1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 6 #define CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/callback.h" 12 #include "base/compiler_specific.h" 13 #include "base/memory/ref_counted.h" 14 #include "base/memory/scoped_ptr.h" 15 #include "chromeos/chromeos_export.h" 16 #include "chromeos/cryptohome/cryptohome_parameters.h" 17 18 namespace chromeos { 19 20 class AuthStatusConsumer; 21 class UserContext; 22 23 // An interface to interact with cryptohomed: mount home dirs, create new home 24 // dirs, update passwords. 25 // 26 // Typical flow: 27 // AuthenticateToMount() calls cryptohomed to perform offline login, 28 // AuthenticateToCreate() calls cryptohomed to create new cryptohome. 29 class CHROMEOS_EXPORT ExtendedAuthenticator 30 : public base::RefCountedThreadSafe<ExtendedAuthenticator> { 31 public: 32 enum AuthState { 33 SUCCESS, // Login succeeded. 34 NO_MOUNT, // No cryptohome exist for user. 35 FAILED_MOUNT, // Failed to mount existing cryptohome - login failed. 36 FAILED_TPM, // Failed to mount/create cryptohome because of TPM error. 37 }; 38 39 typedef base::Callback<void(const std::string& result)> ResultCallback; 40 typedef base::Callback<void(const UserContext& context)> ContextCallback; 41 42 class NewAuthStatusConsumer { 43 public: ~NewAuthStatusConsumer()44 virtual ~NewAuthStatusConsumer() {} 45 // The current login attempt has ended in failure, with error. 46 virtual void OnAuthenticationFailure(AuthState state) = 0; 47 }; 48 49 static scoped_refptr<ExtendedAuthenticator> Create( 50 NewAuthStatusConsumer* consumer); 51 static scoped_refptr<ExtendedAuthenticator> Create( 52 AuthStatusConsumer* consumer); 53 54 // Updates consumer of the class. 55 virtual void SetConsumer(AuthStatusConsumer* consumer) = 0; 56 57 // This call will attempt to mount the home dir for the user, key (and key 58 // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will 59 // be hashed with the system salt before being passed to cryptohomed. This 60 // call assumes that the home dir already exist for the user and will return 61 // an error otherwise. On success, the user ID hash (used as the mount point) 62 // will be passed to |success_callback|. 63 virtual void AuthenticateToMount(const UserContext& context, 64 const ResultCallback& success_callback) = 0; 65 66 // This call will attempt to authenticate the user with the key (and key 67 // label) in |context|. No further actions are taken after authentication. 68 virtual void AuthenticateToCheck(const UserContext& context, 69 const base::Closure& success_callback) = 0; 70 71 // This call will create and mount the home dir for |user_id| with the given 72 // |keys| if the home dir is missing. If the home dir exists already, a mount 73 // attempt will be performed using the first key in |keys| for authentication. 74 // Note that all |keys| should have been transformed from plain text already. 75 // This method does not alter them. 76 virtual void CreateMount(const std::string& user_id, 77 const std::vector<cryptohome::KeyDefinition>& keys, 78 const ResultCallback& success_callback) = 0; 79 80 // Attempts to add a new |key| for the user identified/authorized by 81 // |context|. If a key with the same label already exists, the behavior 82 // depends on the |replace_existing| flag. If the flag is set, the old key is 83 // replaced. If the flag is not set, an error occurs. It is not allowed to 84 // replace the key used for authorization. 85 virtual void AddKey(const UserContext& context, 86 const cryptohome::KeyDefinition& key, 87 bool replace_existing, 88 const base::Closure& success_callback) = 0; 89 90 // Attempts to perform an authorized update of the key in |context| with the 91 // new |key|. The update is authorized by providing the |signature| of the 92 // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to 93 // perform this operation. The key labels in |context| and in |key| should be 94 // the same. 95 virtual void UpdateKeyAuthorized(const UserContext& context, 96 const cryptohome::KeyDefinition& key, 97 const std::string& signature, 98 const base::Closure& success_callback) = 0; 99 100 // Attempts to remove the key labeled |key_to_remove| for the user identified/ 101 // authorized by |context|. It is possible to remove the key used for 102 // authorization, although it should be done with extreme care. 103 virtual void RemoveKey(const UserContext& context, 104 const std::string& key_to_remove, 105 const base::Closure& success_callback) = 0; 106 107 // Hashes the key in |user_context| with the system salt it its type is 108 // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the 109 // |callback|. 110 virtual void TransformKeyIfNeeded(const UserContext& user_context, 111 const ContextCallback& callback) = 0; 112 113 protected: 114 ExtendedAuthenticator(); 115 virtual ~ExtendedAuthenticator(); 116 117 private: 118 friend class base::RefCountedThreadSafe<ExtendedAuthenticator>; 119 120 DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator); 121 }; 122 123 } // namespace chromeos 124 125 #endif // CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 126