1// Copyright 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_SUPERVISED_SUPERVISED_USER_AUTHENTICATION_H_
5#define CHROME_BROWSER_CHROMEOS_LOGIN_SUPERVISED_SUPERVISED_USER_AUTHENTICATION_H_
6
7#include "base/basictypes.h"
8#include "base/compiler_specific.h"
9#include "base/memory/weak_ptr.h"
10#include "base/strings/string16.h"
11#include "base/values.h"
12#include "chrome/browser/chromeos/login/supervised/supervised_user_login_flow.h"
13#include "chromeos/login/auth/user_context.h"
14
15namespace chromeos {
16
17class SupervisedUserManager;
18
19// This is a class that encapsulates all details of password handling for
20// supervised users.
21// Main property is the schema used to handle password. For now it can be either
22// plain password schema, when plain text password is passed to standard
23// cryprohome authentication algorithm without modification, or hashed password
24// schema, when password is additioUpdateContextToChecknally hashed with
25// user-specific salt.
26// Second schema is required to allow password syncing across devices for
27// supervised users.
28class SupervisedUserAuthentication {
29 public:
30  enum Schema {
31    SCHEMA_PLAIN = 1,
32    SCHEMA_SALT_HASHED = 2
33  };
34
35  enum SupervisedUserPasswordChangeResult {
36    PASSWORD_CHANGED_IN_MANAGER_SESSION = 0,
37    PASSWORD_CHANGED_IN_USER_SESSION = 1,
38    PASSWORD_CHANGE_FAILED_NO_MASTER_KEY = 2,
39    PASSWORD_CHANGE_FAILED_NO_SIGNATURE_KEY = 3,
40    PASSWORD_CHANGE_FAILED_NO_PASSWORD_DATA = 4,
41    PASSWORD_CHANGE_FAILED_MASTER_KEY_FAILURE = 5,
42    PASSWORD_CHANGE_FAILED_LOADING_DATA = 6,
43    PASSWORD_CHANGE_FAILED_INCOMPLETE_DATA = 7,
44    PASSWORD_CHANGE_FAILED_AUTHENTICATION_FAILURE = 8,
45    PASSWORD_CHANGE_FAILED_STORE_DATA = 9,
46    PASSWORD_CHANGE_RESULT_MAX_VALUE = 10
47  };
48
49  typedef base::Callback<void(const base::DictionaryValue* password_data)>
50      PasswordDataCallback;
51
52  explicit SupervisedUserAuthentication(SupervisedUserManager* owner);
53  virtual ~SupervisedUserAuthentication();
54
55  // Returns current schema for whole ChromeOS. It defines if users with older
56  // schema should be migrated somehow.
57  Schema GetStableSchema();
58
59  // Transforms key according to schema specified in Local State.
60  UserContext TransformKey(const UserContext& context);
61
62  // Fills |password_data| with |password|-specific data for |user_id|,
63  // depending on target schema. Does not affect Local State.
64  bool FillDataForNewUser(const std::string& user_id,
65                          const std::string& password,
66                          base::DictionaryValue* password_data,
67                          base::DictionaryValue* extra_data);
68
69  // Stores |password_data| for |user_id| in Local State. Only public parts
70  // of |password_data| will be stored.
71  void StorePasswordData(const std::string& user_id,
72                         const base::DictionaryValue& password_data);
73
74  bool NeedPasswordChange(const std::string& user_id,
75                          const base::DictionaryValue* password_data);
76
77  // Checks if given user should update password upon signin.
78  bool HasScheduledPasswordUpdate(const std::string& user_id);
79  void ClearScheduledPasswordUpdate(const std::string& user_id);
80
81  // Checks if password was migrated to new schema by supervised user.
82  // In this case it does not have encryption key, and should be updated by
83  // manager even if password versions match.
84  bool HasIncompleteKey(const std::string& user_id);
85  void MarkKeyIncomplete(const std::string& user_id, bool incomplete);
86
87  // Loads password data stored by ScheduleSupervisedPasswordChange.
88  void LoadPasswordUpdateData(const std::string& user_id,
89                              const PasswordDataCallback& success_callback,
90                              const base::Closure& failure_callback);
91
92  // Creates a random string that can be used as a master key for managed
93  // user's homedir.
94  std::string GenerateMasterKey();
95
96  // Called by supervised user to store password data for migration upon signin.
97  void ScheduleSupervisedPasswordChange(
98      const std::string& supervised_user_id,
99      const base::DictionaryValue* password_data);
100
101  // Utility method that gets schema version for |user_id| from Local State.
102  Schema GetPasswordSchema(const std::string& user_id);
103
104  static std::string BuildPasswordSignature(
105      const std::string& password,
106      int revision,
107      const std::string& base64_signature_key);
108
109 private:
110  SupervisedUserManager* owner_;
111
112  // Controls if migration is enabled.
113  bool migration_enabled_;
114
115  // Target schema version. Affects migration process and new user creation.
116  Schema stable_schema_;
117
118
119  DISALLOW_COPY_AND_ASSIGN(SupervisedUserAuthentication);
120};
121
122} // namespace chromeos
123
124#endif  // CHROME_BROWSER_CHROMEOS_LOGIN_SUPERVISED_SUPERVISED_USER_AUTHENTICATION_H_
125