1f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// Copyright 2014 The Chromium Authors. All rights reserved. 2f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// Use of this source code is governed by a BSD-style license that can be 3f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// found in the LICENSE file. 4f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 5f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#ifndef CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 6f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#define CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 7f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 8f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include <string> 9f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 10f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/basictypes.h" 11f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/callback.h" 12f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/compiler_specific.h" 13f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/memory/ref_counted.h" 14f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/memory/scoped_ptr.h" 15cd6636c737a82949ad13db2d0d918af6424fb78bDuncan Sands#include "chromeos/chromeos_export.h" 16f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "chromeos/cryptohome/cryptohome_parameters.h" 17f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 18f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnernamespace chromeos { 19f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 20f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnerclass AuthStatusConsumer; 21f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnerclass UserContext; 22f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 23f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// An interface to interact with cryptohomed: mount home dirs, create new home 24f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// dirs, update passwords. 25f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// 26f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// Typical flow: 27f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// AuthenticateToMount() calls cryptohomed to perform offline login, 28f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// AuthenticateToCreate() calls cryptohomed to create new cryptohome. 29f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnerclass CHROMEOS_EXPORT ExtendedAuthenticator 30f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner : public base::RefCountedThreadSafe<ExtendedAuthenticator> { 31f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner public: 32f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner enum AuthState { 33f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner SUCCESS, // Login succeeded. 34f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner NO_MOUNT, // No cryptohome exist for user. 35f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner FAILED_MOUNT, // Failed to mount existing cryptohome - login failed. 36f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner FAILED_TPM, // Failed to mount/create cryptohome because of TPM error. 37f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner }; 38f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 39f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner typedef base::Callback<void(const std::string& result)> ResultCallback; 40f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner typedef base::Callback<void(const UserContext& context)> ContextCallback; 41f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 42f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner class NewAuthStatusConsumer { 43f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner public: 44f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual ~NewAuthStatusConsumer() {} 45f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // The current login attempt has ended in failure, with error. 46f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void OnAuthenticationFailure(AuthState state) = 0; 47f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner }; 48f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 49f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner static scoped_refptr<ExtendedAuthenticator> Create( 50f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner NewAuthStatusConsumer* consumer); 51f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner static scoped_refptr<ExtendedAuthenticator> Create( 52f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner AuthStatusConsumer* consumer); 53f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 54f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // Updates consumer of the class. 55f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void SetConsumer(AuthStatusConsumer* consumer) = 0; 56f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 57f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // This call will attempt to mount the home dir for the user, key (and key 58f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will 59f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // be hashed with the system salt before being passed to cryptohomed. This 60f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // call assumes that the home dir already exist for the user and will return 61f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // an error otherwise. On success, the user ID hash (used as the mount point) 62f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // will be passed to |success_callback|. 63f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void AuthenticateToMount(const UserContext& context, 64f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const ResultCallback& success_callback) = 0; 65f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 66f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // This call will attempt to authenticate the user with the key (and key 67f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // label) in |context|. No further actions are taken after authentication. 68f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void AuthenticateToCheck(const UserContext& context, 69f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const base::Closure& success_callback) = 0; 70f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 71f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // This call will create and mount the home dir for |user_id| with the given 72f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // |keys| if the home dir is missing. If the home dir exists already, a mount 73f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // attempt will be performed using the first key in |keys| for authentication. 74f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // Note that all |keys| should have been transformed from plain text already. 75f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // This method does not alter them. 76f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void CreateMount(const std::string& user_id, 77f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const std::vector<cryptohome::KeyDefinition>& keys, 78f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const ResultCallback& success_callback) = 0; 79f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 80f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // Attempts to add a new |key| for the user identified/authorized by 81f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // |context|. If a key with the same label already exists, the behavior 82f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // depends on the |replace_existing| flag. If the flag is set, the old key is 83f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // replaced. If the flag is not set, an error occurs. It is not allowed to 84f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // replace the key used for authorization. 85f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void AddKey(const UserContext& context, 86f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const cryptohome::KeyDefinition& key, 87f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner bool replace_existing, 88f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const base::Closure& success_callback) = 0; 89f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 90f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // Attempts to perform an authorized update of the key in |context| with the 91f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // new |key|. The update is authorized by providing the |signature| of the 92f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to 93f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // perform this operation. The key labels in |context| and in |key| should be 94f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // the same. 95f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void UpdateKeyAuthorized(const UserContext& context, 96f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const cryptohome::KeyDefinition& key, 97f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const std::string& signature, 98f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const base::Closure& success_callback) = 0; 99f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 100f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // Attempts to remove the key labeled |key_to_remove| for the user identified/ 101f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // authorized by |context|. It is possible to remove the key used for 102f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // authorization, although it should be done with extreme care. 103f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void RemoveKey(const UserContext& context, 104f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const std::string& key_to_remove, 105f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const base::Closure& success_callback) = 0; 106f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 107f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // Hashes the key in |user_context| with the system salt it its type is 108f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the 109f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner // |callback|. 110f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual void TransformKeyIfNeeded(const UserContext& user_context, 111f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner const ContextCallback& callback) = 0; 112f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 113f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner protected: 114f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner ExtendedAuthenticator(); 115f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner virtual ~ExtendedAuthenticator(); 116f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 117f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner private: 118f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner friend class base::RefCountedThreadSafe<ExtendedAuthenticator>; 119f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 120f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator); 1214bd8217af3cf38f9fcce378fbc687162e28a7cf8Chris Lattner}; 1224bd8217af3cf38f9fcce378fbc687162e28a7cf8Chris Lattner 123f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner} // namespace chromeos 124f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner 125f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#endif // CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_ 126f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner