1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/chromeos/login/users/supervised_user_manager_impl.h"
6
7 #include "base/file_util.h"
8 #include "base/files/file_path.h"
9 #include "base/prefs/pref_registry_simple.h"
10 #include "base/prefs/pref_service.h"
11 #include "base/prefs/scoped_user_pref_update.h"
12 #include "base/strings/string_util.h"
13 #include "base/strings/stringprintf.h"
14 #include "base/strings/utf_string_conversions.h"
15 #include "base/threading/sequenced_worker_pool.h"
16 #include "base/values.h"
17 #include "chrome/browser/browser_process.h"
18 #include "chrome/browser/chromeos/login/managed/locally_managed_user_constants.h"
19 #include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h"
20 #include "chrome/browser/chromeos/login/users/user_manager_impl.h"
21 #include "chrome/browser/chromeos/profiles/profile_helper.h"
22 #include "chrome/browser/supervised_user/supervised_user_service.h"
23 #include "chrome/browser/supervised_user/supervised_user_service_factory.h"
24 #include "chromeos/settings/cros_settings_names.h"
25 #include "content/public/browser/browser_thread.h"
26 #include "google_apis/gaia/gaia_auth_util.h"
27
28 using content::BrowserThread;
29
30 namespace {
31
32 // Names for pref keys in Local State.
33 // A map from locally managed user local user id to sync user id.
34 const char kSupervisedUserSyncId[] =
35 "ManagedUserSyncId";
36
37 // A map from locally managed user id to manager user id.
38 const char kSupervisedUserManagers[] =
39 "ManagedUserManagers";
40
41 // A map from locally managed user id to manager display name.
42 const char kSupervisedUserManagerNames[] =
43 "ManagedUserManagerNames";
44
45 // A map from locally managed user id to manager display e-mail.
46 const char kSupervisedUserManagerDisplayEmails[] =
47 "ManagedUserManagerDisplayEmails";
48
49 // A vector pref of the locally managed accounts defined on this device, that
50 // had not logged in yet.
51 const char kLocallyManagedUsersFirstRun[] = "LocallyManagedUsersFirstRun";
52
53 // A pref of the next id for locally managed users generation.
54 const char kLocallyManagedUsersNextId[] =
55 "LocallyManagedUsersNextId";
56
57 // A pref of the next id for locally managed users generation.
58 const char kLocallyManagedUserCreationTransactionDisplayName[] =
59 "LocallyManagedUserCreationTransactionDisplayName";
60
61 // A pref of the next id for locally managed users generation.
62 const char kLocallyManagedUserCreationTransactionUserId[] =
63 "LocallyManagedUserCreationTransactionUserId";
64
65 // A map from user id to password schema id.
66 const char kSupervisedUserPasswordSchema[] =
67 "SupervisedUserPasswordSchema";
68
69 // A map from user id to password salt.
70 const char kSupervisedUserPasswordSalt[] =
71 "SupervisedUserPasswordSalt";
72
73 // A map from user id to password revision.
74 const char kSupervisedUserPasswordRevision[] =
75 "SupervisedUserPasswordRevision";
76
77 // A map from user id to flag indicating if password should be updated upon
78 // signin.
79 const char kSupervisedUserNeedPasswordUpdate[] =
80 "SupervisedUserNeedPasswordUpdate";
81
82 // A map from user id to flag indicating if cryptohome does not have signature
83 // key.
84 const char kSupervisedUserIncompleteKey[] = "SupervisedUserHasIncompleteKey";
85
LoadSyncToken(base::FilePath profile_dir)86 std::string LoadSyncToken(base::FilePath profile_dir) {
87 std::string token;
88 base::FilePath token_file =
89 profile_dir.Append(chromeos::kSupervisedUserTokenFilename);
90 VLOG(1) << "Loading" << token_file.value();
91 if (!base::ReadFileToString(token_file, &token))
92 return std::string();
93 return token;
94 }
95
96 } // namespace
97
98 namespace chromeos {
99
100 const char kSchemaVersion[] = "SchemaVersion";
101 const char kPasswordRevision[] = "PasswordRevision";
102 const char kSalt[] = "PasswordSalt";
103 const char kPasswordSignature[] = "PasswordSignature";
104 const char kEncryptedPassword[] = "EncryptedPassword";
105 const char kRequirePasswordUpdate[] = "RequirePasswordUpdate";
106 const char kHasIncompleteKey[] = "HasIncompleteKey";
107 const char kPasswordEncryptionKey[] = "password.hmac.encryption";
108 const char kPasswordSignatureKey[] = "password.hmac.signature";
109
110 const char kPasswordUpdateFile[] = "password.update";
111 const int kMinPasswordRevision = 1;
112
113 // static
RegisterPrefs(PrefRegistrySimple * registry)114 void SupervisedUserManager::RegisterPrefs(PrefRegistrySimple* registry) {
115 registry->RegisterListPref(kLocallyManagedUsersFirstRun);
116 registry->RegisterIntegerPref(kLocallyManagedUsersNextId, 0);
117 registry->RegisterStringPref(
118 kLocallyManagedUserCreationTransactionDisplayName, "");
119 registry->RegisterStringPref(
120 kLocallyManagedUserCreationTransactionUserId, "");
121 registry->RegisterDictionaryPref(kSupervisedUserSyncId);
122 registry->RegisterDictionaryPref(kSupervisedUserManagers);
123 registry->RegisterDictionaryPref(kSupervisedUserManagerNames);
124 registry->RegisterDictionaryPref(kSupervisedUserManagerDisplayEmails);
125
126 registry->RegisterDictionaryPref(kSupervisedUserPasswordSchema);
127 registry->RegisterDictionaryPref(kSupervisedUserPasswordSalt);
128 registry->RegisterDictionaryPref(kSupervisedUserPasswordRevision);
129
130 registry->RegisterDictionaryPref(kSupervisedUserNeedPasswordUpdate);
131 registry->RegisterDictionaryPref(kSupervisedUserIncompleteKey);
132 }
133
SupervisedUserManagerImpl(UserManagerImpl * owner)134 SupervisedUserManagerImpl::SupervisedUserManagerImpl(UserManagerImpl* owner)
135 : owner_(owner),
136 cros_settings_(CrosSettings::Get()) {
137 // SupervisedUserManager instance should be used only on UI thread.
138 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
139 authentication_.reset(new SupervisedUserAuthentication(this));
140 }
141
~SupervisedUserManagerImpl()142 SupervisedUserManagerImpl::~SupervisedUserManagerImpl() {
143 }
144
GenerateUserId()145 std::string SupervisedUserManagerImpl::GenerateUserId() {
146 int counter = g_browser_process->local_state()->
147 GetInteger(kLocallyManagedUsersNextId);
148 std::string id;
149 bool user_exists;
150 do {
151 id = base::StringPrintf("%d@%s", counter,
152 UserManager::kLocallyManagedUserDomain);
153 counter++;
154 user_exists = (NULL != owner_->FindUser(id));
155 DCHECK(!user_exists);
156 if (user_exists) {
157 LOG(ERROR) << "Supervised user with id " << id << " already exists.";
158 }
159 } while (user_exists);
160
161 g_browser_process->local_state()->
162 SetInteger(kLocallyManagedUsersNextId, counter);
163
164 g_browser_process->local_state()->CommitPendingWrite();
165 return id;
166 }
167
HasSupervisedUsers(const std::string & manager_id) const168 bool SupervisedUserManagerImpl::HasSupervisedUsers(
169 const std::string& manager_id) const {
170 const UserList& users = owner_->GetUsers();
171 for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) {
172 if ((*it)->GetType() == User::USER_TYPE_LOCALLY_MANAGED) {
173 if (manager_id == GetManagerUserId((*it)->email()))
174 return true;
175 }
176 }
177 return false;
178 }
179
CreateUserRecord(const std::string & manager_id,const std::string & local_user_id,const std::string & sync_user_id,const base::string16 & display_name)180 const User* SupervisedUserManagerImpl::CreateUserRecord(
181 const std::string& manager_id,
182 const std::string& local_user_id,
183 const std::string& sync_user_id,
184 const base::string16& display_name) {
185 const User* user = FindByDisplayName(display_name);
186 DCHECK(!user);
187 if (user)
188 return user;
189 const User* manager = owner_->FindUser(manager_id);
190 CHECK(manager);
191
192 PrefService* local_state = g_browser_process->local_state();
193
194 User* new_user = User::CreateLocallyManagedUser(local_user_id);
195
196 owner_->AddUserRecord(new_user);
197
198 ListPrefUpdate prefs_new_users_update(local_state,
199 kLocallyManagedUsersFirstRun);
200 DictionaryPrefUpdate sync_id_update(local_state, kSupervisedUserSyncId);
201 DictionaryPrefUpdate manager_update(local_state, kSupervisedUserManagers);
202 DictionaryPrefUpdate manager_name_update(local_state,
203 kSupervisedUserManagerNames);
204 DictionaryPrefUpdate manager_email_update(
205 local_state,
206 kSupervisedUserManagerDisplayEmails);
207
208 prefs_new_users_update->Insert(0, new base::StringValue(local_user_id));
209
210 sync_id_update->SetWithoutPathExpansion(local_user_id,
211 new base::StringValue(sync_user_id));
212 manager_update->SetWithoutPathExpansion(local_user_id,
213 new base::StringValue(manager->email()));
214 manager_name_update->SetWithoutPathExpansion(local_user_id,
215 new base::StringValue(manager->GetDisplayName()));
216 manager_email_update->SetWithoutPathExpansion(local_user_id,
217 new base::StringValue(manager->display_email()));
218
219 owner_->SaveUserDisplayName(local_user_id, display_name);
220
221 g_browser_process->local_state()->CommitPendingWrite();
222 return new_user;
223 }
224
GetUserSyncId(const std::string & user_id) const225 std::string SupervisedUserManagerImpl::GetUserSyncId(const std::string& user_id)
226 const {
227 std::string result;
228 GetUserStringValue(user_id, kSupervisedUserSyncId, &result);
229 return result;
230 }
231
GetManagerDisplayName(const std::string & user_id) const232 base::string16 SupervisedUserManagerImpl::GetManagerDisplayName(
233 const std::string& user_id) const {
234 PrefService* local_state = g_browser_process->local_state();
235 const base::DictionaryValue* manager_names =
236 local_state->GetDictionary(kSupervisedUserManagerNames);
237 base::string16 result;
238 if (manager_names->GetStringWithoutPathExpansion(user_id, &result) &&
239 !result.empty())
240 return result;
241 return base::UTF8ToUTF16(GetManagerDisplayEmail(user_id));
242 }
243
GetManagerUserId(const std::string & user_id) const244 std::string SupervisedUserManagerImpl::GetManagerUserId(
245 const std::string& user_id) const {
246 std::string result;
247 GetUserStringValue(user_id, kSupervisedUserManagers, &result);
248 return result;
249 }
250
GetManagerDisplayEmail(const std::string & user_id) const251 std::string SupervisedUserManagerImpl::GetManagerDisplayEmail(
252 const std::string& user_id) const {
253 std::string result;
254 if (GetUserStringValue(user_id,
255 kSupervisedUserManagerDisplayEmails,
256 &result) &&
257 !result.empty())
258 return result;
259 return GetManagerUserId(user_id);
260 }
261
GetPasswordInformation(const std::string & user_id,base::DictionaryValue * result)262 void SupervisedUserManagerImpl::GetPasswordInformation(
263 const std::string& user_id,
264 base::DictionaryValue* result) {
265 int value;
266 if (GetUserIntegerValue(user_id, kSupervisedUserPasswordSchema, &value))
267 result->SetIntegerWithoutPathExpansion(kSchemaVersion, value);
268 if (GetUserIntegerValue(user_id, kSupervisedUserPasswordRevision, &value))
269 result->SetIntegerWithoutPathExpansion(kPasswordRevision, value);
270
271 bool flag;
272 if (GetUserBooleanValue(user_id, kSupervisedUserNeedPasswordUpdate, &flag))
273 result->SetBooleanWithoutPathExpansion(kRequirePasswordUpdate, flag);
274 if (GetUserBooleanValue(user_id, kSupervisedUserIncompleteKey, &flag))
275 result->SetBooleanWithoutPathExpansion(kHasIncompleteKey, flag);
276
277 std::string salt;
278 if (GetUserStringValue(user_id, kSupervisedUserPasswordSalt, &salt))
279 result->SetStringWithoutPathExpansion(kSalt, salt);
280 }
281
SetPasswordInformation(const std::string & user_id,const base::DictionaryValue * password_info)282 void SupervisedUserManagerImpl::SetPasswordInformation(
283 const std::string& user_id,
284 const base::DictionaryValue* password_info) {
285 int value;
286 if (password_info->GetIntegerWithoutPathExpansion(kSchemaVersion, &value))
287 SetUserIntegerValue(user_id, kSupervisedUserPasswordSchema, value);
288 if (password_info->GetIntegerWithoutPathExpansion(kPasswordRevision, &value))
289 SetUserIntegerValue(user_id, kSupervisedUserPasswordRevision, value);
290
291 bool flag;
292 if (password_info->GetBooleanWithoutPathExpansion(kRequirePasswordUpdate,
293 &flag)) {
294 SetUserBooleanValue(user_id, kSupervisedUserNeedPasswordUpdate, flag);
295 }
296 if (password_info->GetBooleanWithoutPathExpansion(kHasIncompleteKey, &flag))
297 SetUserBooleanValue(user_id, kSupervisedUserIncompleteKey, flag);
298
299 std::string salt;
300 if (password_info->GetStringWithoutPathExpansion(kSalt, &salt))
301 SetUserStringValue(user_id, kSupervisedUserPasswordSalt, salt);
302 g_browser_process->local_state()->CommitPendingWrite();
303 }
304
GetUserStringValue(const std::string & user_id,const char * key,std::string * out_value) const305 bool SupervisedUserManagerImpl::GetUserStringValue(
306 const std::string& user_id,
307 const char* key,
308 std::string* out_value) const {
309 PrefService* local_state = g_browser_process->local_state();
310 const base::DictionaryValue* dictionary = local_state->GetDictionary(key);
311 return dictionary->GetStringWithoutPathExpansion(user_id, out_value);
312 }
313
GetUserIntegerValue(const std::string & user_id,const char * key,int * out_value) const314 bool SupervisedUserManagerImpl::GetUserIntegerValue(
315 const std::string& user_id,
316 const char* key,
317 int* out_value) const {
318 PrefService* local_state = g_browser_process->local_state();
319 const base::DictionaryValue* dictionary = local_state->GetDictionary(key);
320 return dictionary->GetIntegerWithoutPathExpansion(user_id, out_value);
321 }
322
GetUserBooleanValue(const std::string & user_id,const char * key,bool * out_value) const323 bool SupervisedUserManagerImpl::GetUserBooleanValue(const std::string& user_id,
324 const char* key,
325 bool* out_value) const {
326 PrefService* local_state = g_browser_process->local_state();
327 const base::DictionaryValue* dictionary = local_state->GetDictionary(key);
328 return dictionary->GetBooleanWithoutPathExpansion(user_id, out_value);
329 }
330
SetUserStringValue(const std::string & user_id,const char * key,const std::string & value)331 void SupervisedUserManagerImpl::SetUserStringValue(
332 const std::string& user_id,
333 const char* key,
334 const std::string& value) {
335 PrefService* local_state = g_browser_process->local_state();
336 DictionaryPrefUpdate update(local_state, key);
337 update->SetStringWithoutPathExpansion(user_id, value);
338 }
339
SetUserIntegerValue(const std::string & user_id,const char * key,const int value)340 void SupervisedUserManagerImpl::SetUserIntegerValue(
341 const std::string& user_id,
342 const char* key,
343 const int value) {
344 PrefService* local_state = g_browser_process->local_state();
345 DictionaryPrefUpdate update(local_state, key);
346 update->SetIntegerWithoutPathExpansion(user_id, value);
347 }
348
SetUserBooleanValue(const std::string & user_id,const char * key,const bool value)349 void SupervisedUserManagerImpl::SetUserBooleanValue(const std::string& user_id,
350 const char* key,
351 const bool value) {
352 PrefService* local_state = g_browser_process->local_state();
353 DictionaryPrefUpdate update(local_state, key);
354 update->SetBooleanWithoutPathExpansion(user_id, value);
355 }
356
FindByDisplayName(const base::string16 & display_name) const357 const User* SupervisedUserManagerImpl::FindByDisplayName(
358 const base::string16& display_name) const {
359 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
360 const UserList& users = owner_->GetUsers();
361 for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) {
362 if (((*it)->GetType() == User::USER_TYPE_LOCALLY_MANAGED) &&
363 ((*it)->display_name() == display_name)) {
364 return *it;
365 }
366 }
367 return NULL;
368 }
369
FindBySyncId(const std::string & sync_id) const370 const User* SupervisedUserManagerImpl::FindBySyncId(
371 const std::string& sync_id) const {
372 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
373 const UserList& users = owner_->GetUsers();
374 for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) {
375 if (((*it)->GetType() == User::USER_TYPE_LOCALLY_MANAGED) &&
376 (GetUserSyncId((*it)->email()) == sync_id)) {
377 return *it;
378 }
379 }
380 return NULL;
381 }
382
StartCreationTransaction(const base::string16 & display_name)383 void SupervisedUserManagerImpl::StartCreationTransaction(
384 const base::string16& display_name) {
385 g_browser_process->local_state()->
386 SetString(kLocallyManagedUserCreationTransactionDisplayName,
387 base::UTF16ToASCII(display_name));
388 g_browser_process->local_state()->CommitPendingWrite();
389 }
390
SetCreationTransactionUserId(const std::string & email)391 void SupervisedUserManagerImpl::SetCreationTransactionUserId(
392 const std::string& email) {
393 g_browser_process->local_state()->
394 SetString(kLocallyManagedUserCreationTransactionUserId,
395 email);
396 g_browser_process->local_state()->CommitPendingWrite();
397 }
398
CommitCreationTransaction()399 void SupervisedUserManagerImpl::CommitCreationTransaction() {
400 g_browser_process->local_state()->
401 ClearPref(kLocallyManagedUserCreationTransactionDisplayName);
402 g_browser_process->local_state()->
403 ClearPref(kLocallyManagedUserCreationTransactionUserId);
404 g_browser_process->local_state()->CommitPendingWrite();
405 }
406
HasFailedUserCreationTransaction()407 bool SupervisedUserManagerImpl::HasFailedUserCreationTransaction() {
408 return !(g_browser_process->local_state()->
409 GetString(kLocallyManagedUserCreationTransactionDisplayName).
410 empty());
411 }
412
RollbackUserCreationTransaction()413 void SupervisedUserManagerImpl::RollbackUserCreationTransaction() {
414 PrefService* prefs = g_browser_process->local_state();
415
416 std::string display_name = prefs->
417 GetString(kLocallyManagedUserCreationTransactionDisplayName);
418 std::string user_id = prefs->
419 GetString(kLocallyManagedUserCreationTransactionUserId);
420
421 LOG(WARNING) << "Cleaning up transaction for "
422 << display_name << "/" << user_id;
423
424 if (user_id.empty()) {
425 // Not much to do - just remove transaction.
426 prefs->ClearPref(kLocallyManagedUserCreationTransactionDisplayName);
427 prefs->CommitPendingWrite();
428 return;
429 }
430
431 if (gaia::ExtractDomainName(user_id) !=
432 UserManager::kLocallyManagedUserDomain) {
433 LOG(WARNING) << "Clean up transaction for non-locally managed user found :"
434 << user_id << ", will not remove data";
435 prefs->ClearPref(kLocallyManagedUserCreationTransactionDisplayName);
436 prefs->ClearPref(kLocallyManagedUserCreationTransactionUserId);
437 prefs->CommitPendingWrite();
438 return;
439 }
440 owner_->RemoveNonOwnerUserInternal(user_id, NULL);
441
442 prefs->ClearPref(kLocallyManagedUserCreationTransactionDisplayName);
443 prefs->ClearPref(kLocallyManagedUserCreationTransactionUserId);
444 prefs->CommitPendingWrite();
445 }
446
RemoveNonCryptohomeData(const std::string & user_id)447 void SupervisedUserManagerImpl::RemoveNonCryptohomeData(
448 const std::string& user_id) {
449 PrefService* prefs = g_browser_process->local_state();
450 ListPrefUpdate prefs_new_users_update(prefs, kLocallyManagedUsersFirstRun);
451 prefs_new_users_update->Remove(base::StringValue(user_id), NULL);
452
453 CleanPref(user_id, kSupervisedUserSyncId);
454 CleanPref(user_id, kSupervisedUserManagers);
455 CleanPref(user_id, kSupervisedUserManagerNames);
456 CleanPref(user_id, kSupervisedUserManagerDisplayEmails);
457 CleanPref(user_id, kSupervisedUserPasswordSalt);
458 CleanPref(user_id, kSupervisedUserPasswordSchema);
459 CleanPref(user_id, kSupervisedUserPasswordRevision);
460 CleanPref(user_id, kSupervisedUserNeedPasswordUpdate);
461 CleanPref(user_id, kSupervisedUserIncompleteKey);
462 }
463
CleanPref(const std::string & user_id,const char * key)464 void SupervisedUserManagerImpl::CleanPref(const std::string& user_id,
465 const char* key) {
466 PrefService* prefs = g_browser_process->local_state();
467 DictionaryPrefUpdate dict_update(prefs, key);
468 dict_update->RemoveWithoutPathExpansion(user_id, NULL);
469 }
470
CheckForFirstRun(const std::string & user_id)471 bool SupervisedUserManagerImpl::CheckForFirstRun(const std::string& user_id) {
472 ListPrefUpdate prefs_new_users_update(g_browser_process->local_state(),
473 kLocallyManagedUsersFirstRun);
474 return prefs_new_users_update->Remove(base::StringValue(user_id), NULL);
475 }
476
UpdateManagerName(const std::string & manager_id,const base::string16 & new_display_name)477 void SupervisedUserManagerImpl::UpdateManagerName(const std::string& manager_id,
478 const base::string16& new_display_name) {
479 PrefService* local_state = g_browser_process->local_state();
480
481 const base::DictionaryValue* manager_ids =
482 local_state->GetDictionary(kSupervisedUserManagers);
483
484 DictionaryPrefUpdate manager_name_update(local_state,
485 kSupervisedUserManagerNames);
486 for (base::DictionaryValue::Iterator it(*manager_ids); !it.IsAtEnd();
487 it.Advance()) {
488 std::string user_id;
489 bool has_manager_id = it.value().GetAsString(&user_id);
490 DCHECK(has_manager_id);
491 if (user_id == manager_id) {
492 manager_name_update->SetWithoutPathExpansion(
493 it.key(),
494 new base::StringValue(new_display_name));
495 }
496 }
497 }
498
GetAuthentication()499 SupervisedUserAuthentication* SupervisedUserManagerImpl::GetAuthentication() {
500 return authentication_.get();
501 }
502
LoadSupervisedUserToken(Profile * profile,const LoadTokenCallback & callback)503 void SupervisedUserManagerImpl::LoadSupervisedUserToken(
504 Profile* profile,
505 const LoadTokenCallback& callback) {
506 // TODO(antrim): use profile->GetPath() once we sure it is safe.
507 base::FilePath profile_dir = ProfileHelper::GetProfilePathByUserIdHash(
508 UserManager::Get()->GetUserByProfile(profile)->username_hash());
509 PostTaskAndReplyWithResult(
510 content::BrowserThread::GetBlockingPool(),
511 FROM_HERE,
512 base::Bind(&LoadSyncToken, profile_dir),
513 callback);
514 }
515
ConfigureSyncWithToken(Profile * profile,const std::string & token)516 void SupervisedUserManagerImpl::ConfigureSyncWithToken(
517 Profile* profile,
518 const std::string& token) {
519 if (!token.empty())
520 SupervisedUserServiceFactory::GetForProfile(profile)->InitSync(token);
521 }
522
523 } // namespace chromeos
524