1// Copyright 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
6#define CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
7
8#include <string>
9
10#include "base/basictypes.h"
11#include "base/callback.h"
12#include "base/compiler_specific.h"
13#include "base/memory/ref_counted.h"
14#include "base/memory/scoped_ptr.h"
15#include "chromeos/cryptohome/cryptohome_parameters.h"
16#include "third_party/cros_system_api/dbus/service_constants.h"
17
18namespace chromeos {
19
20class LoginStatusConsumer;
21class UserContext;
22
23// Interaction with cryptohomed: mount home dirs, create new home dirs, update
24// passwords.
25//
26// Typical flow:
27// AuthenticateToMount() calls cryptohomed to perform offline login,
28// AuthenticateToCreate() calls cryptohomed to create new cryptohome.
29class ExtendedAuthenticator
30    : public base::RefCountedThreadSafe<ExtendedAuthenticator> {
31 public:
32  enum AuthState {
33    SUCCESS,       // Login succeeded.
34    NO_MOUNT,      // No cryptohome exist for user.
35    FAILED_MOUNT,  // Failed to mount existing cryptohome - login failed.
36    FAILED_TPM,    // Failed to mount/create cryptohome because of TPM error.
37  };
38
39  typedef base::Callback<void(const std::string& result)> ResultCallback;
40  typedef base::Callback<void(const UserContext& context)> ContextCallback;
41
42  class AuthStatusConsumer {
43   public:
44    virtual ~AuthStatusConsumer() {}
45    // The current login attempt has ended in failure, with error.
46    virtual void OnAuthenticationFailure(AuthState state) = 0;
47  };
48
49  explicit ExtendedAuthenticator(AuthStatusConsumer* consumer);
50  explicit ExtendedAuthenticator(LoginStatusConsumer* consumer);
51
52  // Updates consumer of the class.
53  void SetConsumer(LoginStatusConsumer* consumer);
54
55  // This call will attempt to mount the home dir for the user, key (and key
56  // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will
57  // be hashed with the system salt before being passed to cryptohomed. This
58  // call assumes that the home dir already exist for the user and will return
59  // an error otherwise. On success, the user ID hash (used as the mount point)
60  // will be passed to |success_callback|.
61  void AuthenticateToMount(const UserContext& context,
62                           const ResultCallback& success_callback);
63
64  // This call will attempt to authenticate the user with the key (and key
65  // label) in |context|. No further actions are taken after authentication.
66  void AuthenticateToCheck(const UserContext& context,
67                           const base::Closure& success_callback);
68
69  // This call will create and mount the home dir for |user_id| with the given
70  // |keys| if the home dir is missing. If the home dir exists already, a mount
71  // attempt will be performed using the first key in |keys| for authentication.
72  // Note that all |keys| should have been transformed from plain text already.
73  // This method does not alter them.
74  void CreateMount(const std::string& user_id,
75                   const std::vector<cryptohome::KeyDefinition>& keys,
76                   const ResultCallback& success_callback);
77
78  // Attempts to add a new |key| for the user identified/authorized by
79  // |context|. If a key with the same label already exists, the behavior
80  // depends on the |replace_existing| flag. If the flag is set, the old key is
81  // replaced. If the flag is not set, an error occurs. It is not allowed to
82  // replace the key used for authorization.
83  void AddKey(const UserContext& context,
84              const cryptohome::KeyDefinition& key,
85              bool replace_existing,
86              const base::Closure& success_callback);
87
88  // Attempts to perform an authorized update of the key in |context| with the
89  // new |key|. The update is authorized by providing the |signature| of the
90  // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to
91  // perform this operation. The key labels in |context| and in |key| should be
92  // the same.
93  void UpdateKeyAuthorized(const UserContext& context,
94                           const cryptohome::KeyDefinition& key,
95                           const std::string& signature,
96                           const base::Closure& success_callback);
97
98  // Attempts to remove the key labeled |key_to_remove| for the user identified/
99  // authorized by |context|. It is possible to remove the key used for
100  // authorization, although it should be done with extreme care.
101  void RemoveKey(const UserContext& context,
102                 const std::string& key_to_remove,
103                 const base::Closure& success_callback);
104
105  // Hashes the key in |user_context| with the system salt it its type is
106  // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the
107  // |callback|.
108  void TransformKeyIfNeeded(const UserContext& user_context,
109                            const ContextCallback& callback);
110
111 private:
112  friend class base::RefCountedThreadSafe<ExtendedAuthenticator>;
113
114  ~ExtendedAuthenticator();
115
116  // Callback for system salt getter.
117  void OnSaltObtained(const std::string& system_salt);
118
119  // Performs actual operation with fully configured |context|.
120  void DoAuthenticateToMount(const ResultCallback& success_callback,
121                             const UserContext& context);
122  void DoAuthenticateToCheck(const base::Closure& success_callback,
123                             const UserContext& context);
124  void DoAddKey(const cryptohome::KeyDefinition& key,
125                bool replace_existing,
126                const base::Closure& success_callback,
127                const UserContext& context);
128  void DoUpdateKeyAuthorized(const cryptohome::KeyDefinition& key,
129                             const std::string& signature,
130                             const base::Closure& success_callback,
131                             const UserContext& context);
132  void DoRemoveKey(const std::string& key_to_remove,
133                   const base::Closure& success_callback,
134                   const UserContext& context);
135
136  // Inner operation callbacks.
137  void OnMountComplete(const std::string& time_marker,
138                       const UserContext& context,
139                       const ResultCallback& success_callback,
140                       bool success,
141                       cryptohome::MountError return_code,
142                       const std::string& mount_hash);
143  void OnOperationComplete(const std::string& time_marker,
144                           const UserContext& context,
145                           const base::Closure& success_callback,
146                           bool success,
147                           cryptohome::MountError return_code);
148
149  bool salt_obtained_;
150  std::string system_salt_;
151  std::vector<base::Closure> system_salt_callbacks_;
152
153  AuthStatusConsumer* consumer_;
154  LoginStatusConsumer* old_consumer_;
155
156  DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator);
157};
158
159}  // namespace chromeos
160
161#endif  // CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
162