1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
6 #define CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
7 
#include <string>
#include <vector>

#include "base/basictypes.h"
#include "base/callback.h"
#include "base/compiler_specific.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "chromeos/cryptohome/cryptohome_parameters.h"
#include "third_party/cros_system_api/dbus/service_constants.h"
17 
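namespace chromeos {

class LoginStatusConsumer;
class UserContext;

// Interaction with cryptohomed: mount home dirs, create new home dirs, update
// passwords.
//
// Typical flow:
// AuthenticateToMount() calls cryptohomed to perform offline login,
// CreateMount() calls cryptohomed to create a new cryptohome.
//
// Every operation reports success through the callback passed to it. None of
// the public methods takes a failure callback; failures are presumably
// delivered to the consumer (see AuthStatusConsumer) - confirm in the .cc.
//
// NOTE(review): RefCountedThreadSafe only makes the reference count
// thread-safe. Nothing in this header synchronizes access to the members, so
// which thread may call these methods has to be confirmed in the .cc.
class ExtendedAuthenticator
    : public base::RefCountedThreadSafe<ExtendedAuthenticator> {
 public:
  enum AuthState {
    SUCCESS,       // Login succeeded.
    NO_MOUNT,      // No cryptohome exists for user.
    FAILED_MOUNT,  // Failed to mount existing cryptohome - login failed.
    FAILED_TPM,    // Failed to mount/create cryptohome because of TPM error.
  };

  // Success callback carrying a string result (for AuthenticateToMount() this
  // is the user ID hash).
  typedef base::Callback<void(const std::string& result)> ResultCallback;
  // Callback receiving a UserContext; used by TransformKeyIfNeeded().
  typedef base::Callback<void(const UserContext& context)> ContextCallback;

  // Interface through which authentication failures are reported.
  class AuthStatusConsumer {
   public:
    virtual ~AuthStatusConsumer() {}
    // The current login attempt has ended in failure, with error.
    virtual void OnAuthenticationFailure(AuthState state) = 0;
  };

  // |consumer| is stored as a raw pointer and is not owned by this object.
  // NOTE(review): this class is ref-counted and completes its work through
  // callbacks, so it can outlive the object that created it. The consumer
  // must stay valid (or be replaced/cleared) for as long as an operation may
  // still complete - confirm how the .cc guards against a stale pointer.
  explicit ExtendedAuthenticator(AuthStatusConsumer* consumer);
  explicit ExtendedAuthenticator(LoginStatusConsumer* consumer);

  // Updates consumer of the class. Only the LoginStatusConsumer flavour can be
  // changed after construction; there is no setter for AuthStatusConsumer.
  void SetConsumer(LoginStatusConsumer* consumer);

  // This call will attempt to mount the home dir for the user, key (and key
  // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will
  // be hashed with the system salt before being passed to cryptohomed. This
  // call assumes that the home dir already exists for the user and will return
  // an error otherwise. On success, the user ID hash (used as the mount point)
  // will be passed to |success_callback|.
  void AuthenticateToMount(const UserContext& context,
                           const ResultCallback& success_callback);

  // This call will attempt to authenticate the user with the key (and key
  // label) in |context|. No further actions are taken after authentication.
  void AuthenticateToCheck(const UserContext& context,
                           const base::Closure& success_callback);

  // This call will create and mount the home dir for |user_id| with the given
  // |keys| if the home dir is missing. If the home dir exists already, a mount
  // attempt will be performed using the first key in |keys| for authentication.
  // Note that all |keys| should have been transformed from plain text already.
  // This method does not alter them.
  //
  // Because no transformation happens here, a caller that passes a plain-text
  // key would hand it to cryptohomed as-is; hashing it first (see
  // TransformKeyIfNeeded()) is the caller's responsibility.
  // NOTE(review): behaviour for an empty |keys| is not visible in this header;
  // callers should pass at least one key.
  void CreateMount(const std::string& user_id,
                   const std::vector<cryptohome::KeyDefinition>& keys,
                   const ResultCallback& success_callback);

  // Attempts to add a new |key| for the user identified/authorized by
  // |context|. If a key with the same label already exists, the behavior
  // depends on the |replace_existing| flag. If the flag is set, the old key is
  // replaced. If the flag is not set, an error occurs. It is not allowed to
  // replace the key used for authorization.
  void AddKey(const UserContext& context,
              const cryptohome::KeyDefinition& key,
              bool replace_existing,
              const base::Closure& success_callback);

  // Attempts to perform an authorized update of the key in |context| with the
  // new |key|. The update is authorized by providing the |signature| of the
  // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to
  // perform this operation. The key labels in |context| and in |key| should be
  // the same.
  void UpdateKeyAuthorized(const UserContext& context,
                           const cryptohome::KeyDefinition& key,
                           const std::string& signature,
                           const base::Closure& success_callback);

  // Attempts to remove the key labeled |key_to_remove| for the user identified/
  // authorized by |context|. It is possible to remove the key used for
  // authorization, although it should be done with extreme care.
  void RemoveKey(const UserContext& context,
                 const std::string& key_to_remove,
                 const base::Closure& success_callback);

  // Hashes the key in |user_context| with the system salt if its type is
  // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the
  // |callback|.
  void TransformKeyIfNeeded(const UserContext& user_context,
                            const ContextCallback& callback);

 private:
  friend class base::RefCountedThreadSafe<ExtendedAuthenticator>;

  // Private so that the object can only be destroyed through its reference
  // count (RefCountedThreadSafe is a friend for that purpose).
  ~ExtendedAuthenticator();

  // Callback for system salt getter.
  void OnSaltObtained(const std::string& system_salt);

  // Performs actual operation with fully configured |context|.
  // |context| is the last parameter of each Do*() method, which matches the
  // single-argument shape of ContextCallback; presumably the leading arguments
  // are bound and the result is handed to TransformKeyIfNeeded() - confirm in
  // the .cc.
  void DoAuthenticateToMount(const ResultCallback& success_callback,
                             const UserContext& context);
  void DoAuthenticateToCheck(const base::Closure& success_callback,
                             const UserContext& context);
  void DoAddKey(const cryptohome::KeyDefinition& key,
                bool replace_existing,
                const base::Closure& success_callback,
                const UserContext& context);
  void DoUpdateKeyAuthorized(const cryptohome::KeyDefinition& key,
                             const std::string& signature,
                             const base::Closure& success_callback,
                             const UserContext& context);
  void DoRemoveKey(const std::string& key_to_remove,
                   const base::Closure& success_callback,
                   const UserContext& context);

  // Inner operation callbacks.
  void OnMountComplete(const std::string& time_marker,
                       const UserContext& context,
                       const ResultCallback& success_callback,
                       bool success,
                       cryptohome::MountError return_code,
                       const std::string& mount_hash);
  void OnOperationComplete(const std::string& time_marker,
                           const UserContext& context,
                           const base::Closure& success_callback,
                           bool success,
                           cryptohome::MountError return_code);

  // System salt state. Presumably |system_salt_callbacks_| holds work queued
  // until the salt arrives via OnSaltObtained() - confirm in the .cc.
  bool salt_obtained_;
  std::string system_salt_;
  std::vector<base::Closure> system_salt_callbacks_;

  // Consumers to notify. Raw, non-owning pointers: nothing in this header
  // keeps the pointees alive, so a consumer destroyed while an operation is
  // in flight would leave a dangling pointer here.
  AuthStatusConsumer* consumer_;
  LoginStatusConsumer* old_consumer_;

  DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator);
};

}  // namespace chromeos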
160 
161 #endif  // CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
162