1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/login/auth/login_performer.h"
8 #include "base/logging.h"
9 #include "base/message_loop/message_loop.h"
10 #include "base/metrics/histogram.h"
11 #include "base/prefs/pref_service.h"
12 #include "base/strings/utf_string_conversions.h"
13 #include "base/threading/thread_restrictions.h"
14 #include "chrome/browser/browser_process.h"
15 #include "chrome/browser/chrome_notification_types.h"
16 #include "chrome/browser/chromeos/boot_times_loader.h"
17 #include "chrome/browser/chromeos/login/login_utils.h"
18 #include "chrome/browser/chromeos/login/supervised/supervised_user_authentication.h"
19 #include "chrome/browser/chromeos/login/supervised/supervised_user_constants.h"
20 #include "chrome/browser/chromeos/login/supervised/supervised_user_login_flow.h"
21 #include "chrome/browser/chromeos/login/users/chrome_user_manager.h"
22 #include "chrome/browser/chromeos/login/users/supervised_user_manager.h"
23 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
24 #include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
25 #include "chrome/browser/chromeos/profiles/profile_helper.h"
26 #include "chrome/browser/chromeos/settings/cros_settings.h"
27 #include "chrome/common/pref_names.h"
28 #include "chromeos/dbus/dbus_thread_manager.h"
29 #include "chromeos/dbus/session_manager_client.h"
30 #include "chromeos/login/user_names.h"
31 #include "chromeos/settings/cros_settings_names.h"
32 #include "components/user_manager/user_manager.h"
33 #include "content/public/browser/browser_thread.h"
34 #include "content/public/browser/notification_service.h"
35 #include "content/public/browser/notification_types.h"
36 #include "content/public/browser/user_metrics.h"
37 #include "google_apis/gaia/gaia_auth_util.h"
38 #include "net/cookies/cookie_monster.h"
39 #include "net/cookies/cookie_store.h"
40 #include "net/url_request/url_request_context.h"
41 #include "net/url_request/url_request_context_getter.h"
// Shorthands used throughout this file; every other name stays qualified.
using base::UserMetricsAction;
using content::BrowserThread;

// NOTE(review): listing lines 45-47 are missing here; the closing
// `}  // namespace chromeos` at the end of the file implies the namespace
// opens in this gap.
// Builds a performer that reports results to |delegate|.  The delegate may be
// reset to NULL later (OnChecked's comment says so for successful offline
// login).  The auth mode defaults to AUTH_MODE_INTERNAL, which PerformLogin
// routes to StartAuthentication(), until PerformLogin stores the caller's mode.
LoginPerformer::LoginPerformer(Delegate* delegate)
    : online_attempt_host_(this),
      last_login_failure_(AuthFailure::AuthFailureNone()),
      // NOTE(review): listing line 51 is missing; the only member left to
      // initialise from the parameter is delegate_ — confirm against upstream.
      delegate_(delegate),
      password_changed_(false),
      password_changed_callback_count_(0),
      auth_mode_(AUTH_MODE_INTERNAL),
      // NOTE(review): listing lines 55-57 are missing; weak_factory_ is used by
      // PerformLogin, so its initialiser presumably lives here — confirm.
      weak_factory_(this) {
}
// Detaches this object from both authenticators before it goes away.  Tasks
// bound to the authenticators are posted elsewhere in this file and may still
// be in flight; SetConsumer(NULL) is assumed to stop them reporting back to a
// destroyed consumer — confirm against Authenticator/ExtendedAuthenticator.
LoginPerformer::~LoginPerformer() {
  DVLOG(1) << "Deleting LoginPerformer";
  if (authenticator_.get() != NULL)
    authenticator_->SetConsumer(NULL);
  if (extended_authenticator_.get() != NULL)
    extended_authenticator_->SetConsumer(NULL);
}
66 ////////////////////////////////////////////////////////////////////////////////
67 // LoginPerformer, AuthStatusConsumer implementation:
// AuthStatusConsumer: an authentication attempt failed.  Records the failure
// in user metrics and the Login.FailureReason histogram, remembers it in
// last_login_failure_ and forwards it to the delegate.
void LoginPerformer::OnAuthFailure(const AuthFailure& failure) {
  content::RecordAction(UserMetricsAction("Login_Failure"));
  UMA_HISTOGRAM_ENUMERATION("Login.FailureReason",
                            // NOTE(review): listing line 72 (the sample
                            // argument) is missing; failure.reason() is the
                            // value the macro needs here — confirm.
                            failure.reason(),
                            AuthFailure::NUM_FAILURE_REASONS);

  // Verbose-only diagnostics: only the reason code and error state are
  // printed, no credentials.
  DVLOG(1) << "failure.reason " << failure.reason();
  DVLOG(1) << "failure.error.state " << failure.error().state();

  last_login_failure_ = failure;
  // NOTE(review): listing lines 79, 81-82 and 85-87 are missing around this
  // call.  OnChecked's comment says delegate_ can be NULL, so a guard with an
  // alternative branch (to which the two comment lines below belong)
  // presumably lived here — confirm against upstream.
  delegate_->OnAuthFailure(failure);
  // COULD_NOT_MOUNT_CRYPTOHOME, COULD_NOT_MOUNT_TMPFS:
  // happens during offline auth only.
}
// AuthStatusConsumer: demo (retail mode) login succeeded.  Records the metric
// and defers to the base-class implementation for everything else.
void LoginPerformer::OnRetailModeAuthSuccess(const UserContext& user_context) {
  const UserMetricsAction demo_login_action("Login_DemoUserLoginSuccess");
  content::RecordAction(demo_login_action);
  AuthStatusConsumer::OnRetailModeAuthSuccess(user_context);
}
// AuthStatusConsumer: the login succeeded.  Only the user-ID hash is logged,
// and only at VLOG(1).
//
// Ownership: once the delegate has been told, it drops its ownership of this
// object, so deletion is queued on the current message loop beforehand.  The
// object stays valid for the rest of this call; the delegate must not keep
// the pointer past it.
void LoginPerformer::OnAuthSuccess(const UserContext& user_context) {
  const UserMetricsAction success_action("Login_Success");
  content::RecordAction(success_action);
  VLOG(1) << "LoginSuccess hash: " << user_context.GetUserIDHash();

  base::MessageLoop* loop = base::MessageLoop::current();
  loop->DeleteSoon(FROM_HERE, this);
  delegate_->OnAuthSuccess(user_context);
}
// AuthStatusConsumer: guest (off-the-record) login succeeded.  Records the
// metric and notifies the delegate; no user context is involved.
void LoginPerformer::OnOffTheRecordAuthSuccess() {
  content::RecordAction(
      UserMetricsAction("Login_GuestLoginSuccess"));

  // NOTE(review): listing lines 109 and 111-114 are missing around this call;
  // delegate_ can be NULL per OnChecked's comment, so a guard presumably lived
  // here — confirm against upstream.
  delegate_->OnOffTheRecordAuthSuccess();
}
// AuthStatusConsumer: the authenticator reported a password change.  Marks
// the state, counts the callback and lets the delegate decide what to do
// next (see RecoverEncryptedData / ResyncEncryptedData below).
void LoginPerformer::OnPasswordChangeDetected() {
  password_changed_ = true;
  password_changed_callback_count_++;

  // NOTE(review): listing lines 118 and 120-124 are missing around this call;
  // a NULL guard on delegate_ presumably lived here — confirm.
  delegate_->OnPasswordChangeDetected();
}
// OnlineAttemptHost result: the unobtrusive online check started in
// StartAuthentication() finished with |success| for |username|.
void LoginPerformer::OnChecked(const std::string& username, bool success) {
  // NOTE(review): listing lines 126 and 131-132 are missing.  The four comment
  // lines below read as the body of a guard that returns when delegate_ is
  // NULL — confirm against upstream before relying on that shape.
  // Delegate is reset in case of successful offline login.
  // See ExistingUserController::OnAuthSuccess().
  // Case when user has changed password and enters old password
  // does not block user from sign in yet.
  delegate_->OnOnlineChecked(username, success);
}
136 ////////////////////////////////////////////////////////////////////////////////
137 // LoginPerformer, public:
// Entry point for a regular sign-in.  Stores the auth mode and context, then
// gates on device settings before anything reaches an authenticator:
//   * PERMANENTLY_UNTRUSTED settings -> PolicyLoadFailed() and stop;
//   * settings not yet verified     -> stop; PrepareTrustedValues re-invokes
//                                      this method (with the same arguments)
//                                      once verification completes;
//   * TRUSTED                       -> whitelist check, then either a server
//                                      re-confirmation (wildcard-matched user
//                                      on an enterprise device, extension
//                                      mode) or the authentication flow.
// The bound re-invocation captures user_context_, so the credentials sit in
// that callback until the trust check resolves.
void LoginPerformer::PerformLogin(const UserContext& user_context,
                                  AuthorizationMode auth_mode) {
  auth_mode_ = auth_mode;
  user_context_ = user_context;

  CrosSettings* cros_settings = CrosSettings::Get();

  // Whitelist check is always performed during initial login.
  CrosSettingsProvider::TrustedStatus status =
      cros_settings->PrepareTrustedValues(
          base::Bind(&LoginPerformer::PerformLogin,
                     weak_factory_.GetWeakPtr(),
                     user_context_, auth_mode));
  // Must not proceed without signature verification.
  if (status == CrosSettingsProvider::PERMANENTLY_UNTRUSTED) {
    // NOTE(review): listing lines 154 and 156-158 are missing.  Without an
    // early exit here execution would fall through into the whitelist check
    // below; the "must not proceed" comment above implies a `return;`, which
    // is the only thing reconstructed.  A NULL guard on delegate_ may also
    // have been here — confirm against upstream.
    delegate_->PolicyLoadFailed();
    return;
  } else if (status != CrosSettingsProvider::TRUSTED) {
    // Value of AllowNewUser setting is still not verified.
    // Another attempt will be invoked after verification completion.
    // NOTE(review): listing lines 162-164 are missing; `return;` and the
    // closing brace are reconstructed.
    return;
  }

  bool wildcard_match = false;
  std::string email = gaia::CanonicalizeEmail(user_context.GetUserID());
  bool is_whitelisted = LoginUtils::IsWhitelisted(email, &wildcard_match);
  if (is_whitelisted) {
    switch (auth_mode_) {
      case AUTH_MODE_EXTENSION: {
        // On enterprise devices, reconfirm login permission with the server.
        policy::BrowserPolicyConnectorChromeOS* connector =
            g_browser_process->platform_part()
                ->browser_policy_connector_chromeos();
        if (connector->IsEnterpriseManaged() && wildcard_match &&
            !connector->IsNonEnterpriseUser(email)) {
          // The online check decides: OnlineWildcardLoginCheckCompleted()
          // either starts completion or reports WhiteListCheckFailed.
          wildcard_login_checker_.reset(new policy::WildcardLoginChecker());
          wildcard_login_checker_->Start(
              ProfileHelper::GetSigninProfile()->GetRequestContext(),
              base::Bind(&LoginPerformer::OnlineWildcardLoginCheckCompleted,
                         weak_factory_.GetWeakPtr()));
        } else {
          // NOTE(review): listing line 182 is missing; StartLoginCompletion()
          // (line 183) is presumably the else-branch of the check above,
          // since the online path calls it from its own callback.
          StartLoginCompletion();
        }
        // NOTE(review): listing lines 184-186 are missing; closing brace and
        // `break;` reconstructed.
        break;
      }
      case AUTH_MODE_INTERNAL:
        StartAuthentication();
        // NOTE(review): listing lines 189-192 are missing; `break;`, the
        // switch/if closers and the `} else {` reconstructed.
        break;
    }
  } else {
    // Not on the whitelist: refuse before any authenticator is created.
    delegate_->WhiteListCheckFailed(user_context.GetUserID());
    // NOTE(review): listing lines 194-197 are missing; closing braces
    // reconstructed, and a NULL guard on delegate_ may have been here.
  }
}
// Sign-in for a supervised user.  Order of checks:
//   1. DCHECK that the account is in the supervised-user domain (debug builds
//      only — DCHECK_EQ is not a release-build guard);
//   2. the same CrosSettings trust gate as PerformLogin (PolicyLoadFailed on
//      PERMANENTLY_UNTRUSTED, re-invocation via PrepareTrustedValues
//      otherwise);
//   3. refuse with LOG(ERROR) + WhiteListCheckFailed when supervised users
//      are not allowed by settings;
//   4. install a SupervisedUserLoginFlow, run the context through
//      TransformKey and authenticate via the extended or the plain
//      authenticator depending on the password schema.
void LoginPerformer::LoginAsSupervisedUser(
    const UserContext& user_context) {
  DCHECK_EQ(chromeos::login::kSupervisedUserDomain,
            gaia::ExtractDomainName(user_context.GetUserID()));

  CrosSettings* cros_settings = CrosSettings::Get();
  CrosSettingsProvider::TrustedStatus status =
      cros_settings->PrepareTrustedValues(
          base::Bind(&LoginPerformer::LoginAsSupervisedUser,
                     weak_factory_.GetWeakPtr(),
                     // NOTE(review): listing line 209 is missing; the bound
                     // argument is presumably user_context — confirm.
                     user_context));
  // Must not proceed without signature verification.
  if (status == CrosSettingsProvider::PERMANENTLY_UNTRUSTED) {
    // NOTE(review): listing lines 212 and 214-216 are missing; the early
    // return is reconstructed so the untrusted case cannot fall through to
    // the checks below.  A NULL guard on delegate_ may also have been here.
    delegate_->PolicyLoadFailed();
    return;
  } else if (status != CrosSettingsProvider::TRUSTED) {
    // Value of kAccountsPrefSupervisedUsersEnabled setting is still not
    // verified. Another attempt will be invoked after verification completion.
    // NOTE(review): listing lines 220-222 are missing; `return;` and the
    // closing brace are reconstructed.
    return;
  }

  if (!user_manager::UserManager::Get()->AreSupervisedUsersAllowed()) {
    // Worth alerting on: a supervised-user login attempt while settings
    // disallow them.
    LOG(ERROR) << "Login attempt of supervised user detected.";
    delegate_->WhiteListCheckFailed(user_context.GetUserID());
    // NOTE(review): listing lines 226-228 are missing; `return;` and the
    // closing brace are reconstructed.
    return;
  }

  SupervisedUserLoginFlow* new_flow =
      new SupervisedUserLoginFlow(user_context.GetUserID());
  // NOTE(review): listing line 231 is missing; line 232 reads as the argument
  // of a call handing the current flow's host to |new_flow| — confirm the
  // exact setter against upstream.
  new_flow->set_host(
      ChromeUserManager::Get()->GetUserFlow(user_context.GetUserID())->host());
  ChromeUserManager::Get()->SetUserFlow(user_context.GetUserID(), new_flow);

  SupervisedUserAuthentication* authentication =
      ChromeUserManager::Get()->GetSupervisedUserManager()->GetAuthentication();

  // The caller's context is left untouched (const&); the transformed copy is
  // what gets handed to the authenticator below.
  UserContext user_context_copy = authentication->TransformKey(user_context);

  if (authentication->GetPasswordSchema(user_context.GetUserID()) ==
      SupervisedUserAuthentication::SCHEMA_SALT_HASHED) {
    if (extended_authenticator_.get()) {
      extended_authenticator_->SetConsumer(NULL);
    }
    extended_authenticator_ = ExtendedAuthenticator::Create(this);
    // TODO(antrim) : Replace empty callback with explicit method.
    // http://crbug.com/351268
    BrowserThread::PostTask(
        // NOTE(review): listing lines 249-250 are missing; thread and
        // location reconstructed from the sibling PostTask calls.
        BrowserThread::UI, FROM_HERE,
        base::Bind(&ExtendedAuthenticator::AuthenticateToMount,
                   extended_authenticator_.get(),
                   // NOTE(review): listing line 253 is missing; presumably
                   // user_context_copy — confirm.
                   user_context_copy,
                   ExtendedAuthenticator::ResultCallback()));
  } else {
    // NOTE(review): listing lines 255-256 are missing; the `} else {` is
    // reconstructed from the two alternative authenticator paths.
    authenticator_ = LoginUtils::Get()->CreateAuthenticator(this);
    BrowserThread::PostTask(
        // NOTE(review): listing lines 259-260 missing; reconstructed as above.
        BrowserThread::UI, FROM_HERE,
        base::Bind(&Authenticator::LoginAsSupervisedUser,
                   authenticator_.get(),
                   // NOTE(review): listing lines 263-265 missing; the bound
                   // argument is presumably user_context_copy — confirm.
                   user_context_copy));
  }
}
// Starts a retail/demo-mode session: creates a fresh authenticator with this
// object as its consumer and posts the login to the UI thread.  Results come
// back through the AuthStatusConsumer callbacks above.
void LoginPerformer::LoginRetailMode() {
  authenticator_ = LoginUtils::Get()->CreateAuthenticator(this);
  Authenticator* authenticator = authenticator_.get();
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::LoginRetailMode, authenticator));
}
// Starts a guest (off-the-record) session via a fresh authenticator on the UI
// thread; success is presumably reported through OnOffTheRecordAuthSuccess().
void LoginPerformer::LoginOffTheRecord() {
  authenticator_ = LoginUtils::Get()->CreateAuthenticator(this);
  Authenticator* authenticator = authenticator_.get();
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::LoginOffTheRecord, authenticator));
}
// Signs in to a public session (device-local account).  Refuses up front when
// the device-local-account policy service is absent or has no policy for this
// account, so a public session never starts without its policy loaded.
void LoginPerformer::LoginAsPublicSession(const UserContext& user_context) {
  // Login is not allowed if policy could not be loaded for the account.
  policy::BrowserPolicyConnectorChromeOS* connector =
      g_browser_process->platform_part()->browser_policy_connector_chromeos();
  policy::DeviceLocalAccountPolicyService* policy_service =
      connector->GetDeviceLocalAccountPolicyService();
  if (!policy_service ||
      !policy_service->IsPolicyAvailableForUser(user_context.GetUserID())) {
    // NOTE(review): listing lines 289-290 and 292-294 are missing; the early
    // return is reconstructed so the no-policy case cannot reach the
    // authenticator below.  A NULL guard on delegate_ may also have been here.
    delegate_->PolicyLoadFailed();
    return;
  }

  authenticator_ = LoginUtils::Get()->CreateAuthenticator(this);
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::LoginAsPublicSession,
                 authenticator_.get(),
                 // NOTE(review): listing lines 300-302 are missing; the bound
                 // argument is presumably user_context — confirm.
                 user_context));
}
// Signs in a kiosk app account.  Both arguments are forwarded untouched to
// the authenticator's LoginAsKioskAccount on the UI thread.
void LoginPerformer::LoginAsKioskAccount(const std::string& app_user_id,
                                         bool use_guest_mount) {
  authenticator_ = LoginUtils::Get()->CreateAuthenticator(this);
  Authenticator* authenticator = authenticator_.get();
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::LoginAsKioskAccount,
                 authenticator,
                 app_user_id,
                 use_guest_mount));
}
// Password-change follow-up: asks the authenticator to recover the encrypted
// data with |old_password|.  Assumes authenticator_ was created by an earlier
// login call; nothing here checks it for NULL.
void LoginPerformer::RecoverEncryptedData(const std::string& old_password) {
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::RecoverEncryptedData, authenticator_.get(),
                 // NOTE(review): listing lines 316-318 are missing; the bound
                 // argument is presumably old_password — confirm.
                 old_password));
}
// Password-change follow-up: asks the authenticator to resync the encrypted
// data.  Assumes authenticator_ was created by an earlier login call; nothing
// here checks it for NULL.
void LoginPerformer::ResyncEncryptedData() {
  Authenticator* authenticator = authenticator_.get();
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::ResyncEncryptedData, authenticator));
}
325 ////////////////////////////////////////////////////////////////////////////////
326 // LoginPerformer, private:
// Used by PerformLogin in AUTH_MODE_EXTENSION (directly, or after the wildcard
// check succeeds).  Binds a copy of user_context_ into a UI-thread task and
// then wipes the secrets held by this object; the copy inside the task still
// carries them until it runs.
void LoginPerformer::StartLoginCompletion() {
  DVLOG(1) << "Login completion started";
  BootTimesLoader::Get()->AddLoginTimeMarker("AuthStarted", false);
  Profile* profile = ProfileHelper::GetSigninProfile();

  authenticator_ = LoginUtils::Get()->CreateAuthenticator(this);
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::CompleteLogin, authenticator_.get(),
                 // NOTE(review): listing lines 337-338 are missing; |profile|
                 // is otherwise unused and ClearSecrets() below only makes
                 // sense if user_context_ was bound — confirm both arguments.
                 profile,
                 user_context_));
  user_context_.ClearSecrets();
}
// AUTH_MODE_INTERNAL path of PerformLogin: posts the authenticator's
// AuthenticateToLogin to the UI thread, starts the unobtrusive online check
// with the still-populated context, and only then wipes the secrets held by
// this object (the task's bound copy keeps them until it runs).
void LoginPerformer::StartAuthentication() {
  DVLOG(1) << "Auth started";
  BootTimesLoader::Get()->AddLoginTimeMarker("AuthStarted", false);
  Profile* profile = ProfileHelper::GetSigninProfile();

  authenticator_ = LoginUtils::Get()->CreateAuthenticator(this);
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
      base::Bind(&Authenticator::AuthenticateToLogin, authenticator_.get(),
                 // NOTE(review): listing lines 351-352 are missing; presumably
                 // profile and user_context_, mirroring StartLoginCompletion.
                 profile,
                 user_context_));
  // Make unobtrusive online check. It helps to determine password change
  // state in the case when offline login fails.
  online_attempt_host_.Check(profile->GetRequestContext(), user_context_);

  // NOTE(review): listing lines 356-358 are missing before this call; the
  // clear must stay after Check(), which needs the secrets.
  user_context_.ClearSecrets();
}
// Result of the server-side re-confirmation started in PerformLogin for
// wildcard-whitelisted users on enterprise-managed devices: proceed only on
// RESULT_ALLOWED, otherwise report a whitelist failure.  Uses user_context_
// (stored by PerformLogin) rather than a parameter.
void LoginPerformer::OnlineWildcardLoginCheckCompleted(
    policy::WildcardLoginChecker::Result result) {
  if (result == policy::WildcardLoginChecker::RESULT_ALLOWED) {
    StartLoginCompletion();
  } else {
    // NOTE(review): listing lines 366-367 and 369-371 are missing; the else
    // branch and closing braces are reconstructed, and a NULL guard on
    // delegate_ may have lived here — confirm.
    delegate_->WhiteListCheckFailed(user_context_.GetUserID());
  }
}
372 } // namespace chromeos