1// Copyright 2014 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 6#define CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 7 8#include <string> 9 10#include "base/basictypes.h" 11#include "base/callback.h" 12#include "base/compiler_specific.h" 13#include "base/memory/ref_counted.h" 14#include "base/memory/scoped_ptr.h" 15#include "chromeos/cryptohome/cryptohome_parameters.h" 16#include "third_party/cros_system_api/dbus/service_constants.h" 17 18namespace chromeos { 19 20class LoginStatusConsumer; 21class UserContext; 22 23// Interaction with cryptohomed: mount home dirs, create new home dirs, update 24// passwords. 25// 26// Typical flow: 27// AuthenticateToMount() calls cryptohomed to perform offline login, 28// AuthenticateToCreate() calls cryptohomed to create new cryptohome. 29class ExtendedAuthenticator 30 : public base::RefCountedThreadSafe<ExtendedAuthenticator> { 31 public: 32 enum AuthState { 33 SUCCESS, // Login succeeded. 34 NO_MOUNT, // No cryptohome exist for user. 35 FAILED_MOUNT, // Failed to mount existing cryptohome - login failed. 36 FAILED_TPM, // Failed to mount/create cryptohome because of TPM error. 37 }; 38 39 typedef base::Callback<void(const std::string& result)> ResultCallback; 40 typedef base::Callback<void(const UserContext& context)> ContextCallback; 41 42 class AuthStatusConsumer { 43 public: 44 virtual ~AuthStatusConsumer() {} 45 // The current login attempt has ended in failure, with error. 46 virtual void OnAuthenticationFailure(AuthState state) = 0; 47 }; 48 49 explicit ExtendedAuthenticator(AuthStatusConsumer* consumer); 50 explicit ExtendedAuthenticator(LoginStatusConsumer* consumer); 51 52 // Updates consumer of the class. 53 void SetConsumer(LoginStatusConsumer* consumer); 54 55 // This call will attempt to mount the home dir for the user, key (and key 56 // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will 57 // be hashed with the system salt before being passed to cryptohomed. This 58 // call assumes that the home dir already exist for the user and will return 59 // an error otherwise. On success, the user ID hash (used as the mount point) 60 // will be passed to |success_callback|. 61 void AuthenticateToMount(const UserContext& context, 62 const ResultCallback& success_callback); 63 64 // This call will attempt to authenticate the user with the key (and key 65 // label) in |context|. No further actions are taken after authentication. 66 void AuthenticateToCheck(const UserContext& context, 67 const base::Closure& success_callback); 68 69 // This call will create and mount the home dir for |user_id| with the given 70 // |keys| if the home dir is missing. If the home dir exists already, a mount 71 // attempt will be performed using the first key in |keys| for authentication. 72 // Note that all |keys| should have been transformed from plain text already. 73 // This method does not alter them. 74 void CreateMount(const std::string& user_id, 75 const std::vector<cryptohome::KeyDefinition>& keys, 76 const ResultCallback& success_callback); 77 78 // Attempts to add a new |key| for the user identified/authorized by 79 // |context|. If a key with the same label already exists, the behavior 80 // depends on the |replace_existing| flag. If the flag is set, the old key is 81 // replaced. If the flag is not set, an error occurs. It is not allowed to 82 // replace the key used for authorization. 83 void AddKey(const UserContext& context, 84 const cryptohome::KeyDefinition& key, 85 bool replace_existing, 86 const base::Closure& success_callback); 87 88 // Attempts to perform an authorized update of the key in |context| with the 89 // new |key|. The update is authorized by providing the |signature| of the 90 // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to 91 // perform this operation. The key labels in |context| and in |key| should be 92 // the same. 93 void UpdateKeyAuthorized(const UserContext& context, 94 const cryptohome::KeyDefinition& key, 95 const std::string& signature, 96 const base::Closure& success_callback); 97 98 // Attempts to remove the key labeled |key_to_remove| for the user identified/ 99 // authorized by |context|. It is possible to remove the key used for 100 // authorization, although it should be done with extreme care. 101 void RemoveKey(const UserContext& context, 102 const std::string& key_to_remove, 103 const base::Closure& success_callback); 104 105 // Hashes the key in |user_context| with the system salt it its type is 106 // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the 107 // |callback|. 108 void TransformKeyIfNeeded(const UserContext& user_context, 109 const ContextCallback& callback); 110 111 private: 112 friend class base::RefCountedThreadSafe<ExtendedAuthenticator>; 113 114 ~ExtendedAuthenticator(); 115 116 // Callback for system salt getter. 117 void OnSaltObtained(const std::string& system_salt); 118 119 // Performs actual operation with fully configured |context|. 120 void DoAuthenticateToMount(const ResultCallback& success_callback, 121 const UserContext& context); 122 void DoAuthenticateToCheck(const base::Closure& success_callback, 123 const UserContext& context); 124 void DoAddKey(const cryptohome::KeyDefinition& key, 125 bool replace_existing, 126 const base::Closure& success_callback, 127 const UserContext& context); 128 void DoUpdateKeyAuthorized(const cryptohome::KeyDefinition& key, 129 const std::string& signature, 130 const base::Closure& success_callback, 131 const UserContext& context); 132 void DoRemoveKey(const std::string& key_to_remove, 133 const base::Closure& success_callback, 134 const UserContext& context); 135 136 // Inner operation callbacks. 137 void OnMountComplete(const std::string& time_marker, 138 const UserContext& context, 139 const ResultCallback& success_callback, 140 bool success, 141 cryptohome::MountError return_code, 142 const std::string& mount_hash); 143 void OnOperationComplete(const std::string& time_marker, 144 const UserContext& context, 145 const base::Closure& success_callback, 146 bool success, 147 cryptohome::MountError return_code); 148 149 bool salt_obtained_; 150 std::string system_salt_; 151 std::vector<base::Closure> system_salt_callbacks_; 152 153 AuthStatusConsumer* consumer_; 154 LoginStatusConsumer* old_consumer_; 155 156 DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator); 157}; 158 159} // namespace chromeos 160 161#endif // CHROME_BROWSER_CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 162