPreferencesChanged();
256 ////////////////////////////////////////////////////////////////////////////////
257 // ExistingUserController, content::NotificationObserver implementation:
260 void ExistingUserController::Observe(
262 const content::NotificationSource
& source
,
263 const content::NotificationDetails
& details
) {
264 if (type
== chrome::NOTIFICATION_SESSION_STARTED
) {
265 // Stop listening to any notification once session has started.
266 // Sign in screen objects are marked for deletion with DeleteSoon so
267 // make sure no object would be used after session has started.
268 // http://crbug.com/125276
269 registrar_
.RemoveAll();
272 if (type
== chrome::NOTIFICATION_USER_LIST_CHANGED
) {
273 DeviceSettingsChanged();
276 if (type
== chrome::NOTIFICATION_AUTH_SUPPLIED
) {
277 // Possibly the user has authenticated against a proxy server and we might
278 // need the credentials for enrollment and other system requests from the
279 // main |g_browser_process| request context (see bug
280 // http://crosbug.com/24861). So we transfer any credentials to the global
281 // request context here.
282 // The issue we have here is that the NOTIFICATION_AUTH_SUPPLIED is sent
283 // just after the UI is closed but before the new credentials were stored
284 // in the profile. Therefore we have to give it some time to make sure it
285 // has been updated before we copy it.
286 VLOG(1) << "Authentication was entered manually, possibly for proxyauth.";
287 scoped_refptr
<net::URLRequestContextGetter
> browser_process_context_getter
=
288 g_browser_process
->system_request_context();
289 Profile
* signin_profile
= ProfileHelper::GetSigninProfile();
290 scoped_refptr
<net::URLRequestContextGetter
> signin_profile_context_getter
=
291 signin_profile
->GetRequestContext();
292 DCHECK(browser_process_context_getter
.get());
293 DCHECK(signin_profile_context_getter
.get());
294 content::BrowserThread::PostDelayedTask(
295 content::BrowserThread::IO
, FROM_HERE
,
296 base::Bind(&TransferContextAuthenticationsOnIOThread
,
297 signin_profile_context_getter
,
298 browser_process_context_getter
),
299 base::TimeDelta::FromMilliseconds(kAuthCacheTransferDelayMs
));
303 ////////////////////////////////////////////////////////////////////////////////
304 // ExistingUserController, private:
306 ExistingUserController::~ExistingUserController() {
307 UserSessionManager::GetInstance()->DelegateDeleted(this);
309 if (current_controller_
== this) {
310 current_controller_
= NULL
;
312 NOTREACHED() << "More than one controller are alive.";
314 DCHECK(login_display_
.get());
317 ////////////////////////////////////////////////////////////////////////////////
318 // ExistingUserController, LoginDisplay::Delegate implementation:
321 void ExistingUserController::CancelPasswordChangedFlow() {
322 login_performer_
.reset(NULL
);
323 PerformLoginFinishedActions(true /* start public session timer */);
326 void ExistingUserController::CreateAccount() {
327 content::RecordAction(base::UserMetricsAction("Login.CreateAccount"));
328 guest_mode_url_
= google_util::AppendGoogleLocaleParam(
329 GURL(kCreateAccountURL
), g_browser_process
->GetApplicationLocale());
330 Login(UserContext(user_manager::USER_TYPE_GUEST
, std::string()),
334 void ExistingUserController::CompleteLogin(const UserContext
& user_context
) {
335 login_display_
->set_signin_completed(true);
337 // Complete login event was generated already from UI. Ignore notification.
341 ContinueLoginIfDeviceNotDisabled(base::Bind(
342 &ExistingUserController::DoCompleteLogin
,
343 weak_factory_
.GetWeakPtr(),
347 base::string16
ExistingUserController::GetConnectedNetworkName() {
348 return network_state_helper_
->GetCurrentNetworkName();
351 bool ExistingUserController::IsSigninInProgress() const {
352 return is_login_in_progress_
;
355 void ExistingUserController::Login(const UserContext
& user_context
,
356 const SigninSpecifics
& specifics
) {
357 ContinueLoginIfDeviceNotDisabled(base::Bind(
358 &ExistingUserController::DoLogin
,
359 weak_factory_
.GetWeakPtr(),
364 void ExistingUserController::PerformLogin(
365 const UserContext
& user_context
,
366 LoginPerformer::AuthorizationMode auth_mode
) {
367 VLOG(1) << "Setting flow from PerformLogin";
368 ChromeUserManager::Get()
369 ->GetUserFlow(user_context
.GetUserID())
372 BootTimesRecorder::Get()->RecordLoginAttempted();
374 // Use the same LoginPerformer for subsequent login as it has state
375 // such as Authenticator instance.
376 if (!login_performer_
.get() || num_login_attempts_
<= 1) {
377 // Only one instance of LoginPerformer should exist at a time.
378 login_performer_
.reset(NULL
);
379 login_performer_
.reset(new ChromeLoginPerformer(this));
382 if (gaia::ExtractDomainName(user_context
.GetUserID()) ==
383 chromeos::login::kSupervisedUserDomain
) {
384 login_performer_
->LoginAsSupervisedUser(user_context
);
386 login_performer_
->PerformLogin(user_context
, auth_mode
);
387 RecordPasswordLoginEvent(user_context
);
389 SendAccessibilityAlert(
390 l10n_util::GetStringUTF8(IDS_CHROMEOS_ACC_LOGIN_SIGNING_IN
));
393 void ExistingUserController::MigrateUserData(const std::string
& old_password
) {
394 // LoginPerformer instance has state of the user so it should exist.
395 if (login_performer_
.get())
396 login_performer_
->RecoverEncryptedData(old_password
);
400 void ExistingUserController::OnSigninScreenReady() {
401 signin_screen_ready_
= true;
402 StartPublicSessionAutoLoginTimer();
405 void ExistingUserController::OnStartEnterpriseEnrollment() {
406 if (KioskAppManager::Get()->IsConsumerKioskDeviceWithAutoLaunch()) {
407 LOG(WARNING
) << "Enterprise enrollment is not available after kiosk auto "
412 DeviceSettingsService::Get()->GetOwnershipStatusAsync(
413 base::Bind(&ExistingUserController::OnEnrollmentOwnershipCheckCompleted
,
414 weak_factory_
.GetWeakPtr()));
417 void ExistingUserController::OnStartEnableDebuggingScreen() {
418 if (CanShowDebuggingFeatures())
419 ShowEnableDebuggingScreen();
422 void ExistingUserController::OnStartKioskEnableScreen() {
423 KioskAppManager::Get()->GetConsumerKioskAutoLaunchStatus(
425 &ExistingUserController::OnConsumerKioskAutoLaunchCheckCompleted
,
426 weak_factory_
.GetWeakPtr()));
429 void ExistingUserController::OnStartKioskAutolaunchScreen() {
430 ShowKioskAutolaunchScreen();
433 void ExistingUserController::ResyncUserData() {
434 // LoginPerformer instance has state of the user so it should exist.
435 if (login_performer_
.get())
436 login_performer_
->ResyncEncryptedData();
439 void ExistingUserController::SetDisplayEmail(const std::string
& email
) {
440 display_email_
= email
;
443 void ExistingUserController::ShowWrongHWIDScreen() {
444 host_
->StartWizard(WizardController::kWrongHWIDScreenName
);
447 void ExistingUserController::Signout() {
451 bool ExistingUserController::IsUserWhitelisted(const std::string
& user_id
) {
452 bool wildcard_match
= false;
453 if (login_performer_
.get())
454 return login_performer_
->IsUserWhitelisted(user_id
, &wildcard_match
);
456 return chromeos::CrosSettings::IsWhitelisted(user_id
, &wildcard_match
);
459 void ExistingUserController::OnConsumerKioskAutoLaunchCheckCompleted(
460 KioskAppManager::ConsumerKioskAutoLaunchStatus status
) {
461 if (status
== KioskAppManager::CONSUMER_KIOSK_AUTO_LAUNCH_CONFIGURABLE
)
462 ShowKioskEnableScreen();
465 void ExistingUserController::OnEnrollmentOwnershipCheckCompleted(
466 DeviceSettingsService::OwnershipStatus status
) {
467 if (status
== DeviceSettingsService::OWNERSHIP_NONE
) {
468 ShowEnrollmentScreen();
469 } else if (status
== DeviceSettingsService::OWNERSHIP_TAKEN
) {
470 // On a device that is already owned we might want to allow users to
471 // re-enroll if the policy information is invalid.
472 CrosSettingsProvider::TrustedStatus trusted_status
=
473 CrosSettings::Get()->PrepareTrustedValues(
475 &ExistingUserController::OnEnrollmentOwnershipCheckCompleted
,
476 weak_factory_
.GetWeakPtr(), status
));
477 if (trusted_status
== CrosSettingsProvider::PERMANENTLY_UNTRUSTED
) {
478 ShowEnrollmentScreen();
481 // OwnershipService::GetStatusAsync is supposed to return either
482 // OWNERSHIP_NONE or OWNERSHIP_TAKEN.
487 void ExistingUserController::ShowEnrollmentScreen() {
488 host_
->StartWizard(WizardController::kEnrollmentScreenName
);
491 void ExistingUserController::ShowResetScreen() {
492 host_
->StartWizard(WizardController::kResetScreenName
);
495 void ExistingUserController::ShowEnableDebuggingScreen() {
496 host_
->StartWizard(WizardController::kEnableDebuggingScreenName
);
499 void ExistingUserController::ShowKioskEnableScreen() {
500 host_
->StartWizard(WizardController::kKioskEnableScreenName
);
503 void ExistingUserController::ShowKioskAutolaunchScreen() {
504 host_
->StartWizard(WizardController::kKioskAutolaunchScreenName
);
507 void ExistingUserController::ShowTPMError() {
508 login_display_
->SetUIEnabled(false);
509 login_display_
->ShowErrorScreen(LoginDisplay::TPM_ERROR
);
512 ////////////////////////////////////////////////////////////////////////////////
513 // ExistingUserController, LoginPerformer::Delegate implementation:
516 void ExistingUserController::OnAuthFailure(const AuthFailure
& failure
) {
517 guest_mode_url_
= GURL::EmptyGURL();
518 std::string error
= failure
.GetErrorString();
520 PerformLoginFinishedActions(false /* don't start public session timer */);
522 if (ChromeUserManager::Get()
523 ->GetUserFlow(last_login_attempt_username_
)
524 ->HandleLoginFailure(failure
)) {
528 if (failure
.reason() == AuthFailure::OWNER_REQUIRED
) {
529 ShowError(IDS_LOGIN_ERROR_OWNER_REQUIRED
, error
);
530 content::BrowserThread::PostDelayedTask(
531 content::BrowserThread::UI
, FROM_HERE
,
532 base::Bind(&SessionManagerClient::StopSession
,
533 base::Unretained(DBusThreadManager::Get()->
534 GetSessionManagerClient())),
535 base::TimeDelta::FromMilliseconds(kSafeModeRestartUiDelayMs
));
536 } else if (failure
.reason() == AuthFailure::TPM_ERROR
) {
538 } else if (last_login_attempt_username_
== chromeos::login::kGuestUserName
) {
539 // Show no errors, just re-enable input.
540 login_display_
->ClearAndEnablePassword();
541 StartPublicSessionAutoLoginTimer();
543 // Check networking after trying to login in case user is
544 // cached locally or the local admin account.
545 bool is_known_user
= user_manager::UserManager::Get()->IsKnownUser(
546 last_login_attempt_username_
);
547 if (!network_state_helper_
->IsConnected()) {
549 ShowError(IDS_LOGIN_ERROR_AUTHENTICATING
, error
);
551 ShowError(IDS_LOGIN_ERROR_OFFLINE_FAILED_NETWORK_NOT_CONNECTED
, error
);
553 // TODO(nkostylev): Cleanup rest of ClientLogin related code.
554 if (failure
.reason() == AuthFailure::NETWORK_AUTH_FAILED
&&
555 failure
.error().state() ==
556 GoogleServiceAuthError::HOSTED_NOT_ALLOWED
) {
557 ShowError(IDS_LOGIN_ERROR_AUTHENTICATING_HOSTED
, error
);
560 ShowError(IDS_LOGIN_ERROR_AUTHENTICATING_NEW
, error
);
562 ShowError(IDS_LOGIN_ERROR_AUTHENTICATING
, error
);
565 login_display_
->ClearAndEnablePassword();
566 StartPublicSessionAutoLoginTimer();
569 // Reset user flow to default, so that special flow will not affect next
571 ChromeUserManager::Get()->ResetUserFlow(last_login_attempt_username_
);
573 if (auth_status_consumer_
)
574 auth_status_consumer_
->OnAuthFailure(failure
);
576 // Clear the recorded displayed email so it won't affect any future attempts.
577 display_email_
.clear();
579 // TODO(ginkage): Fix this case once crbug.com/469990 is ready.
581 if (failure.reason() == AuthFailure::COULD_NOT_MOUNT_CRYPTOHOME) {
582 RecordReauthReason(last_login_attempt_username_,
583 ReauthReason::MISSING_CRYPTOHOME);
588 void ExistingUserController::OnAuthSuccess(const UserContext
& user_context
) {
589 is_login_in_progress_
= false;
590 login_display_
->set_signin_completed(true);
592 // Login performer will be gone so cache this value to use
593 // once profile is loaded.
594 password_changed_
= login_performer_
->password_changed();
595 auth_mode_
= login_performer_
->auth_mode();
597 ChromeUserManager::Get()
598 ->GetUserFlow(user_context
.GetUserID())
599 ->HandleLoginSuccess(user_context
);
601 StopPublicSessionAutoLoginTimer();
603 // Truth table of |has_auth_cookies|:
606 // /ChromeOsEmbeddedSetup F T
607 // Bootstrap experiment F N/A
608 const bool has_auth_cookies
=
609 login_performer_
->auth_mode() == LoginPerformer::AUTH_MODE_EXTENSION
&&
610 (user_context
.GetAccessToken().empty() ||
611 user_context
.GetAuthFlow() == UserContext::AUTH_FLOW_GAIA_WITH_SAML
) &&
612 user_context
.GetAuthFlow() != UserContext::AUTH_FLOW_EASY_BOOTSTRAP
;
614 // LoginPerformer instance will delete itself in case of successful auth.
615 login_performer_
->set_delegate(NULL
);
616 ignore_result(login_performer_
.release());
618 UserSessionManager::StartSessionType start_session_type
=
619 UserAddingScreen::Get()->IsRunning()
620 ? UserSessionManager::SECONDARY_USER_SESSION
621 : UserSessionManager::PRIMARY_USER_SESSION
;
622 UserSessionManager::GetInstance()->StartSession(
623 user_context
, start_session_type
, has_auth_cookies
,
624 false, // Start session for user.
627 // Update user's displayed email.
628 if (!display_email_
.empty()) {
629 user_manager::UserManager::Get()->SaveUserDisplayEmail(
630 user_context
.GetUserID(), display_email_
);
631 display_email_
.clear();
635 void ExistingUserController::OnProfilePrepared(Profile
* profile
,
636 bool browser_launched
) {
637 // Reenable clicking on other windows and status area.
638 login_display_
->SetUIEnabled(true);
640 if (browser_launched
)
643 // Inform |auth_status_consumer_| about successful login.
644 // TODO(nkostylev): Pass UserContext back crbug.com/424550
645 if (auth_status_consumer_
) {
646 auth_status_consumer_
->
647 OnAuthSuccess(UserContext(last_login_attempt_username_
));
651 void ExistingUserController::OnOffTheRecordAuthSuccess() {
652 is_login_in_progress_
= false;
654 // Mark the device as registered., i.e. the second part of OOBE as completed.
655 if (!StartupUtils::IsDeviceRegistered())
656 StartupUtils::MarkDeviceRegistered(base::Closure());
658 UserSessionManager::GetInstance()->CompleteGuestSessionLogin(guest_mode_url_
);
660 if (auth_status_consumer_
)
661 auth_status_consumer_
->OnOffTheRecordAuthSuccess();
664 void ExistingUserController::OnPasswordChangeDetected() {
665 is_login_in_progress_
= false;
667 // Must not proceed without signature verification.
668 if (CrosSettingsProvider::TRUSTED
!= cros_settings_
->PrepareTrustedValues(
669 base::Bind(&ExistingUserController::OnPasswordChangeDetected
,
670 weak_factory_
.GetWeakPtr()))) {
671 // Value of owner email is still not verified.
672 // Another attempt will be invoked after verification completion.
676 if (ChromeUserManager::Get()
677 ->GetUserFlow(last_login_attempt_username_
)
678 ->HandlePasswordChangeDetected()) {
682 // True if user has already made an attempt to enter old password and failed.
683 bool show_invalid_old_password_error
=
684 login_performer_
->password_changed_callback_count() > 1;
686 // Note: We allow owner using "full sync" mode which will recreate
687 // cryptohome and deal with owner private key being lost. This also allows
688 // us to recover from a lost owner password/homedir.
689 // TODO(gspencer): We shouldn't have to erase stateful data when
690 // doing this. See http://crosbug.com/9115 http://crosbug.com/7792
691 login_display_
->ShowPasswordChangedDialog(show_invalid_old_password_error
,
694 if (auth_status_consumer_
)
695 auth_status_consumer_
->OnPasswordChangeDetected();
697 display_email_
.clear();
700 void ExistingUserController::WhiteListCheckFailed(const std::string
& email
) {
701 PerformLoginFinishedActions(true /* start public session timer */);
703 login_display_
->ShowWhitelistCheckFailedError();
705 if (auth_status_consumer_
) {
706 auth_status_consumer_
->OnAuthFailure(
707 AuthFailure(AuthFailure::WHITELIST_CHECK_FAILED
));
710 display_email_
.clear();
713 void ExistingUserController::PolicyLoadFailed() {
714 ShowError(IDS_LOGIN_ERROR_OWNER_KEY_LOST
, "");
716 PerformLoginFinishedActions(false /* don't start public session timer */);
717 display_email_
.clear();
720 ////////////////////////////////////////////////////////////////////////////////
721 // ExistingUserController, private:
723 void ExistingUserController::DeviceSettingsChanged() {
724 // If login was already completed, we should avoid any signin screen
725 // transitions, see http://crbug.com/461604 for example.
726 if (host_
!= NULL
&& !login_display_
->is_signin_completed()) {
727 // Signed settings or user list changed. Notify views and update them.
728 UpdateLoginDisplay(user_manager::UserManager::Get()->GetUsers());
729 ConfigurePublicSessionAutoLogin();
733 LoginPerformer::AuthorizationMode
ExistingUserController::auth_mode() const {
734 if (login_performer_
)
735 return login_performer_
->auth_mode();
740 bool ExistingUserController::password_changed() const {
741 if (login_performer_
)
742 return login_performer_
->password_changed();
744 return password_changed_
;
747 void ExistingUserController::LoginAsGuest() {
748 PerformPreLoginActions(UserContext(user_manager::USER_TYPE_GUEST
,
749 chromeos::login::kGuestUserName
));
752 cros_settings_
->GetBoolean(kAccountsPrefAllowGuest
, &allow_guest
);
754 // Disallowed. The UI should normally not show the guest session button.
755 LOG(ERROR
) << "Guest login attempt when guest mode is disallowed.";
756 PerformLoginFinishedActions(true /* start public session timer */);
757 display_email_
.clear();
761 // Only one instance of LoginPerformer should exist at a time.
762 login_performer_
.reset(NULL
);
763 login_performer_
.reset(new ChromeLoginPerformer(this));
764 login_performer_
->LoginOffTheRecord();
765 SendAccessibilityAlert(
766 l10n_util::GetStringUTF8(IDS_CHROMEOS_ACC_LOGIN_SIGNIN_OFFRECORD
));
769 void ExistingUserController::LoginAsPublicSession(
770 const UserContext
& user_context
) {
771 PerformPreLoginActions(user_context
);
773 // If there is no public account with the given user ID, logging in is not
775 const user_manager::User
* user
=
776 user_manager::UserManager::Get()->FindUser(user_context
.GetUserID());
777 if (!user
|| user
->GetType() != user_manager::USER_TYPE_PUBLIC_ACCOUNT
) {
778 PerformLoginFinishedActions(true /* start public session timer */);
782 UserContext new_user_context
= user_context
;
783 std::string locale
= user_context
.GetPublicSessionLocale();
784 if (locale
.empty()) {
785 // When performing auto-login, no locale is chosen by the user. Check
786 // whether a list of recommended locales was set by policy. If so, use its
787 // first entry. Otherwise, |locale| will remain blank, indicating that the
788 // public session should use the current UI locale.
789 const policy::PolicyMap::Entry
* entry
= g_browser_process
->platform_part()->
790 browser_policy_connector_chromeos()->
791 GetDeviceLocalAccountPolicyService()->
792 GetBrokerForUser(user_context
.GetUserID())->core()->store()->
793 policy_map().Get(policy::key::kSessionLocales
);
794 base::ListValue
const* list
= NULL
;
796 entry
->level
== policy::POLICY_LEVEL_RECOMMENDED
&&
798 entry
->value
->GetAsList(&list
)) {
799 if (list
->GetString(0, &locale
))
800 new_user_context
.SetPublicSessionLocale(locale
);
804 if (!locale
.empty() &&
805 new_user_context
.GetPublicSessionInputMethod().empty()) {
806 // When |locale| is set, a suitable keyboard layout should be chosen. In
807 // most cases, this will already be the case because the UI shows a list of
808 // keyboard layouts suitable for the |locale| and ensures that one of them
809 // us selected. However, it is still possible that |locale| is set but no
810 // keyboard layout was chosen:
811 // * The list of keyboard layouts is updated asynchronously. If the user
812 // enters the public session before the list of keyboard layouts for the
813 // |locale| has been retrieved, the UI will indicate that no keyboard
814 // layout was chosen.
815 // * During auto-login, the |locale| is set in this method and a suitable
816 // keyboard layout must be chosen next.
818 // The list of suitable keyboard layouts is constructed asynchronously. Once
819 // it has been retrieved, |SetPublicSessionKeyboardLayoutAndLogin| will
820 // select the first layout from the list and continue login.
821 GetKeyboardLayoutsForLocale(
823 &ExistingUserController::SetPublicSessionKeyboardLayoutAndLogin
,
824 weak_factory_
.GetWeakPtr(),
830 // The user chose a locale and a suitable keyboard layout or left both unset.
831 // Login can continue immediately.
832 LoginAsPublicSessionInternal(new_user_context
);
835 void ExistingUserController::LoginAsKioskApp(const std::string
& app_id
,
836 bool diagnostic_mode
) {
837 const bool auto_start
= false;
838 host_
->StartAppLaunch(app_id
, diagnostic_mode
, auto_start
);
841 void ExistingUserController::ConfigurePublicSessionAutoLogin() {
842 std::string auto_login_account_id
;
843 cros_settings_
->GetString(kAccountsPrefDeviceLocalAccountAutoLoginId
,
844 &auto_login_account_id
);
845 const std::vector
<policy::DeviceLocalAccount
> device_local_accounts
=
846 policy::GetDeviceLocalAccounts(cros_settings_
);
848 public_session_auto_login_username_
.clear();
849 for (std::vector
<policy::DeviceLocalAccount
>::const_iterator
850 it
= device_local_accounts
.begin();
851 it
!= device_local_accounts
.end(); ++it
) {
852 if (it
->account_id
== auto_login_account_id
) {
853 public_session_auto_login_username_
= it
->user_id
;
858 const user_manager::User
* user
= user_manager::UserManager::Get()->FindUser(
859 public_session_auto_login_username_
);
860 if (!user
|| user
->GetType() != user_manager::USER_TYPE_PUBLIC_ACCOUNT
)
861 public_session_auto_login_username_
.clear();
863 if (!cros_settings_
->GetInteger(
864 kAccountsPrefDeviceLocalAccountAutoLoginDelay
,
865 &public_session_auto_login_delay_
)) {
866 public_session_auto_login_delay_
= 0;
869 if (!public_session_auto_login_username_
.empty())
870 StartPublicSessionAutoLoginTimer();
872 StopPublicSessionAutoLoginTimer();
875 void ExistingUserController::ResetPublicSessionAutoLoginTimer() {
876 // Only restart the auto-login timer if it's already running.
877 if (auto_login_timer_
&& auto_login_timer_
->IsRunning()) {
878 StopPublicSessionAutoLoginTimer();
879 StartPublicSessionAutoLoginTimer();
883 void ExistingUserController::OnPublicSessionAutoLoginTimerFire() {
884 CHECK(signin_screen_ready_
&& !public_session_auto_login_username_
.empty());
885 Login(UserContext(user_manager::USER_TYPE_PUBLIC_ACCOUNT
,
886 public_session_auto_login_username_
),
890 void ExistingUserController::StopPublicSessionAutoLoginTimer() {
891 if (auto_login_timer_
)
892 auto_login_timer_
->Stop();
895 void ExistingUserController::StartPublicSessionAutoLoginTimer() {
896 if (!signin_screen_ready_
||
897 is_login_in_progress_
||
898 public_session_auto_login_username_
.empty()) {
902 // Start the auto-login timer.
903 if (!auto_login_timer_
)
904 auto_login_timer_
.reset(new base::OneShotTimer
<ExistingUserController
>);
906 auto_login_timer_
->Start(
908 base::TimeDelta::FromMilliseconds(
909 public_session_auto_login_delay_
),
911 &ExistingUserController::OnPublicSessionAutoLoginTimerFire
,
912 weak_factory_
.GetWeakPtr()));
915 gfx::NativeWindow
ExistingUserController::GetNativeWindow() const {
916 return host_
->GetNativeWindow();
919 void ExistingUserController::ShowError(int error_id
,
920 const std::string
& details
) {
922 HelpAppLauncher::HelpTopic help_topic_id
;
923 if (login_performer_
) {
924 switch (login_performer_
->error().state()) {
925 case GoogleServiceAuthError::ACCOUNT_DISABLED
:
926 help_topic_id
= HelpAppLauncher::HELP_ACCOUNT_DISABLED
;
928 case GoogleServiceAuthError::HOSTED_NOT_ALLOWED
:
929 help_topic_id
= HelpAppLauncher::HELP_HOSTED_ACCOUNT
;
932 help_topic_id
= HelpAppLauncher::HELP_CANT_ACCESS_ACCOUNT
;
936 // login_performer_ will be null if an error occurred during OAuth2 token
937 // fetch. In this case, show a generic error.
938 help_topic_id
= HelpAppLauncher::HELP_CANT_ACCESS_ACCOUNT
;
941 if (error_id
== IDS_LOGIN_ERROR_AUTHENTICATING
) {
942 if (num_login_attempts_
> 1) {
943 const user_manager::User
* user
=
944 user_manager::UserManager::Get()->FindUser(
945 last_login_attempt_username_
);
946 if (user
&& (user
->GetType() == user_manager::USER_TYPE_SUPERVISED
))
947 error_id
= IDS_LOGIN_ERROR_AUTHENTICATING_2ND_TIME_SUPERVISED
;
951 login_display_
->ShowError(error_id
, num_login_attempts_
, help_topic_id
);
954 void ExistingUserController::SendAccessibilityAlert(
955 const std::string
& alert_text
) {
956 AutomationManagerAura::GetInstance()->HandleAlert(
957 ProfileHelper::GetSigninProfile(), alert_text
);
960 void ExistingUserController::SetPublicSessionKeyboardLayoutAndLogin(
961 const UserContext
& user_context
,
962 scoped_ptr
<base::ListValue
> keyboard_layouts
) {
963 UserContext new_user_context
= user_context
;
964 std::string keyboard_layout
;
965 for (size_t i
= 0; i
< keyboard_layouts
->GetSize(); ++i
) {
966 base::DictionaryValue
* entry
= NULL
;
967 keyboard_layouts
->GetDictionary(i
, &entry
);
968 bool selected
= false;
969 entry
->GetBoolean("selected", &selected
);
971 entry
->GetString("value", &keyboard_layout
);
975 DCHECK(!keyboard_layout
.empty());
976 new_user_context
.SetPublicSessionInputMethod(keyboard_layout
);
978 LoginAsPublicSessionInternal(new_user_context
);
981 void ExistingUserController::LoginAsPublicSessionInternal(
982 const UserContext
& user_context
) {
983 // Only one instance of LoginPerformer should exist at a time.
984 login_performer_
.reset(NULL
);
985 login_performer_
.reset(new ChromeLoginPerformer(this));
986 login_performer_
->LoginAsPublicSession(user_context
);
987 SendAccessibilityAlert(
988 l10n_util::GetStringUTF8(IDS_CHROMEOS_ACC_LOGIN_SIGNIN_PUBLIC_ACCOUNT
));
991 void ExistingUserController::PerformPreLoginActions(
992 const UserContext
& user_context
) {
993 // Disable clicking on other windows and status tray.
994 login_display_
->SetUIEnabled(false);
996 if (last_login_attempt_username_
!= user_context
.GetUserID()) {
997 last_login_attempt_username_
= user_context
.GetUserID();
998 num_login_attempts_
= 0;
1001 // Guard in cases when we're called twice but login process is still active.
1002 // This might happen when login process is paused till signed settings status
1003 // is verified which results in Login* method called again as a callback.
1004 if (!is_login_in_progress_
)
1005 num_login_attempts_
++;
1007 is_login_in_progress_
= true;
1009 // Stop the auto-login timer when attempting login.
1010 StopPublicSessionAutoLoginTimer();
1013 void ExistingUserController::PerformLoginFinishedActions(
1014 bool start_public_session_timer
) {
1015 is_login_in_progress_
= false;
1017 // Reenable clicking on other windows and status area.
1018 login_display_
->SetUIEnabled(true);
1020 if (start_public_session_timer
)
1021 StartPublicSessionAutoLoginTimer();
1024 void ExistingUserController::ContinueLoginIfDeviceNotDisabled(
1025 const base::Closure
& continuation
) {
1026 // Disable clicking on other windows and status tray.
1027 login_display_
->SetUIEnabled(false);
1029 // Stop the auto-login timer.
1030 StopPublicSessionAutoLoginTimer();
1032 // Wait for the |cros_settings_| to become either trusted or permanently
1034 const CrosSettingsProvider::TrustedStatus status
=
1035 cros_settings_
->PrepareTrustedValues(base::Bind(
1036 &ExistingUserController::ContinueLoginIfDeviceNotDisabled
,
1037 weak_factory_
.GetWeakPtr(),
1039 if (status
== CrosSettingsProvider::TEMPORARILY_UNTRUSTED
)
1042 if (status
== CrosSettingsProvider::PERMANENTLY_UNTRUSTED
) {
1043 // If the |cros_settings_| are permanently untrusted, show an error message
1044 // and refuse to log in.
1045 login_display_
->ShowError(IDS_LOGIN_ERROR_OWNER_KEY_LOST
,
1047 HelpAppLauncher::HELP_CANT_ACCESS_ACCOUNT
);
1049 // Re-enable clicking on other windows and the status area. Do not start the
1050 // auto-login timer though. Without trusted |cros_settings_|, no auto-login
1052 login_display_
->SetUIEnabled(true);
1056 bool device_disabled
= false;
1057 cros_settings_
->GetBoolean(kDeviceDisabled
, &device_disabled
);
1058 if (device_disabled
&& system::DeviceDisablingManager::
1059 HonorDeviceDisablingDuringNormalOperation()) {
1060 // If the device is disabled, bail out. A device disabled screen will be
1061 // shown by the DeviceDisablingManager.
1063 // Re-enable clicking on other windows and the status area. Do not start the
1064 // auto-login timer though. On a disabled device, no auto-login can succeed.
1065 login_display_
->SetUIEnabled(true);
1072 void ExistingUserController::DoCompleteLogin(
1073 const UserContext
& user_context_wo_device_id
) {
1074 UserContext user_context
= user_context_wo_device_id
;
1075 std::string device_id
=
1076 user_manager::UserManager::Get()->GetKnownUserDeviceId(
1077 user_context
.GetUserID());
1078 if (device_id
.empty()) {
1080 ChromeUserManager::Get()->AreEphemeralUsersEnabled() &&
1081 user_context
.GetUserID() != ChromeUserManager::Get()->GetOwnerEmail();
1082 device_id
= SigninClient::GenerateSigninScopedDeviceID(is_ephemeral
);
1084 user_context
.SetDeviceId(device_id
);
1086 const std::string
& gaps_cookie
= user_context
.GetGAPSCookie();
1087 if (!gaps_cookie
.empty()) {
1088 user_manager::UserManager::Get()->SetKnownUserGAPSCookie(
1089 user_context
.GetUserID(), gaps_cookie
);
1092 PerformPreLoginActions(user_context
);
1094 if (!time_init_
.is_null()) {
1095 base::TimeDelta delta
= base::Time::Now() - time_init_
;
1096 UMA_HISTOGRAM_MEDIUM_TIMES("Login.PromptToCompleteLoginTime", delta
);
1097 time_init_
= base::Time(); // Reset to null.
1100 host_
->OnCompleteLogin();
1102 if (user_context
.GetAuthFlow() == UserContext::AUTH_FLOW_EASY_BOOTSTRAP
) {
1103 bootstrap_user_context_initializer_
.reset(
1104 new BootstrapUserContextInitializer());
1105 bootstrap_user_context_initializer_
->Start(
1106 user_context
.GetAuthCode(),
1107 base::Bind(&ExistingUserController::OnBootstrapUserContextInitialized
,
1108 weak_factory_
.GetWeakPtr()));
1112 // Fetch OAuth2 tokens if we have an auth code and are not using SAML.
1113 // SAML uses cookies to get tokens.
1114 if (user_context
.GetAuthFlow() == UserContext::AUTH_FLOW_GAIA_WITHOUT_SAML
&&
1115 !user_context
.GetAuthCode().empty()) {
1116 oauth2_token_initializer_
.reset(new OAuth2TokenInitializer
);
1117 oauth2_token_initializer_
->Start(
1118 user_context
, base::Bind(&ExistingUserController::OnOAuth2TokensFetched
,
1119 weak_factory_
.GetWeakPtr()));
1123 PerformLogin(user_context
, LoginPerformer::AUTH_MODE_EXTENSION
);
1126 void ExistingUserController::DoLogin(const UserContext
& user_context
,
1127 const SigninSpecifics
& specifics
) {
1128 if (is_login_in_progress_
) {
1129 // If there is another login in progress, bail out. Do not re-enable
1130 // clicking on other windows and the status area. Do not start the
1131 // auto-login timer.
1135 if (user_context
.GetUserType() != user_manager::USER_TYPE_REGULAR
&&
1136 user_manager::UserManager::Get()->IsUserLoggedIn()) {
1137 // Multi-login is only allowed for regular users. If we are attempting to
1138 // do multi-login as another type of user somehow, bail out. Do not
1139 // re-enable clicking on other windows and the status area. Do not start the
1140 // auto-login timer.
1144 if (user_context
.GetUserType() == user_manager::USER_TYPE_GUEST
) {
1145 if (!specifics
.guest_mode_url
.empty()) {
1146 guest_mode_url_
= GURL(specifics
.guest_mode_url
);
1147 if (specifics
.guest_mode_url_append_locale
)
1148 guest_mode_url_
= google_util::AppendGoogleLocaleParam(
1149 guest_mode_url_
, g_browser_process
->GetApplicationLocale());
1155 if (user_context
.GetUserType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT
) {
1156 LoginAsPublicSession(user_context
);
1160 if (user_context
.GetUserType() == user_manager::USER_TYPE_KIOSK_APP
) {
1161 LoginAsKioskApp(user_context
.GetUserID(), specifics
.kiosk_diagnostic_mode
);
1165 // Regular user or supervised user login.
1167 if (!user_context
.HasCredentials()) {
1168 // If credentials are missing, refuse to log in.
1170 // Reenable clicking on other windows and status area.
1171 login_display_
->SetUIEnabled(true);
1172 // Restart the auto-login timer.
1173 StartPublicSessionAutoLoginTimer();
1176 PerformPreLoginActions(user_context
);
1177 PerformLogin(user_context
, LoginPerformer::AUTH_MODE_INTERNAL
);
1180 void ExistingUserController::OnBootstrapUserContextInitialized(
1182 const UserContext
& user_context
) {
1184 LOG(ERROR
) << "Easy bootstrap failed.";
1185 OnAuthFailure(AuthFailure(AuthFailure::NETWORK_AUTH_FAILED
));
1189 // Setting a customized login user flow to perform additional initializations
1190 // for bootstrap after the user session is started.
1191 ChromeUserManager::Get()->SetUserFlow(
1192 user_context
.GetUserID(),
1193 new BootstrapUserFlow(
1195 bootstrap_user_context_initializer_
->random_key_used()));
1197 PerformLogin(user_context
, LoginPerformer::AUTH_MODE_EXTENSION
);
1200 void ExistingUserController::OnOAuth2TokensFetched(
1202 const UserContext
& user_context
) {
1204 LOG(ERROR
) << "OAuth2 token fetch failed.";
1205 OnAuthFailure(AuthFailure(AuthFailure::FAILED_TO_INITIALIZE_TOKEN
));
1208 UserSessionManager::GetInstance()->OnOAuth2TokensFetched(user_context
);
1209 PerformLogin(user_context
, LoginPerformer::AUTH_MODE_EXTENSION
);
1212 } // namespace chromeos