login/auth/extended_authenticator.h

f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// Copyright 2014 The Chromium Authors. All rights reserved.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// Use of this source code is governed by a BSD-style license that can be
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// found in the LICENSE file.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#ifndef CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#define CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include <string>
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/basictypes.h"
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/callback.h"
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/compiler_specific.h"
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/memory/ref_counted.h"
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "base/memory/scoped_ptr.h"
cd6636c737a82949ad13db2d0d918af6424fb78bDuncan Sands#include "chromeos/chromeos_export.h"
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#include "chromeos/cryptohome/cryptohome_parameters.h"
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnernamespace chromeos {
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnerclass AuthStatusConsumer;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnerclass UserContext;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// An interface to interact with cryptohomed: mount home dirs, create new home
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// dirs, update passwords.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner//
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// Typical flow:
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// AuthenticateToMount() calls cryptohomed to perform offline login,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner// AuthenticateToCreate() calls cryptohomed to create new cryptohome.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattnerclass CHROMEOS_EXPORT ExtendedAuthenticator
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    : public base::RefCountedThreadSafe<ExtendedAuthenticator> {
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner public:
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  enum AuthState {
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    SUCCESS,       // Login succeeded.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    NO_MOUNT,      // No cryptohome exist for user.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    FAILED_MOUNT,  // Failed to mount existing cryptohome - login failed.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    FAILED_TPM,    // Failed to mount/create cryptohome because of TPM error.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  };
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  typedef base::Callback<void(const std::string& result)> ResultCallback;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  typedef base::Callback<void(const UserContext& context)> ContextCallback;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  class NewAuthStatusConsumer {
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner   public:
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    virtual ~NewAuthStatusConsumer() {}
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    // The current login attempt has ended in failure, with error.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner    virtual void OnAuthenticationFailure(AuthState state) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  };
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  static scoped_refptr<ExtendedAuthenticator> Create(
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner      NewAuthStatusConsumer* consumer);
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  static scoped_refptr<ExtendedAuthenticator> Create(
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner      AuthStatusConsumer* consumer);
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // Updates consumer of the class.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void SetConsumer(AuthStatusConsumer* consumer) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // This call will attempt to mount the home dir for the user, key (and key
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // label) in |context|. If the key is of type KEY_TYPE_PASSWORD_PLAIN, it will
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // be hashed with the system salt before being passed to cryptohomed. This
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // call assumes that the home dir already exist for the user and will return
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // an error otherwise. On success, the user ID hash (used as the mount point)
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // will be passed to |success_callback|.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void AuthenticateToMount(const UserContext& context,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                                   const ResultCallback& success_callback) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // This call will attempt to authenticate the user with the key (and key
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // label) in |context|. No further actions are taken after authentication.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void AuthenticateToCheck(const UserContext& context,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                                   const base::Closure& success_callback) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // This call will create and mount the home dir for |user_id| with the given
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // |keys| if the home dir is missing. If the home dir exists already, a mount
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // attempt will be performed using the first key in |keys| for authentication.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // Note that all |keys| should have been transformed from plain text already.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // This method does not alter them.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void CreateMount(const std::string& user_id,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                           const std::vector<cryptohome::KeyDefinition>& keys,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                           const ResultCallback& success_callback) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // Attempts to add a new |key| for the user identified/authorized by
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // |context|. If a key with the same label already exists, the behavior
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // depends on the |replace_existing| flag. If the flag is set, the old key is
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // replaced. If the flag is not set, an error occurs. It is not allowed to
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // replace the key used for authorization.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void AddKey(const UserContext& context,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                      const cryptohome::KeyDefinition& key,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                      bool replace_existing,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                      const base::Closure& success_callback) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // Attempts to perform an authorized update of the key in |context| with the
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // new |key|. The update is authorized by providing the |signature| of the
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // key. The original key must have the |PRIV_AUTHORIZED_UPDATE| privilege to
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // perform this operation. The key labels in |context| and in |key| should be
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // the same.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void UpdateKeyAuthorized(const UserContext& context,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                                   const cryptohome::KeyDefinition& key,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                                   const std::string& signature,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                                   const base::Closure& success_callback) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // Attempts to remove the key labeled |key_to_remove| for the user identified/
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // authorized by |context|. It is possible to remove the key used for
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // authorization, although it should be done with extreme care.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void RemoveKey(const UserContext& context,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                         const std::string& key_to_remove,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                         const base::Closure& success_callback) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // Hashes the key in |user_context| with the system salt it its type is
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // KEY_TYPE_PASSWORD_PLAIN and passes the resulting UserContext to the
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  // |callback|.
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual void TransformKeyIfNeeded(const UserContext& user_context,
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner                                    const ContextCallback& callback) = 0;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner protected:
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  ExtendedAuthenticator();
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  virtual ~ExtendedAuthenticator();
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner private:
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  friend class base::RefCountedThreadSafe<ExtendedAuthenticator>;
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner  DISALLOW_COPY_AND_ASSIGN(ExtendedAuthenticator);
4bd8217af3cf38f9fcce378fbc687162e28a7cf8Chris Lattner};
4bd8217af3cf38f9fcce378fbc687162e28a7cf8Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner}  // namespace chromeos
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner#endif  // CHROMEOS_LOGIN_AUTH_EXTENDED_AUTHENTICATOR_H_
f54e72962991005a3c0cc7dce0c550a14af90792Chris Lattner