signin_manager.h revision e5d81f57cb97b3b6b7fccc9c5610d21eb81db09d
1// Copyright 2014 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4// 5// The signin manager encapsulates some functionality tracking 6// which user is signed in. See SigninManagerBase for full description of 7// responsibilities. The class defined in this file provides functionality 8// required by all platforms except Chrome OS. 9// 10// When a user is signed in, a ClientLogin request is run on their behalf. 11// Auth tokens are fetched from Google and the results are stored in the 12// TokenService. 13// TODO(tim): Bug 92948, 226464. ClientLogin is all but gone from use. 14 15#ifndef COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_ 16#define COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_ 17 18#if defined(OS_CHROMEOS) 19// On Chrome OS, SigninManagerBase is all that exists. 20#include "components/signin/core/browser/signin_manager_base.h" 21 22#else 23 24#include <set> 25#include <string> 26 27#include "base/compiler_specific.h" 28#include "base/gtest_prod_util.h" 29#include "base/logging.h" 30#include "base/memory/scoped_ptr.h" 31#include "base/observer_list.h" 32#include "base/prefs/pref_change_registrar.h" 33#include "base/prefs/pref_member.h" 34#include "components/keyed_service/core/keyed_service.h" 35#include "components/signin/core/browser/signin_internals_util.h" 36#include "components/signin/core/browser/signin_manager_base.h" 37#include "google_apis/gaia/google_service_auth_error.h" 38#include "google_apis/gaia/merge_session_helper.h" 39#include "net/cookies/canonical_cookie.h" 40 41class PrefService; 42class ProfileOAuth2TokenService; 43class SigninAccountIdHelper; 44class SigninClient; 45 46class SigninManager : public SigninManagerBase { 47 public: 48 // The callback invoked once the OAuth token has been fetched during signin, 49 // but before the profile transitions to the "signed-in" state. This allows 50 // callers to load policy and prompt the user appropriately before completing 51 // signin. The callback is passed the just-fetched OAuth login refresh token. 52 typedef base::Callback<void(const std::string&)> OAuthTokenFetchedCallback; 53 54 // Returns true if |url| is a web signin URL and should be hosted in an 55 // isolated, privileged signin process. 56 static bool IsWebBasedSigninFlowURL(const GURL& url); 57 58 // This is used to distinguish URLs belonging to the special web signin flow 59 // running in the special signin process from other URLs on the same domain. 60 // We do not grant WebUI privilieges / bindings to this process or to URLs of 61 // this scheme; enforcement of privileges is handled separately by 62 // OneClickSigninHelper. 63 static const char kChromeSigninEffectiveSite[]; 64 65 SigninManager(SigninClient* client, ProfileOAuth2TokenService* token_service); 66 virtual ~SigninManager(); 67 68 // Returns true if the username is allowed based on the policy string. 69 static bool IsUsernameAllowedByPolicy(const std::string& username, 70 const std::string& policy); 71 72 // Attempt to sign in this user with a refresh token. 73 // If non-null, the passed |oauth_fetched_callback| callback is invoked once 74 // signin has been completed. 75 // The callback should invoke SignOut() or CompletePendingSignin() to either 76 // continue or cancel the in-process signin. 77 virtual void StartSignInWithRefreshToken( 78 const std::string& refresh_token, 79 const std::string& username, 80 const std::string& password, 81 const OAuthTokenFetchedCallback& oauth_fetched_callback); 82 83 // Copies auth credentials from one SigninManager to this one. This is used 84 // when creating a new profile during the signin process to transfer the 85 // in-progress credentials to the new profile. 86 virtual void CopyCredentialsFrom(const SigninManager& source); 87 88 // Sign a user out, removing the preference, erasing all keys 89 // associated with the user, and canceling all auth in progress. 90 virtual void SignOut(); 91 92 // On platforms where SigninManager is responsible for dealing with 93 // invalid username policy updates, we need to check this during 94 // initialization and sign the user out. 95 virtual void Initialize(PrefService* local_state) OVERRIDE; 96 virtual void Shutdown() OVERRIDE; 97 98 // Invoked from an OAuthTokenFetchedCallback to complete user signin. 99 virtual void CompletePendingSignin(); 100 101 // Invoked from SigninManagerAndroid to indicate that the sign-in process 102 // has completed for |username|. 103 void OnExternalSigninCompleted(const std::string& username); 104 105 // Returns true if there's a signin in progress. 106 virtual bool AuthInProgress() const OVERRIDE; 107 108 virtual bool IsSigninAllowed() const OVERRIDE; 109 110 // Returns true if the passed username is allowed by policy. Virtual for 111 // mocking in tests. 112 virtual bool IsAllowedUsername(const std::string& username) const; 113 114 // If an authentication is in progress, return the username being 115 // authenticated. Returns an empty string if no auth is in progress. 116 const std::string& GetUsernameForAuthInProgress() const; 117 118 // Set the preference to turn off one-click sign-in so that it won't ever 119 // show it again for the user associated with |prefs| (even if the user tries 120 // a new account). 121 static void DisableOneClickSignIn(PrefService* prefs); 122 123 // Tells the SigninManager whether to prohibit signout for this profile. 124 // If |prohibit_signout| is true, then signout will be prohibited. 125 void ProhibitSignout(bool prohibit_signout); 126 127 // If true, signout is prohibited for this profile (calls to SignOut() are 128 // ignored). 129 bool IsSignoutProhibited() const; 130 131 // Add or remove observers for the merge session notification. 132 void AddMergeSessionObserver(MergeSessionHelper::Observer* observer); 133 void RemoveMergeSessionObserver(MergeSessionHelper::Observer* observer); 134 135 protected: 136 // Flag saying whether signing out is allowed. 137 bool prohibit_signout_; 138 139 private: 140 enum SigninType { SIGNIN_TYPE_NONE, SIGNIN_TYPE_WITH_REFRESH_TOKEN }; 141 142 std::string SigninTypeToString(SigninType type); 143 friend class FakeSigninManager; 144 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ClearTransientSigninData); 145 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorSuccess); 146 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorFailure); 147 148 // If user was signed in, load tokens from DB if available. 149 void InitTokenService(); 150 151 // Called to setup the transient signin data during one of the 152 // StartSigninXXX methods. |type| indicates which of the methods is being 153 // used to perform the signin while |username| and |password| identify the 154 // account to be signed in. Returns false and generates an auth error if the 155 // passed |username| is not allowed by policy. 156 bool PrepareForSignin(SigninType type, 157 const std::string& username, 158 const std::string& password); 159 160 // Persists |username| as the currently signed-in account, and triggers 161 // a sign-in success notification. 162 void OnSignedIn(const std::string& username); 163 164 // Called when a new request to re-authenticate a user is in progress. 165 // Will clear in memory data but leaves the db as such so when the browser 166 // restarts we can use the old token(which might throw a password error). 167 void ClearTransientSigninData(); 168 169 // Called to handle an error from a GAIA auth fetch. Sets the last error 170 // to |error|, sends out a notification of login failure and clears the 171 // transient signin data. 172 void HandleAuthError(const GoogleServiceAuthError& error); 173 174 void OnSigninAllowedPrefChanged(); 175 void OnGoogleServicesUsernamePatternChanged(); 176 177 // ClientLogin identity. 178 std::string possibly_invalid_username_; 179 std::string password_; // This is kept empty whenever possible. 180 181 // Fetcher for the obfuscated user id. 182 scoped_ptr<SigninAccountIdHelper> account_id_helper_; 183 184 // The type of sign being performed. This value is valid only between a call 185 // to one of the StartSigninXXX methods and when the sign in is either 186 // successful or not. 187 SigninType type_; 188 189 // Temporarily saves the oauth2 refresh token. It will be passed to the 190 // token service so that it does not need to mint new ones. 191 std::string temp_refresh_token_; 192 193 base::WeakPtrFactory<SigninManager> weak_pointer_factory_; 194 195 // The SigninClient object associated with this object. Must outlive this 196 // object. 197 SigninClient* client_; 198 199 // The ProfileOAuth2TokenService instance associated with this object. Must 200 // outlive this object. 201 ProfileOAuth2TokenService* token_service_; 202 203 // Helper object to listen for changes to signin preferences stored in non- 204 // profile-specific local prefs (like kGoogleServicesUsernamePattern). 205 PrefChangeRegistrar local_state_pref_registrar_; 206 207 // Helper object to listen for changes to the signin allowed preference. 208 BooleanPrefMember signin_allowed_; 209 210 // Helper to merge signed in account into the content area. 211 scoped_ptr<MergeSessionHelper> merge_session_helper_; 212 213 DISALLOW_COPY_AND_ASSIGN(SigninManager); 214}; 215 216#endif // !defined(OS_CHROMEOS) 217 218#endif // COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_ 219