signin_manager.h revision e5d81f57cb97b3b6b7fccc9c5610d21eb81db09d 
1// Copyright 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4//
5// The signin manager encapsulates some functionality tracking
6// which user is signed in. See SigninManagerBase for full description of
7// responsibilities. The class defined in this file provides functionality
8// required by all platforms except Chrome OS.
9//
10// When a user is signed in, a ClientLogin request is run on their behalf.
11// Auth tokens are fetched from Google and the results are stored in the
12// TokenService.
13// TODO(tim): Bug 92948, 226464. ClientLogin is all but gone from use.
14
15#ifndef COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
16#define COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
17
18#if defined(OS_CHROMEOS)
19// On Chrome OS, SigninManagerBase is all that exists.
20#include "components/signin/core/browser/signin_manager_base.h"
21
22#else
23
24#include <set>
25#include <string>
26
27#include "base/compiler_specific.h"
28#include "base/gtest_prod_util.h"
29#include "base/logging.h"
30#include "base/memory/scoped_ptr.h"
31#include "base/observer_list.h"
32#include "base/prefs/pref_change_registrar.h"
33#include "base/prefs/pref_member.h"
34#include "components/keyed_service/core/keyed_service.h"
35#include "components/signin/core/browser/signin_internals_util.h"
36#include "components/signin/core/browser/signin_manager_base.h"
37#include "google_apis/gaia/google_service_auth_error.h"
38#include "google_apis/gaia/merge_session_helper.h"
39#include "net/cookies/canonical_cookie.h"
40
41class PrefService;
42class ProfileOAuth2TokenService;
43class SigninAccountIdHelper;
44class SigninClient;
45
46class SigninManager : public SigninManagerBase {
47 public:
48  // The callback invoked once the OAuth token has been fetched during signin,
49  // but before the profile transitions to the "signed-in" state. This allows
50  // callers to load policy and prompt the user appropriately before completing
51  // signin. The callback is passed the just-fetched OAuth login refresh token.
52  typedef base::Callback<void(const std::string&)> OAuthTokenFetchedCallback;
53
54  // Returns true if |url| is a web signin URL and should be hosted in an
55  // isolated, privileged signin process.
56  static bool IsWebBasedSigninFlowURL(const GURL& url);
57
58  // This is used to distinguish URLs belonging to the special web signin flow
59  // running in the special signin process from other URLs on the same domain.
60  // We do not grant WebUI privilieges / bindings to this process or to URLs of
61  // this scheme; enforcement of privileges is handled separately by
62  // OneClickSigninHelper.
63  static const char kChromeSigninEffectiveSite[];
64
65  SigninManager(SigninClient* client, ProfileOAuth2TokenService* token_service);
66  virtual ~SigninManager();
67
68  // Returns true if the username is allowed based on the policy string.
69  static bool IsUsernameAllowedByPolicy(const std::string& username,
70                                        const std::string& policy);
71
72  // Attempt to sign in this user with a refresh token.
73  // If non-null, the passed |oauth_fetched_callback| callback is invoked once
74  // signin has been completed.
75  // The callback should invoke SignOut() or CompletePendingSignin() to either
76  // continue or cancel the in-process signin.
77  virtual void StartSignInWithRefreshToken(
78      const std::string& refresh_token,
79      const std::string& username,
80      const std::string& password,
81      const OAuthTokenFetchedCallback& oauth_fetched_callback);
82
83  // Copies auth credentials from one SigninManager to this one. This is used
84  // when creating a new profile during the signin process to transfer the
85  // in-progress credentials to the new profile.
86  virtual void CopyCredentialsFrom(const SigninManager& source);
87
88  // Sign a user out, removing the preference, erasing all keys
89  // associated with the user, and canceling all auth in progress.
90  virtual void SignOut();
91
92  // On platforms where SigninManager is responsible for dealing with
93  // invalid username policy updates, we need to check this during
94  // initialization and sign the user out.
95  virtual void Initialize(PrefService* local_state) OVERRIDE;
96  virtual void Shutdown() OVERRIDE;
97
98  // Invoked from an OAuthTokenFetchedCallback to complete user signin.
99  virtual void CompletePendingSignin();
100
101  // Invoked from SigninManagerAndroid to indicate that the sign-in process
102  // has completed for |username|.
103  void OnExternalSigninCompleted(const std::string& username);
104
105  // Returns true if there's a signin in progress.
106  virtual bool AuthInProgress() const OVERRIDE;
107
108  virtual bool IsSigninAllowed() const OVERRIDE;
109
110  // Returns true if the passed username is allowed by policy. Virtual for
111  // mocking in tests.
112  virtual bool IsAllowedUsername(const std::string& username) const;
113
114  // If an authentication is in progress, return the username being
115  // authenticated. Returns an empty string if no auth is in progress.
116  const std::string& GetUsernameForAuthInProgress() const;
117
118  // Set the preference to turn off one-click sign-in so that it won't ever
119  // show it again for the user associated with |prefs| (even if the user tries
120  // a new account).
121  static void DisableOneClickSignIn(PrefService* prefs);
122
123  // Tells the SigninManager whether to prohibit signout for this profile.
124  // If |prohibit_signout| is true, then signout will be prohibited.
125  void ProhibitSignout(bool prohibit_signout);
126
127  // If true, signout is prohibited for this profile (calls to SignOut() are
128  // ignored).
129  bool IsSignoutProhibited() const;
130
131  // Add or remove observers for the merge session notification.
132  void AddMergeSessionObserver(MergeSessionHelper::Observer* observer);
133  void RemoveMergeSessionObserver(MergeSessionHelper::Observer* observer);
134
135 protected:
136  // Flag saying whether signing out is allowed.
137  bool prohibit_signout_;
138
139 private:
140  enum SigninType { SIGNIN_TYPE_NONE, SIGNIN_TYPE_WITH_REFRESH_TOKEN };
141
142  std::string SigninTypeToString(SigninType type);
143  friend class FakeSigninManager;
144  FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ClearTransientSigninData);
145  FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorSuccess);
146  FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorFailure);
147
148  // If user was signed in, load tokens from DB if available.
149  void InitTokenService();
150
151  // Called to setup the transient signin data during one of the
152  // StartSigninXXX methods.  |type| indicates which of the methods is being
153  // used to perform the signin while |username| and |password| identify the
154  // account to be signed in. Returns false and generates an auth error if the
155  // passed |username| is not allowed by policy.
156  bool PrepareForSignin(SigninType type,
157                        const std::string& username,
158                        const std::string& password);
159
160  // Persists |username| as the currently signed-in account, and triggers
161  // a sign-in success notification.
162  void OnSignedIn(const std::string& username);
163
164  // Called when a new request to re-authenticate a user is in progress.
165  // Will clear in memory data but leaves the db as such so when the browser
166  // restarts we can use the old token(which might throw a password error).
167  void ClearTransientSigninData();
168
169  // Called to handle an error from a GAIA auth fetch.  Sets the last error
170  // to |error|, sends out a notification of login failure and clears the
171  // transient signin data.
172  void HandleAuthError(const GoogleServiceAuthError& error);
173
174  void OnSigninAllowedPrefChanged();
175  void OnGoogleServicesUsernamePatternChanged();
176
177  // ClientLogin identity.
178  std::string possibly_invalid_username_;
179  std::string password_;  // This is kept empty whenever possible.
180
181  // Fetcher for the obfuscated user id.
182  scoped_ptr<SigninAccountIdHelper> account_id_helper_;
183
184  // The type of sign being performed.  This value is valid only between a call
185  // to one of the StartSigninXXX methods and when the sign in is either
186  // successful or not.
187  SigninType type_;
188
189  // Temporarily saves the oauth2 refresh token.  It will be passed to the
190  // token service so that it does not need to mint new ones.
191  std::string temp_refresh_token_;
192
193  base::WeakPtrFactory<SigninManager> weak_pointer_factory_;
194
195  // The SigninClient object associated with this object. Must outlive this
196  // object.
197  SigninClient* client_;
198
199  // The ProfileOAuth2TokenService instance associated with this object. Must
200  // outlive this object.
201  ProfileOAuth2TokenService* token_service_;
202
203  // Helper object to listen for changes to signin preferences stored in non-
204  // profile-specific local prefs (like kGoogleServicesUsernamePattern).
205  PrefChangeRegistrar local_state_pref_registrar_;
206
207  // Helper object to listen for changes to the signin allowed preference.
208  BooleanPrefMember signin_allowed_;
209
210  // Helper to merge signed in account into the content area.
211  scoped_ptr<MergeSessionHelper> merge_session_helper_;
212
213  DISALLOW_COPY_AND_ASSIGN(SigninManager);
214};
215
216#endif  // !defined(OS_CHROMEOS)
217
218#endif  // COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_
219