signin_manager.h revision 116680a4aac90f2aa7413d9095a592090648e557 
1// Copyright 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4//
5// The signin manager encapsulates some functionality tracking
6// which user is signed in. See SigninManagerBase for full description of
7// responsibilities. The class defined in this file provides functionality
8// required by all platforms except Chrome OS.
9//
10// When a user is signed in, a ClientLogin request is run on their behalf.
11// Auth tokens are fetched from Google and the results are stored in the
12// TokenService.
13// TODO(tim): Bug 92948, 226464. ClientLogin is all but gone from use.
14
15#ifndef COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
16#define COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
17
18#if defined(OS_CHROMEOS)
19// On Chrome OS, SigninManagerBase is all that exists.
20#include "components/signin/core/browser/signin_manager_base.h"
21
22#else
23
24#include <set>
25#include <string>
26
27#include "base/compiler_specific.h"
28#include "base/gtest_prod_util.h"
29#include "base/logging.h"
30#include "base/memory/scoped_ptr.h"
31#include "base/observer_list.h"
32#include "base/prefs/pref_change_registrar.h"
33#include "base/prefs/pref_member.h"
34#include "components/keyed_service/core/keyed_service.h"
35#include "components/signin/core/browser/signin_internals_util.h"
36#include "components/signin/core/browser/signin_manager_base.h"
37#include "components/signin/core/browser/signin_metrics.h"
38#include "google_apis/gaia/google_service_auth_error.h"
39#include "google_apis/gaia/merge_session_helper.h"
40#include "net/cookies/canonical_cookie.h"
41
42class PrefService;
43class ProfileOAuth2TokenService;
44class SigninAccountIdHelper;
45class SigninClient;
46
47class SigninManager : public SigninManagerBase {
48 public:
49  // The callback invoked once the OAuth token has been fetched during signin,
50  // but before the profile transitions to the "signed-in" state. This allows
51  // callers to load policy and prompt the user appropriately before completing
52  // signin. The callback is passed the just-fetched OAuth login refresh token.
53  typedef base::Callback<void(const std::string&)> OAuthTokenFetchedCallback;
54
55  // Returns true if |url| is a web signin URL and should be hosted in an
56  // isolated, privileged signin process.
57  static bool IsWebBasedSigninFlowURL(const GURL& url);
58
59  // This is used to distinguish URLs belonging to the special web signin flow
60  // running in the special signin process from other URLs on the same domain.
61  // We do not grant WebUI privilieges / bindings to this process or to URLs of
62  // this scheme; enforcement of privileges is handled separately by
63  // OneClickSigninHelper.
64  static const char kChromeSigninEffectiveSite[];
65
66  SigninManager(SigninClient* client, ProfileOAuth2TokenService* token_service);
67  virtual ~SigninManager();
68
69  // Returns true if the username is allowed based on the policy string.
70  static bool IsUsernameAllowedByPolicy(const std::string& username,
71                                        const std::string& policy);
72
73  // Attempt to sign in this user with a refresh token.
74  // If non-null, the passed |oauth_fetched_callback| callback is invoked once
75  // signin has been completed.
76  // The callback should invoke SignOut() or CompletePendingSignin() to either
77  // continue or cancel the in-process signin.
78  virtual void StartSignInWithRefreshToken(
79      const std::string& refresh_token,
80      const std::string& username,
81      const std::string& password,
82      const OAuthTokenFetchedCallback& oauth_fetched_callback);
83
84  // Copies auth credentials from one SigninManager to this one. This is used
85  // when creating a new profile during the signin process to transfer the
86  // in-progress credentials to the new profile.
87  virtual void CopyCredentialsFrom(const SigninManager& source);
88
89  // Sign a user out, removing the preference, erasing all keys
90  // associated with the user, and canceling all auth in progress.
91  virtual void SignOut(signin_metrics::ProfileSignout signout_source_metric);
92
93  // On platforms where SigninManager is responsible for dealing with
94  // invalid username policy updates, we need to check this during
95  // initialization and sign the user out.
96  virtual void Initialize(PrefService* local_state) OVERRIDE;
97  virtual void Shutdown() OVERRIDE;
98
99  // Invoked from an OAuthTokenFetchedCallback to complete user signin.
100  virtual void CompletePendingSignin();
101
102  // Invoked from SigninManagerAndroid to indicate that the sign-in process
103  // has completed for |username|.
104  void OnExternalSigninCompleted(const std::string& username);
105
106  // Returns true if there's a signin in progress.
107  virtual bool AuthInProgress() const OVERRIDE;
108
109  virtual bool IsSigninAllowed() const OVERRIDE;
110
111  // Returns true if the passed username is allowed by policy. Virtual for
112  // mocking in tests.
113  virtual bool IsAllowedUsername(const std::string& username) const;
114
115  // If an authentication is in progress, return the username being
116  // authenticated. Returns an empty string if no auth is in progress.
117  const std::string& GetUsernameForAuthInProgress() const;
118
119  // Set the preference to turn off one-click sign-in so that it won't ever
120  // show it again for the user associated with |prefs| (even if the user tries
121  // a new account).
122  static void DisableOneClickSignIn(PrefService* prefs);
123
124  // Tells the SigninManager whether to prohibit signout for this profile.
125  // If |prohibit_signout| is true, then signout will be prohibited.
126  void ProhibitSignout(bool prohibit_signout);
127
128  // If true, signout is prohibited for this profile (calls to SignOut() are
129  // ignored).
130  bool IsSignoutProhibited() const;
131
132  // Add or remove observers for the merge session notification.
133  virtual void AddMergeSessionObserver(
134      MergeSessionHelper::Observer* observer);
135  virtual void RemoveMergeSessionObserver(
136      MergeSessionHelper::Observer* observer);
137
138 protected:
139  // Flag saying whether signing out is allowed.
140  bool prohibit_signout_;
141
142 private:
143  enum SigninType { SIGNIN_TYPE_NONE, SIGNIN_TYPE_WITH_REFRESH_TOKEN };
144
145  std::string SigninTypeToString(SigninType type);
146  friend class FakeSigninManager;
147  FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ClearTransientSigninData);
148  FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorSuccess);
149  FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorFailure);
150
151  // If user was signed in, load tokens from DB if available.
152  void InitTokenService();
153
154  // Called to setup the transient signin data during one of the
155  // StartSigninXXX methods.  |type| indicates which of the methods is being
156  // used to perform the signin while |username| and |password| identify the
157  // account to be signed in. Returns false and generates an auth error if the
158  // passed |username| is not allowed by policy.
159  bool PrepareForSignin(SigninType type,
160                        const std::string& username,
161                        const std::string& password);
162
163  // Persists |username| as the currently signed-in account, and triggers
164  // a sign-in success notification.
165  void OnSignedIn(const std::string& username);
166
167  // Called when a new request to re-authenticate a user is in progress.
168  // Will clear in memory data but leaves the db as such so when the browser
169  // restarts we can use the old token(which might throw a password error).
170  void ClearTransientSigninData();
171
172  // Called to handle an error from a GAIA auth fetch.  Sets the last error
173  // to |error|, sends out a notification of login failure and clears the
174  // transient signin data.
175  void HandleAuthError(const GoogleServiceAuthError& error);
176
177  void OnSigninAllowedPrefChanged();
178  void OnGoogleServicesUsernamePatternChanged();
179
180  // ClientLogin identity.
181  std::string possibly_invalid_username_;
182  std::string password_;  // This is kept empty whenever possible.
183
184  // Fetcher for the obfuscated user id.
185  scoped_ptr<SigninAccountIdHelper> account_id_helper_;
186
187  // The type of sign being performed.  This value is valid only between a call
188  // to one of the StartSigninXXX methods and when the sign in is either
189  // successful or not.
190  SigninType type_;
191
192  // Temporarily saves the oauth2 refresh token.  It will be passed to the
193  // token service so that it does not need to mint new ones.
194  std::string temp_refresh_token_;
195
196  base::WeakPtrFactory<SigninManager> weak_pointer_factory_;
197
198  // The SigninClient object associated with this object. Must outlive this
199  // object.
200  SigninClient* client_;
201
202  // The ProfileOAuth2TokenService instance associated with this object. Must
203  // outlive this object.
204  ProfileOAuth2TokenService* token_service_;
205
206  // Helper object to listen for changes to signin preferences stored in non-
207  // profile-specific local prefs (like kGoogleServicesUsernamePattern).
208  PrefChangeRegistrar local_state_pref_registrar_;
209
210  // Helper object to listen for changes to the signin allowed preference.
211  BooleanPrefMember signin_allowed_;
212
213  // Helper to merge signed in account into the content area.
214  scoped_ptr<MergeSessionHelper> merge_session_helper_;
215
216  DISALLOW_COPY_AND_ASSIGN(SigninManager);
217};
218
219#endif  // !defined(OS_CHROMEOS)
220
221#endif  // COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
222